sb/intel/*: add option to lockdown chipset on normal boot path

On platforms with a PCH, some registers within host bridge should be
locked down on each normal boot path (done by either coreboot or
payload) and S3 resume (always done by coreboot).

A function to perform such locking is implemented in src/northbridge/
intel/*/finalize.c, and is designed as the handler of an #SMI triggered
with outb(APM_CNT_FINALIZE, APM_CNT), but currently this #SMI is only
triggered during s3 resume, and not on normal boot path. This problem
has beed discussed in
https://mail.coreboot.org/pipermail/coreboot/2017-August/084924.html .

This time, an option "INTEL_CHIPSET_LOCKDOWN" within src/southbridge/
intel/common/Kconfig is added to control the actual locking, which
depends on several compatibility flags, including
"HAVE_INTEL_CHIPSET_LOCKDOWN".

In this commit, "ibexpeak", "bd82x6x", "fsp_bd82x6x", and "lynxpoint"
have the flag "HAVE_INTEL_CHIPSET_LOCKDOWN" selected.

The change is only well tested on Sandy Bridge, my Lenovo x230.

Change-Id: I43d4142291c8737b29738c41e8c484328b297b55
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21129
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>

src/southbridge/intel/bd82x6x/Kconfig

@@ -39,6 +39,7 @@ config SOUTH_BRIDGE_OPTIONS # dummy
 	select HAVE_INTEL_FIRMWARE
 	select SOUTHBRIDGE_INTEL_COMMON_GPIO
 	select RTC
+	select HAVE_INTEL_CHIPSET_LOCKDOWN
 
 config EHCI_BAR
 	hex

src/southbridge/intel/bd82x6x/lpc.c

@@ -829,9 +829,12 @@ static void southbridge_fill_ssdt(device_t device)
 
 static void lpc_final(struct device *dev)
 {
-	if (CONFIG_HAVE_SMI_HANDLER && acpi_is_wakeup_s3()) {
-		/* Call SMM finalize() handlers before resume */
-		outb(0xcb, 0xb2);
+	/* Call SMM finalize() handlers before resume */
+	if (IS_ENABLED(CONFIG_HAVE_SMI_HANDLER)) {
+		if (IS_ENABLED(CONFIG_INTEL_CHIPSET_LOCKDOWN) ||
+		    acpi_is_wakeup_s3()) {
+			outb(APM_CNT_FINALIZE, APM_CNT);
+		}
 	}
 }
 

src/southbridge/intel/common/Kconfig

@@ -4,3 +4,16 @@ config SOUTHBRIDGE_INTEL_COMMON_GPIO
 	def_bool n
 config SOUTHBRIDGE_INTEL_COMMON_SMBUS
 	def_bool n
+config HAVE_INTEL_CHIPSET_LOCKDOWN
+	def_bool n
+
+config INTEL_CHIPSET_LOCKDOWN
+	depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS
+	#ChromeOS's payload seems to handle finalization on its on.
+	bool "Lock down chipset in coreboot"
+	default y
+	help
+	  Some registers within host bridge on particular chipsets should be
+	  locked down on each normal boot path (done by either coreboot or payload)
+	  and S3 resume (always done by coreboot). Select this to let coreboot
+	  to do this on normal boot path.

src/southbridge/intel/fsp_bd82x6x/Kconfig

@@ -33,6 +33,7 @@ config SOUTH_BRIDGE_OPTIONS # dummy
 	select HAVE_INTEL_FIRMWARE
 	select SOUTHBRIDGE_INTEL_COMMON
 	select SOUTHBRIDGE_INTEL_COMMON_SMBUS
+	select HAVE_INTEL_CHIPSET_LOCKDOWN
 
 config EHCI_BAR
 	hex

src/southbridge/intel/fsp_bd82x6x/lpc.c

@@ -739,6 +739,17 @@ void acpi_fill_fadt(acpi_fadt_t *fadt)
 	fadt->x_gpe1_blk.addrh = 0x0;
 }
 
+static void lpc_final(struct device *dev)
+{
+	/* Call SMM finalize() handlers before resume */
+	if (IS_ENABLED(CONFIG_HAVE_SMI_HANDLER)) {
+		if (IS_ENABLED(CONFIG_INTEL_CHIPSET_LOCKDOWN) ||
+		    acpi_is_wakeup_s3()) {
+			outb(APM_CNT_FINALIZE, APM_CNT);
+		}
+	}
+}
+
 static struct pci_operations pci_ops = {
 	.set_subsystem = set_subsystem,
 };
@@ -750,6 +761,7 @@ static struct device_operations device_ops = {
 	.write_acpi_tables      = acpi_write_hpet,
 	.acpi_inject_dsdt_generator = southbridge_inject_dsdt,
 	.init			= lpc_init,
+	.final			= lpc_final,
 	.enable			= pch_lpc_enable,
 	.scan_bus		= scan_lpc_bus,
 	.ops_pci		= &pci_ops,

src/southbridge/intel/ibexpeak/Kconfig

@@ -36,6 +36,7 @@ config SOUTH_BRIDGE_OPTIONS # dummy
 	select ACPI_SATA_GENERATOR
 	select HAVE_INTEL_FIRMWARE
 	select SOUTHBRIDGE_INTEL_COMMON_GPIO
+	select HAVE_INTEL_CHIPSET_LOCKDOWN
 
 config EHCI_BAR
 	hex

src/southbridge/intel/ibexpeak/lpc.c

@@ -782,6 +782,17 @@ static void southbridge_fill_ssdt(device_t device)
 	intel_acpi_pcie_hotplug_generator(chip->pcie_hotplug_map, 8);
 }
 
+static void lpc_final(struct device *dev)
+{
+	/* Call SMM finalize() handlers before resume */
+	if (IS_ENABLED(CONFIG_HAVE_SMI_HANDLER)) {
+		if (IS_ENABLED(CONFIG_INTEL_CHIPSET_LOCKDOWN) ||
+		    acpi_is_wakeup_s3()) {
+			outb(APM_CNT_FINALIZE, APM_CNT);
+		}
+	}
+}
+
 static struct pci_operations pci_ops = {
 	.set_subsystem = set_subsystem,
 };
@@ -794,6 +805,7 @@ static struct device_operations device_ops = {
 	.acpi_fill_ssdt_generator = southbridge_fill_ssdt,
 	.write_acpi_tables      = acpi_write_hpet,
 	.init			= lpc_init,
+	.final			= lpc_final,
 	.enable			= pch_lpc_enable,
 	.scan_bus		= scan_lpc_bus,
 	.ops_pci		= &pci_ops,

src/southbridge/intel/lynxpoint/Kconfig

@@ -34,6 +34,7 @@ config SOUTH_BRIDGE_OPTIONS # dummy
 	select HAVE_SPI_CONSOLE_SUPPORT
 	select RTC
 	select SOUTHBRIDGE_INTEL_COMMON_GPIO if !INTEL_LYNXPOINT_LP
+	select HAVE_INTEL_CHIPSET_LOCKDOWN
 
 config INTEL_LYNXPOINT_LP
 	bool

src/southbridge/intel/lynxpoint/smi.c

@@ -121,13 +121,13 @@ void smm_setup_structures(void *gnvs, void *tcg, void *smi1)
 }
 
 /*
- * Finalize system before payload boot if not in ChromeOS environment.
+ * Finalize system before payload boot if INTEL_CHIPSET_LOCKDOWN=y
  */
-#if !IS_ENABLED(CONFIG_CHROMEOS)
+#if IS_ENABLED(CONFIG_INTEL_CHIPSET_LOCKDOWN)
 
 static void finalize_boot(void *unused)
 {
-	outb(0xcb, 0xb2);
+	outb(APM_CNT_FINALIZE, APM_CNT);
 }
 
 BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, finalize_boot, NULL);