security/intel/stm/Makefile.inc: Fix typo

In both the Kconfig and Makefile in this directory,
"STM_TTYS0_BASE" is used. Therefore, fix the typo.

Original-Change-Id: Ie83ec31c7bb0f6805c0225ee7405e137a666a5d3
Original-Signed-off-by: Benjamin Doron <benjamin.doron00@gmail.com>
Original-Reviewed-on: https://review.coreboot.org/c/coreboot/+/51206
Original-Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Original-Reviewed-by: Eugene Myers <cedarhouse1@comcast.net>
Original-Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

Change-Id: I8aa81a51380d48b172284e534ffd203f30a10286
Signed-off-by: Eugene Myers <edmyers@tycho.nsa.gov>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/55624
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

.gitmodules

@@ -43,3 +43,7 @@
 	url = ../amd_blobs
 	update = none
 	ignore = dirty
+[submodule "3rdparty/stm"]
+	path = 3rdparty/stm
+	url = ../STM
+	branch = stmpe

src/cpu/x86/mp_init.c

@@ -756,9 +756,9 @@ static void asmlinkage smm_do_relocation(void *arg)
 	if (CONFIG(STM)) {
 		if (is_smm_enabled()) {
 			uintptr_t mseg;
+			size_t mseg_size;
 
-			mseg = mp_state.perm_smbase +
-				(mp_state.perm_smsize - CONFIG_MSEG_SIZE);
+			smm_subregion(SMM_SUBREGION_MSEG, &mseg, &mseg_size);
 
 			stm_setup(mseg, p->cpu, runtime->num_cpus,
 					perm_smbase,

src/cpu/x86/smm/smm_module_loader.c

@@ -368,7 +368,7 @@ int smm_load_module(void *smram, size_t size, struct smm_loader_params *params)
 	base += size;
 
 	if (CONFIG(STM))
-		base -= CONFIG_MSEG_SIZE + CONFIG_BIOS_RESOURCE_LIST_SIZE;
+		base -= CONFIG_BIOS_RESOURCE_LIST_SIZE;
 
 	params->stack_top = base;
 

src/cpu/x86/smm/smm_module_loaderv2.c

@@ -586,8 +586,8 @@ int smm_load_module(void *smram, size_t size, struct smm_loader_params *params)
 
 	/* MSEG starts at the top of SMRAM and works down */
 	if (CONFIG(STM)) {
-		base -= CONFIG_MSEG_SIZE + CONFIG_BIOS_RESOURCE_LIST_SIZE;
-		total_size += CONFIG_MSEG_SIZE + CONFIG_BIOS_RESOURCE_LIST_SIZE;
+		base -= CONFIG_BIOS_RESOURCE_LIST_SIZE;
+		total_size += CONFIG_BIOS_RESOURCE_LIST_SIZE;
 	}
 
 	/* FXSAVE goes below MSEG */

src/cpu/x86/smm/tseg_region.c

@@ -17,6 +17,7 @@
 #include <cpu/x86/smm.h>
 #include <stage_cache.h>
 #include <types.h>
+#include <inttypes.h>
 
 /*
  *        Subregions within SMM
@@ -25,6 +26,8 @@
  *     +-------------------------+
  *     |  External Stage Cache   | SMM_RESERVED_SIZE
  *     +-------------------------+
+ *     |          STM            | MSEG_SIZE
+ *     +-------------------------+
  *     |      code and data      |
  *     |         (TSEG)          |
  *     +-------------------------+ TSEG
@@ -35,17 +38,24 @@ int smm_subregion(int sub, uintptr_t *start, size_t *size)
 	size_t sub_size;
 	const size_t ied_size = CONFIG_IED_REGION_SIZE;
 	const size_t cache_size = CONFIG_SMM_RESERVED_SIZE;
+	const size_t mseg_size = CONFIG_MSEG_SIZE;
 
 	smm_region(&sub_base, &sub_size);
 
 	ASSERT(IS_ALIGNED(sub_base, sub_size));
-	ASSERT(sub_size > (cache_size + ied_size));
+	ASSERT(sub_size > (cache_size + ied_size + mseg_size));
 
 	switch (sub) {
 	case SMM_SUBREGION_HANDLER:
 		/* Handler starts at the base of TSEG. */
 		sub_size -= ied_size;
 		sub_size -= cache_size;
+		sub_size -= mseg_size;
+		break;
+	case SMM_SUBREGION_MSEG:
+		/* MSEG follows the SMM HANDLER subregion */
+		sub_base += sub_size - (ied_size + cache_size + mseg_size);
+		sub_size = mseg_size;
 		break;
 	case SMM_SUBREGION_CACHE:
 		/* External cache is in the middle of TSEG. */
@@ -88,11 +98,11 @@ void smm_list_regions(void)
 		return;
 
 	printk(BIOS_DEBUG, "SMM Memory Map\n");
-	printk(BIOS_DEBUG, "SMRAM       : 0x%zx 0x%zx\n", base, size);
+	printk(BIOS_DEBUG, "SMRAM       : 0x%" PRIxPTR " 0x%zx\n", base, size);
 
 	for (i = 0; i < SMM_SUBREGION_NUM; i++) {
 		if (smm_subregion(i, &base, &size))
 			continue;
-		printk(BIOS_DEBUG, " Subregion %d: 0x%zx 0x%zx\n", i, base, size);
+		printk(BIOS_DEBUG, " Subregion %d: 0x%" PRIxPTR " 0x%zx\n", i, base, size);
 	}
 }

src/include/cpu/x86/smm.h

@@ -168,6 +168,8 @@ void smm_region(uintptr_t *start, size_t *size);
 enum {
 	/* SMM handler area. */
 	SMM_SUBREGION_HANDLER,
+	/* MSEG (STM). */
+	SMM_SUBREGION_MSEG,
 	/* SMM cache region. */
 	SMM_SUBREGION_CACHE,
 	/* Chipset specific area. */

src/security/intel/stm/Kconfig

@@ -29,20 +29,93 @@ menu "SMI Transfer Monitor (STM)"
 
 config MSEG_SIZE
 	hex "mseg size"
-	default 0x400000
+	default 0x100000
 	help
-		STM only - 0x100000
-		STM/PE   - 0x300000+ depending on the amount of memory needed
-		                     for the protected execution virtual
-		                     machine (VM/PE)
+	  The MSEG_SIZE of 0x100000 assumes that:
+	      IED_REGION_SIZE   = 0x400000
+	      SMM_RESERVED_SIZE = 0x200000
+	      SMM_TSEG_SIZE     = 0x800000
+
+	  To use STM/PE, a larger MSEG_SIZE is necessary.  This can be
+	  done by either increasing SMM_TSEG_SIZE or reducing the
+	  IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination
+	  of the three.
+	  NOTE: The authors experience is that these configuration
+	  parameters have to be changed at the soc Konfig for them to
+	  be applied.
+	  Minimum sizes:
+	        STM only - 0x100000 - Supports up to 38 processor threads
+	                 - 0x200000 - Supports up to 102 processor threads
+	        STM/PE   - 0x300000+ depending on the amount of memory needed
+	                             for the protected execution virtual
+	                             machine (VM/PE)
+
+config STM_STMPE_ENABLED
+	bool "STM/PE Enabled"
+	default n
+	help
+	  STM/PE provides for additional virtual machines in SMRAM
+	  that provides a protected execution environment for
+	  applications such as introspection, which need to be
+	  protected from malicious code.  More information can be
+	  found on the stmpe branch of
+	  https://review.coreboot.org/STM
+
 
 config BIOS_RESOURCE_LIST_SIZE
-	hex "bios_resource_list_size"
+	hex "bios resource list size"
 	default 0x1000
+	help
+	  The BIOS resource list defines the resources that the
+	  SMI handler needs.  This list is created during the
+	  coreboot bootup.  Unless there has been a lot of elements
+	  added to this list, this value should not change.
 
 config STM_BINARY_FILE
 	string "STM binary file"
-	default "3rdparty/blobs/cpu/intel/stm/stm.bin"
+	default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin"
+	help
+	  Location of the STM binary file.  The default location is
+	  where the file will be located when coreboot builds
+	  the STM.
+
+config STM_HEAPSIZE
+	hex "stm heapsize"
+	default 0x46000
+	help
+	  The STM_HEAPSIZE defines the heap space that is available
+	  to the STM.  The default size assumes a MSEG_SIZE of 0x100000.
+	  For STM/PE this size should be a minimum of 0x246000.
+
+config STM_TTYS0_BASE
+	hex "stm uart"
+	default TTYS0_BASE if TTYS0_BASE
+	default 0x000
+	help
+	  Defines the serial port for STM console output.  0x000 indicates
+	  no serial port.
+
+config STM_CBMEM_CONSOLE
+	bool "STM cbmem console"
+	default n
+	depends on CONSOLE_CBMEM
+	help
+	  Places the STM console output into the cbmem.
+
+choice
+	prompt "Select STM console output"
+
+config STM_CONSOLE_DEBUG
+	bool "Debug output"
+	depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE
+	help
+	  "Produces all STM console output"
+
+config STM_CONSOLE_RELEASE
+	bool "Deactivate console output"
+	help
+	  "No console output is produced"
+endchoice
 
 endmenu #STM
 

src/security/intel/stm/Makefile

@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: BSD-2-Clause
+
+project_name=STM
+project_dir=../../../../3rdparty/stm/
+build_dir=$(project_dir)/Stm/build
+project_git_branch=$(CONFIG_STM_GIT_BRANCH)
+
+ifeq ($(CONFIG_STM_CONSOLE_DEBUG),y)
+STM_BUILD="debug"
+endif
+
+ifeq ($(CONFIG_STM_CONSOLE_RELEASE),y)
+STM_BUILD="release"
+endif
+
+
+all: build
+
+build:
+	echo "STM - Build"
+	cd $(project_dir)/Stm; \
+	mkdir -p build; \
+	cd build; \
+	cmake .. -DBIOS=coreboot \
+		-DUART=$(CONFIG_STM_TTYS0_BASE) \
+		-DHEAPSIZE=$(CONFIG_STM_HEAPSIZE) \
+		-DCBMEM_ENABLE=$(CONFIG_STM_CBMEM_CONSOLE) \
+		-DSTMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \
+		-DBUILD=$(STM_BUILD); \
+	$(MAKE);
+
+
+.PHONY: build

src/security/intel/stm/Makefile.inc

@@ -8,3 +8,13 @@ stm.bin-type := raw
 ramstage-$(CONFIG_STM) += SmmStm.c
 ramstage-$(CONFIG_STM) += StmPlatformSmm.c
 ramstage-$(CONFIG_STM) += StmPlatformResource.c
+
+3rdparty/stm/Stm/build/StmPkg/Core/stm.bin: $(obj)/config.h
+	$(MAKE) -C src/security/intel/stm \
+		CONFIG_STM_TTYS0_BASE=$(CONFIG_STM_TTYS0_BASE) \
+		CONFIG_STM_HEAPSIZE=$(CONFIG_STM_HEAPSIZE) \
+		CONFIG_STM_CONSOLE_DEBUG=$(CONFIG_STM_CONSOLE_DEBUG) \
+		CONFIG_STM_CONSOLE_RELEASE=$(CONFIG_STM_CONSOLE_RELEASE) \
+		CONFIG_STM_GIT_BRANCH=$(CONFIG_STM_GIT_BRANCH) \
+		CONFIG_STM_STMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \
+		CONFIG_STM_CBMEM_CONSOLE=$(CONFIG_STM_CBMEM_CONSOLE)

src/security/intel/stm/SmmStm.c

@@ -39,8 +39,7 @@
 
 #define STM_PAGE_SHIFT 12
 #define STM_PAGE_MASK 0xFFF
-#define STM_SIZE_TO_PAGES(a)                                                   \
-	(((a) >> STM_PAGE_SHIFT) + (((a)&STM_PAGE_MASK) ? 1 : 0))
+#define STM_SIZE_TO_PAGES(a) (((a) >> STM_PAGE_SHIFT) + (((a)&STM_PAGE_MASK) ? 1 : 0))
 #define STM_PAGES_TO_SIZE(a) ((a) << STM_PAGE_SHIFT)
 
 #define STM_ACCESS_DENIED 15
@@ -137,13 +136,10 @@ static bool handle_single_resource(STM_RSC *resource, STM_RSC *record)
 		resource_hi = resource->mem.base + resource->mem.length;
 		record_lo = record->mem.base;
 		record_hi = record->mem.base + record->mem.length;
-		if (resource->mem.rwx_attributes
-		    != record->mem.rwx_attributes) {
-			if ((resource_lo == record_lo)
-			    && (resource_hi == record_hi)) {
-				record->mem.rwx_attributes =
-					resource->mem.rwx_attributes
-					| record->mem.rwx_attributes;
+		if (resource->mem.rwx_attributes != record->mem.rwx_attributes) {
+			if ((resource_lo == record_lo) && (resource_hi == record_hi)) {
+				record->mem.rwx_attributes = resource->mem.rwx_attributes
+							     | record->mem.rwx_attributes;
 				return true;
 			} else {
 				return false;
@@ -153,39 +149,31 @@ static bool handle_single_resource(STM_RSC *resource, STM_RSC *record)
 	case IO_RANGE:
 	case TRAPPED_IO_RANGE:
 		resource_lo = (uint64_t)resource->io.base;
-		resource_hi = (uint64_t)resource->io.base
-			      + (uint64_t)resource->io.length;
+		resource_hi = (uint64_t)resource->io.base + (uint64_t)resource->io.length;
 		record_lo = (uint64_t)record->io.base;
-		record_hi =
-			(uint64_t)record->io.base + (uint64_t)record->io.length;
+		record_hi = (uint64_t)record->io.base + (uint64_t)record->io.length;
 		break;
 	case PCI_CFG_RANGE:
 		if ((resource->pci_cfg.originating_bus_number
 		     != record->pci_cfg.originating_bus_number)
-		    || (resource->pci_cfg.last_node_index
-			!= record->pci_cfg.last_node_index))
+		    || (resource->pci_cfg.last_node_index != record->pci_cfg.last_node_index))
 			return false;
 
-		if (memcmp(resource->pci_cfg.pci_device_path,
-			   record->pci_cfg.pci_device_path,
+		if (memcmp(resource->pci_cfg.pci_device_path, record->pci_cfg.pci_device_path,
 			   sizeof(STM_PCI_DEVICE_PATH_NODE)
 				   * (resource->pci_cfg.last_node_index + 1))
 		    != 0) {
 			return false;
 		}
 		resource_lo = (uint64_t)resource->pci_cfg.base;
-		resource_hi = (uint64_t)resource->pci_cfg.base
-			      + (uint64_t)resource->pci_cfg.length;
+		resource_hi =
+			(uint64_t)resource->pci_cfg.base + (uint64_t)resource->pci_cfg.length;
 		record_lo = (uint64_t)record->pci_cfg.base;
-		record_hi = (uint64_t)record->pci_cfg.base
-			    + (uint64_t)record->pci_cfg.length;
-		if (resource->pci_cfg.rw_attributes
-		    != record->pci_cfg.rw_attributes) {
-			if ((resource_lo == record_lo)
-			    && (resource_hi == record_hi)) {
-				record->pci_cfg.rw_attributes =
-					resource->pci_cfg.rw_attributes
-					| record->pci_cfg.rw_attributes;
+		record_hi = (uint64_t)record->pci_cfg.base + (uint64_t)record->pci_cfg.length;
+		if (resource->pci_cfg.rw_attributes != record->pci_cfg.rw_attributes) {
+			if ((resource_lo == record_lo) && (resource_hi == record_hi)) {
+				record->pci_cfg.rw_attributes = resource->pci_cfg.rw_attributes
+								| record->pci_cfg.rw_attributes;
 				return true;
 			} else {
 				return false;
@@ -256,8 +244,7 @@ static void add_single_resource(STM_RSC *resource)
 
 		// Go to next record if resource and record types don't match.
 		if (resource->header.rsc_type != record->header.rsc_type) {
-			record = (STM_RSC *)((void *)record
-					     + record->header.length);
+			record = (STM_RSC *)((void *)record + record->header.length);
 			continue;
 		}
 
@@ -268,15 +255,13 @@ static void add_single_resource(STM_RSC *resource)
 	}
 
 	// Add resource to the end of area.
-	memcpy(m_stm_resources_ptr + m_stm_resource_size_used
-		       - sizeof(m_rsc_end_node),
+	memcpy(m_stm_resources_ptr + m_stm_resource_size_used - sizeof(m_rsc_end_node),
 	       resource, resource->header.length);
-	memcpy(m_stm_resources_ptr + m_stm_resource_size_used
-		       - sizeof(m_rsc_end_node) + resource->header.length,
+	memcpy(m_stm_resources_ptr + m_stm_resource_size_used - sizeof(m_rsc_end_node)
+		       + resource->header.length,
 	       &m_rsc_end_node, sizeof(m_rsc_end_node));
 	m_stm_resource_size_used += resource->header.length;
-	m_stm_resource_size_available =
-		m_stm_resource_total_size - m_stm_resource_size_used;
+	m_stm_resource_size_available = m_stm_resource_total_size - m_stm_resource_size_used;
 }
 
 /*
@@ -303,8 +288,7 @@ static void add_resource(STM_RSC *resource_list, uint32_t num_entries)
 		if (resource->header.rsc_type == END_OF_RESOURCES)
 			return;
 		add_single_resource(resource);
-		resource =
-			(STM_RSC *)((void *)resource + resource->header.length);
+		resource = (STM_RSC *)((void *)resource + resource->header.length);
 	}
 }
 
@@ -336,11 +320,8 @@ static bool validate_resource(STM_RSC *resource_list, uint32_t num_entries)
 	resource = resource_list;
 
 	for (index = 0; index < count; index++) {
-		printk(BIOS_DEBUG, "STM: %s (%u) - RscType(%x) length(0x%x)\n",
-			__func__,
-			index,
-			resource->header.rsc_type,
-			resource->header.length);
+		printk(BIOS_DEBUG, "STM: %s (%u) - RscType(%x) length(0x%x)\n", __func__, index,
+		       resource->header.rsc_type, resource->header.length);
 		// Validate resource.
 		switch (resource->header.rsc_type) {
 		case END_OF_RESOURCES:
@@ -360,11 +341,8 @@ static bool validate_resource(STM_RSC *resource_list, uint32_t num_entries)
 
 		case MEM_RANGE:
 		case MMIO_RANGE:
-			printk(BIOS_DEBUG,
-				"STM: %s - MEM (0x%0llx, 0x%0llx)\n",
-				__func__,
-				resource->mem.base,
-				resource->mem.length);
+			printk(BIOS_DEBUG, "STM: %s - MEM (0x%0llx, 0x%0llx)\n", __func__,
+			       resource->mem.base, resource->mem.length);
 
 			if (resource->header.length != sizeof(STM_RSC_MEM_DESC))
 				return false;
@@ -383,34 +361,26 @@ static bool validate_resource(STM_RSC *resource_list, uint32_t num_entries)
 			break;
 
 		case PCI_CFG_RANGE:
-			printk(BIOS_DEBUG,
-			       "STM: %s - PCI (0x%02x, 0x%08x, 0x%02x, 0x%02x)\n",
-			       __func__,
-			       resource->pci_cfg.originating_bus_number,
+			printk(BIOS_DEBUG, "STM: %s - PCI (0x%02x, 0x%08x, 0x%02x, 0x%02x)\n",
+			       __func__, resource->pci_cfg.originating_bus_number,
 			       resource->pci_cfg.last_node_index,
 			       resource->pci_cfg.pci_device_path[0].pci_device,
-			       resource->pci_cfg.pci_device_path[0]
-				       .pci_function);
+			       resource->pci_cfg.pci_device_path[0].pci_function);
 			if (resource->header.length
 			    != sizeof(STM_RSC_PCI_CFG_DESC)
 				       + (sizeof(STM_PCI_DEVICE_PATH_NODE)
 					  * resource->pci_cfg.last_node_index))
 				return false;
-			for (sub_index = 0;
-			     sub_index <= resource->pci_cfg.last_node_index;
+			for (sub_index = 0; sub_index <= resource->pci_cfg.last_node_index;
 			     sub_index++) {
-				if ((resource->pci_cfg
-					     .pci_device_path[sub_index]
-					     .pci_device
+				if ((resource->pci_cfg.pci_device_path[sub_index].pci_device
 				     > 0x1F)
-				    || (resource->pci_cfg
-						.pci_device_path[sub_index]
+				    || (resource->pci_cfg.pci_device_path[sub_index]
 						.pci_function
 					> 7))
 					return false;
 			}
-			if ((resource->pci_cfg.base + resource->pci_cfg.length)
-			    > 0x1000)
+			if ((resource->pci_cfg.base + resource->pci_cfg.length) > 0x1000)
 				return false;
 			break;
 
@@ -420,12 +390,11 @@ static bool validate_resource(STM_RSC *resource_list, uint32_t num_entries)
 			break;
 
 		default:
-			printk(BIOS_DEBUG, "STM: %s - Unknown RscType(%x)\n",
-			       __func__, resource->header.rsc_type);
+			printk(BIOS_DEBUG, "STM: %s - Unknown RscType(%x)\n", __func__,
+			       resource->header.rsc_type);
 			return false;
 		}
-		resource =
-			(STM_RSC *)((void *)resource + resource->header.length);
+		resource = (STM_RSC *)((void *)resource + resource->header.length);
 	}
 	return true;
 }
@@ -462,8 +431,7 @@ static uint32_t get_resource_size(STM_RSC *resource_list, uint32_t num_entries)
 	for (index = 0; index < count; index++) {
 		if (resource->header.rsc_type == END_OF_RESOURCES)
 			break;
-		resource =
-			(STM_RSC *)((void *)resource + resource->header.length);
+		resource = (STM_RSC *)((void *)resource + resource->header.length);
 	}
 	return (uint32_t)((uint32_t)resource - (uint32_t)resource_list);
 }
@@ -490,7 +458,7 @@ int add_pi_resource(STM_RSC *resource_list, uint32_t num_entries)
 		return -1; // INVALID_PARAMETER;
 
 	resource_size = get_resource_size(resource_list, num_entries);
-	printk(BIOS_DEBUG, "STM: ResourceSize - 0x%08lx\n", resource_size);
+	printk(BIOS_DEBUG, "STM: ResourceSize - 0x%08x\n", (int)resource_size);
 	if (resource_size == 0)
 		return -1; // INVALID_PARAMETER;
 
@@ -501,8 +469,7 @@ int add_pi_resource(STM_RSC *resource_list, uint32_t num_entries)
 		m_stm_resource_total_size = CONFIG_BIOS_RESOURCE_LIST_SIZE;
 		memset(m_stm_resources_ptr, 0, CONFIG_BIOS_RESOURCE_LIST_SIZE);
 
-		memcpy(m_stm_resources_ptr, &m_rsc_end_node,
-		       sizeof(m_rsc_end_node));
+		memcpy(m_stm_resources_ptr, &m_rsc_end_node, sizeof(m_rsc_end_node));
 		m_stm_resource_size_used = sizeof(m_rsc_end_node);
 		m_stm_resource_size_available =
 			m_stm_resource_total_size - sizeof(m_rsc_end_node);
@@ -511,7 +478,7 @@ int add_pi_resource(STM_RSC *resource_list, uint32_t num_entries)
 	} else {
 		if (m_stm_resource_size_available < resource_size) {
 			printk(BIOS_DEBUG,
-			"STM: ERROR - not enough space for SMM resource list\n");
+			       "STM: ERROR - not enough space for SMM resource list\n");
 			return -1; // OUT_OF_RESOURCES
 		}
 	}
@@ -543,8 +510,7 @@ int32_t delete_pi_resource(STM_RSC *resource_list, uint32_t num_entries)
 	// Delete all
 	memcpy(m_stm_resources_ptr, &m_rsc_end_node, sizeof(m_rsc_end_node));
 	m_stm_resource_size_used = sizeof(m_rsc_end_node);
-	m_stm_resource_size_available =
-		m_stm_resource_total_size - sizeof(m_rsc_end_node);
+	m_stm_resource_size_available = m_stm_resource_total_size - sizeof(m_rsc_end_node);
 	return 0; // SUCCESS;
 }
 
@@ -587,8 +553,8 @@ static uint32_t get_vmcs_size(void)
 
 	this_vmcs_size = msr_data64.bits.vmcs_size;
 	stm_support = msr_data64.bits.stm_supported;
-	printk(BIOS_DEBUG, "STM: %s: Size %d StmSupport %d\n", __func__,
-	       this_vmcs_size, stm_support);
+	printk(BIOS_DEBUG, "STM: %s: Size %d StmSupport %d\n", __func__, this_vmcs_size,
+	       stm_support);
 
 	// VMCS require 0x1000 alignment
 	this_vmcs_size = STM_PAGES_TO_SIZE(STM_SIZE_TO_PAGES(this_vmcs_size));
@@ -623,10 +589,9 @@ void stm_gen_4g_pagetable_x64(uint32_t pagetable_base)
 		pde++;
 		pagetable_base += PTP_SIZE;
 
-		for (sub_index = 0; sub_index < SIZE_4KB / sizeof(*pte);
-		     sub_index++) {
-			*pte = (((index << 9) + sub_index) << 21) | IA32_PG_PS
-			       | IA32_PG_RW | IA32_PG_P;
+		for (sub_index = 0; sub_index < SIZE_4KB / sizeof(*pte); sub_index++) {
+			*pte = (((index << 9) + sub_index) << 21) | IA32_PG_PS | IA32_PG_RW
+			       | IA32_PG_P;
 			pte++;
 		}
 	}
@@ -650,30 +615,31 @@ bool stm_check_stm_image(void *stm_image, uint32_t stm_imagesize)
 	stm_header = (STM_HEADER *)stm_image;
 
 	// Get Minimal required Mseg size
-	min_mseg_size = (STM_PAGES_TO_SIZE(STM_SIZE_TO_PAGES(
-				 stm_header->sw_stm_hdr.static_image_size))
-			 + stm_header->sw_stm_hdr.additional_dynamic_memory_size
-			 + (stm_header->sw_stm_hdr.per_proc_dynamic_memory_size
-			    + get_vmcs_size() * 2)
-				   * mp_state.cpu_count);
+	min_mseg_size =
+		(STM_PAGES_TO_SIZE(STM_SIZE_TO_PAGES(stm_header->sw_stm_hdr.static_image_size))
+		 + stm_header->sw_stm_hdr.additional_dynamic_memory_size
+		 + (stm_header->sw_stm_hdr.per_proc_dynamic_memory_size + get_vmcs_size() * 2)
+			   * mp_state.cpu_count);
 	if (min_mseg_size < stm_imagesize)
 		min_mseg_size = stm_imagesize;
 
-	if (stm_header->hw_stm_hdr.cr3_offset
-	    >= stm_header->sw_stm_hdr.static_image_size) {
+	if (stm_header->hw_stm_hdr.cr3_offset >= stm_header->sw_stm_hdr.static_image_size) {
 
 		// We will create page table, just in case that SINIT does not
 		// create it.
-		if (min_mseg_size < stm_header->hw_stm_hdr.cr3_offset
-					    + STM_PAGES_TO_SIZE(6)) {
-			min_mseg_size = stm_header->hw_stm_hdr.cr3_offset
-					+ STM_PAGES_TO_SIZE(6);
+		if (min_mseg_size < stm_header->hw_stm_hdr.cr3_offset + STM_PAGES_TO_SIZE(6)) {
+			min_mseg_size =
+				stm_header->hw_stm_hdr.cr3_offset + STM_PAGES_TO_SIZE(6);
 		}
 	}
 
 	// Check if it exceeds MSEG size
-	if (min_mseg_size > CONFIG_MSEG_SIZE)
+	if (min_mseg_size > CONFIG_MSEG_SIZE) {
+		printk(BIOS_ERR,
+		       "STM: ERROR - Configured MSEG size 0x%x less than required MSEG size 0x%x\n",
+		       CONFIG_MSEG_SIZE, min_mseg_size);
 		return false;
+	}
 
 	return true;
 }

src/security/intel/stm/StmPlatformResource.c

@@ -179,8 +179,12 @@ static void add_msr_resources(void)
 /*
  * Add resources to BIOS resource database.
  */
+
+extern uint8_t *m_stm_resources_ptr;
+
 void add_resources_cmd(void)
 {
+	m_stm_resources_ptr = NULL;
 
 	add_simple_resources();
 

src/security/intel/stm/StmPlatformSmm.c

@@ -173,12 +173,15 @@ void stm_setup(uintptr_t mseg, int cpu, int num_cpus, uintptr_t smbase,
 		return;
 	}
 
+	// This code moved here because paralled SMM setup can cause some
+	// processors to get a bad value.
+	addr_calc = mseg - CONFIG_BIOS_RESOURCE_LIST_SIZE;
+	stm_resource_heap = (uint8_t *) addr_calc;
+
 	if (cpu == 0) {
 
 		// need to create the BIOS resource list once
 		// first calculate the location in SMRAM
-		addr_calc = mseg - CONFIG_BIOS_RESOURCE_LIST_SIZE;
-		stm_resource_heap = (uint8_t *) addr_calc;
 		printk(BIOS_DEBUG, "STM: stm_resource_heap located at %p\n",
 				stm_resource_heap);
 		//setup the the list

src/soc/intel/apollolake/include/soc/pm.h

@@ -250,4 +250,7 @@ void pch_log_state(void);
 
 void enable_pm_timer_emulation(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif

src/soc/intel/apollolake/pmutil.c

@@ -246,3 +246,9 @@ int vbnv_cmos_failed(void)
 
 	return rtc_failure;
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return (uint16_t) ACPI_BASE_ADDRESS;
+}

src/soc/intel/broadwell/include/soc/pm.h

@@ -155,4 +155,7 @@ void disable_gpe(uint32_t mask);
 /* Return the selected ACPI SCI IRQ */
 int acpi_sci_irq(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif

src/soc/intel/broadwell/pmutil.c

@@ -458,3 +458,9 @@ int vboot_platform_is_resuming(void)
 
 	return acpi_sleep_from_pm1(inl(ACPI_BASE_ADDRESS + PM1_CNT)) == ACPI_S3;
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return (uint16_t) ACPI_BASE_ADDRESS;
+}

src/soc/intel/cannonlake/include/soc/pm.h

@@ -172,5 +172,8 @@ void pmc_set_disb(void);
 /* Clear PMCON status bits */
 void pmc_clear_pmcon_sts(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif /* !defined(__ACPI__) */
 #endif

src/soc/intel/cannonlake/pmutil.c

@@ -273,3 +273,9 @@ void soc_fill_power_state(struct chipset_power_state *ps)
 	printk(BIOS_DEBUG, "GBLRST_CAUSE: %08x %08x\n",
 		ps->gblrst_cause[0], ps->gblrst_cause[1]);
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return (uint16_t) ACPI_BASE_ADDRESS;
+}

src/soc/intel/fsp_broadwell_de/Kconfig

@@ -95,6 +95,10 @@ config HPET_MIN_TICKS
 	hex
 	default 0x80
 
+config ENABLE_VMX
+	bool "Enable VMX for virtualization"
+	default y
+
 ## Broadwell-DE Specific FSP Kconfig
 source src/soc/intel/fsp_broadwell_de/fsp/Kconfig
 

src/soc/intel/fsp_broadwell_de/include/soc/pm.h

@@ -0,0 +1,28 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2007-2009 coresystems GmbH
+ * Copyright (C) 2013 Google Inc.
+ * Copyright (C) 2015-2016 Intel Corp.
+ * Copyright (C) 2016-2018 Siemens AG
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef _SOC_FSP_BROADWELL_DE_PM_H_
+#define _SOC_FSP_BROADWELL_DE_PM_H_
+
+/*
+ * Brings in get_pmbase so that StmPlatformResource.c can build
+ * under 4.11
+ */
+
+#include <soc/acpi.h>
+#endif

src/soc/intel/icelake/include/soc/pm.h

@@ -171,5 +171,8 @@ void pmc_set_disb(void);
 /* Clear PMCON status bits */
 void pmc_clear_pmcon_sts(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif /* !defined(__ACPI__) */
 #endif

src/soc/intel/icelake/pmutil.c

@@ -272,3 +272,9 @@ void soc_fill_power_state(struct chipset_power_state *ps)
 	printk(BIOS_DEBUG, "GBLRST_CAUSE: %08x %08x\n",
 		ps->gblrst_cause[0], ps->gblrst_cause[1]);
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return (uint16_t) ACPI_BASE_ADDRESS;
+}

src/soc/intel/quark/acpi.c

@@ -104,3 +104,10 @@ void acpi_fill_in_fadt(acpi_fadt_t *fadt)
 	printk(BIOS_SPEW, "  0x%08x: RESET\n", fadt->reset_reg.addrl);
 
 }
+
+uint16_t get_pmbase(void)
+{
+	struct device *dev = pcidev_on_root(PCI_DEVICE_NUMBER_QNC_LPC,
+		PCI_FUNCTION_NUMBER_QNC_LPC);
+	return (uint16_t) pci_read_config32(dev, R_QNC_LPC_PM1BLK) & B_QNC_LPC_PM1BLK_MASK;
+}

src/soc/intel/quark/include/soc/pm.h

@@ -27,4 +27,7 @@ struct chipset_power_state {
 struct chipset_power_state *get_power_state(void);
 int fill_power_state(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif /* _SOC_PM_H_ */

src/soc/intel/skylake/include/soc/pm.h

@@ -197,4 +197,7 @@ static inline int deep_s5_enabled(void)
 	return !!(deep_s5_pol & (S5DC_GATE_SUS | S5AC_GATE_SUS));
 }
 
+/* STM Support */
+uint16_t get_pmbase(void);
+
 #endif

src/soc/intel/skylake/pmutil.c

@@ -266,3 +266,9 @@ void soc_fill_power_state(struct chipset_power_state *ps)
 	printk(BIOS_DEBUG, "GBLRST_CAUSE: %08x %08x\n",
 	       ps->gblrst_cause[0], ps->gblrst_cause[1]);
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return ACPI_BASE_ADDRESS;
+}

src/soc/intel/tigerlake/include/soc/pm.h

@@ -177,5 +177,7 @@ void pmc_set_disb(void);
 /* Clear PMCON status bits */
 void pmc_clear_pmcon_sts(void);
 
+/* STM Support */
+uint16_t get_pmbase(void);
 #endif /* !defined(__ACPI__) */
 #endif

src/soc/intel/tigerlake/pmutil.c

@@ -274,3 +274,9 @@ void soc_fill_power_state(struct chipset_power_state *ps)
 	printk(BIOS_DEBUG, "GBLRST_CAUSE: %08x %08x\n",
 		ps->gblrst_cause[0], ps->gblrst_cause[1]);
 }
+
+/* STM Support */
+uint16_t get_pmbase(void)
+{
+	return (uint16_t) ACPI_BASE_ADDRESS;
+}