-
-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
soc/intel/lockdown: Allow locking down SPI and LPC in SMM
Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI controller with PR0 flash protection for pre-Skylake platforms. Add new option to skip LPC and FAST SPI lock down in coreboot and move it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path, like it was done on pre-Skylake platforms. As the locking on modern SOCs became more complicated, separate the SPI and LPC locking into new modules to make linking to SMM easier. The expected configuration to leverage the feautre is to unselect INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM. Testing various microarchitectures happens on heads repository: linuxboot/heads#1818 TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake (Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check if flash is unlocked in the heads recovery console. Check if flash is locked in the kexec'ed OS. Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838 Signed-off-by: Michał Żygowski <[email protected]>
- Loading branch information
Showing
19 changed files
with
211 additions
and
67 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,7 @@ | ||
| ## SPDX-License-Identifier: GPL-2.0-only | ||
| ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c | ||
| ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_lpc.c | ||
| ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_spi.c | ||
|
|
||
| smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c | ||
| smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| /* SPDX-License-Identifier: GPL-2.0-only */ | ||
|
|
||
| #include <dasharo/options.h> | ||
| #include <intelblocks/cfg.h> | ||
| #include <intelblocks/lpc_lib.h> | ||
| #include <intelpch/lockdown.h> | ||
|
|
||
| void lpc_lockdown_config(int chipset_lockdown) | ||
| { | ||
| /* Set BIOS Interface Lock, BIOS Lock */ | ||
| if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { | ||
| /* BIOS Interface Lock */ | ||
| lpc_set_bios_interface_lock_down(); | ||
|
|
||
| /* Only allow writes in SMM */ | ||
| if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { | ||
| lpc_set_eiss(); | ||
| lpc_enable_wp(); | ||
| } | ||
|
|
||
| /* BIOS Lock */ | ||
| lpc_set_lock_enable(); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| /* SPDX-License-Identifier: GPL-2.0-only */ | ||
|
|
||
| #include <dasharo/options.h> | ||
| #include <intelblocks/cfg.h> | ||
| #include <intelblocks/fast_spi.h> | ||
| #include <intelpch/lockdown.h> | ||
|
|
||
| void fast_spi_lockdown_bios(int chipset_lockdown) | ||
| { | ||
| /* Discrete Lock Flash PR registers */ | ||
| fast_spi_pr_dlock(); | ||
|
|
||
| /* Lock FAST_SPIBAR */ | ||
| fast_spi_lock_bar(); | ||
|
|
||
| /* Set BIOS Interface Lock, BIOS Lock */ | ||
| if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { | ||
| /* BIOS Interface Lock */ | ||
| fast_spi_set_bios_interface_lock_down(); | ||
|
|
||
| /* Only allow writes in SMM */ | ||
| if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { | ||
| fast_spi_set_eiss(); | ||
| fast_spi_enable_wp(); | ||
| } | ||
|
|
||
| /* BIOS Lock */ | ||
| fast_spi_set_lock_enable(); | ||
|
|
||
| /* EXT BIOS Lock */ | ||
| fast_spi_set_ext_bios_lock_enable(); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| /* SPDX-License-Identifier: GPL-2.0-only */ | ||
|
|
||
| #include <arch/io.h> | ||
| #include <bootstate.h> | ||
| #include <console/console.h> | ||
| #include <cpu/x86/smm.h> | ||
| #include <device/mmio.h> | ||
| #include <device/pci.h> | ||
| #include <intelblocks/cse.h> | ||
| #include <intelblocks/lpc_lib.h> | ||
| #include <intelblocks/pcr.h> | ||
| #include <intelblocks/pmclib.h> | ||
| #include <intelblocks/systemagent.h> | ||
| #include <intelblocks/tco.h> | ||
| #include <intelblocks/thermal.h> | ||
| #include <intelpch/lockdown.h> | ||
| #include <soc/p2sb.h> | ||
| #include <soc/pci_devs.h> | ||
| #include <soc/pcr_ids.h> | ||
| #include <soc/pm.h> | ||
| #include <soc/smbus.h> | ||
| #include <soc/soc_chip.h> | ||
| #include <soc/systemagent.h> | ||
| #include <spi-generic.h> | ||
| #include <timer.h> | ||
|
|
||
| static void pch_finalize(void) | ||
| { | ||
| /* TCO Lock down */ | ||
| tco_lockdown(); | ||
|
|
||
| pmc_clear_pmcon_sts(); | ||
| } | ||
|
|
||
| static void tbt_finalize(void) | ||
| { | ||
| int i; | ||
| const struct device *dev; | ||
|
|
||
| /* Disable Thunderbolt PCIe root ports bus master */ | ||
| for (i = 0; i < NUM_TBT_FUNCTIONS; i++) { | ||
| dev = pcidev_path_on_root(PCI_DEVFN_TBT(i)); | ||
| if (dev) | ||
| pci_dev_disable_bus_master(dev); | ||
| } | ||
| } | ||
|
|
||
| static void sa_finalize(void) | ||
| { | ||
| if (get_lockdown_config() == CHIPSET_LOCKDOWN_COREBOOT) | ||
| sa_lock_pam(); | ||
| } | ||
|
|
||
| static void heci_finalize(void) | ||
| { | ||
| heci_set_to_d0i3(); | ||
| if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) | ||
| heci1_disable(); | ||
| } | ||
|
|
||
| static void soc_finalize(void *unused) | ||
| { | ||
| printk(BIOS_DEBUG, "Finalizing chipset.\n"); | ||
|
|
||
| pch_finalize(); | ||
| if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) | ||
| apm_control(APM_CNT_FINALIZE); | ||
|
|
||
| tbt_finalize(); | ||
| sa_finalize(); | ||
| if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && | ||
| CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) | ||
| heci_finalize(); | ||
|
|
||
| /* Indicate finalize step with post code */ | ||
| post_code(POSTCODE_OS_BOOT); | ||
| } | ||
|
|
||
| BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, soc_finalize, NULL); | ||
| /* | ||
| * The purpose of this change is to accommodate more time to push out sending | ||
| * CSE EOP messages at post. | ||
| */ | ||
| BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, soc_finalize, NULL); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.