Revert "coreboot dasharo fork patch: bump patchset to upstream reviewed"

This reverts commit f5fdf9a97e.
Unfortunately, patch doesn't apply to dasharo current fork pointed under modules/coreboot

Waiting for Dasharo to provide a patch updated to heads used fork/dasahro bumping to newer coreboot version for which patchset applies clealy

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-11-28 13:24:02 -05:00
parent 6f2ea7c7bf
commit 43b03fbe60
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461

View File

@ -1,63 +1,44 @@
From f9f309190246c66e92db5408c183dd8b617987f3 Mon Sep 17 00:00:00 2001 From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= <michal.zygowski@3mdeb.com> From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= <michal.zygowski@3mdeb.com>
Date: Sat, 23 Nov 2024 22:43:10 +0100 Date: Sun, 20 Oct 2024 13:15:19 +0200
Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI Heads payload uses APM_CNT_FINALIZE SMI to set and lock down
controller with PR0 flash protection for pre-Skylake platforms. the SPI controller with PR0 flash protection. Add new option
to skip LPC and FAST SPI lock down in coreboot and move it
to APM_CNT_FINALIZE SMI handler.
Add new option to skip LPC and FAST SPI lock down in coreboot and move
it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN
option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path,
like it was done on pre-Skylake platforms. As the locking on modern
SOCs became more complicated, separate the SPI and LPC locking into
new modules to make linking to SMM easier.
The expected configuration to leverage the feautre is to unselect
INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM.
Testing various microarchitectures happens on heads repository:
https://github.com/linuxboot/heads/pull/1818
TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake
(Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check
if flash is unlocked in the heads recovery console. Check if flash is
locked in the kexec'ed OS.
Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com> Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
--- ---
src/soc/intel/alderlake/finalize.c | 4 +- src/soc/intel/alderlake/finalize.c | 4 ++-
src/soc/intel/cannonlake/finalize.c | 4 +- src/soc/intel/cannonlake/finalize.c | 3 +-
src/soc/intel/common/block/lpc/Makefile.mk | 4 ++ src/soc/intel/common/block/lpc/Makefile.inc | 4 +++
src/soc/intel/common/block/smm/smihandler.c | 10 ++++ src/soc/intel/common/block/smm/smihandler.c | 10 ++++++
.../common/pch/include/intelpch/lockdown.h | 3 ++ .../common/pch/include/intelpch/lockdown.h | 3 ++
src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++ src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++
src/soc/intel/common/pch/lockdown/Makefile.mk | 5 ++ .../intel/common/pch/lockdown/Makefile.inc | 5 +++
src/soc/intel/common/pch/lockdown/lockdown.c | 48 ++----------------- src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------
.../intel/common/pch/lockdown/lockdown_lpc.c | 23 +++++++++ .../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++
.../intel/common/pch/lockdown/lockdown_spi.c | 32 +++++++++++++ .../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++
src/soc/intel/denverton_ns/lpc.c | 3 +- src/soc/intel/denverton_ns/lpc.c | 3 +-
src/soc/intel/elkhartlake/finalize.c | 4 +- src/soc/intel/elkhartlake/finalize.c | 3 +-
src/soc/intel/jasperlake/finalize.c | 3 +- src/soc/intel/jasperlake/finalize.c | 3 +-
src/soc/intel/meteorlake/finalize.c | 4 +- src/soc/intel/meteorlake/finalize.c | 3 +-
src/soc/intel/pantherlake/finalize.c | 4 +-
src/soc/intel/skylake/finalize.c | 3 +- src/soc/intel/skylake/finalize.c | 3 +-
src/soc/intel/tigerlake/finalize.c | 4 +- src/soc/intel/tigerlake/finalize.c | 3 +-
src/soc/intel/xeon_sp/finalize.c | 3 +- src/soc/intel/xeon_sp/finalize.c | 3 +-
src/soc/intel/xeon_sp/lockdown.c | 18 ++----- 17 files changed, 123 insertions(+), 33 deletions(-)
19 files changed, 127 insertions(+), 67 deletions(-)
create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c
create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c
diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c
index 700fde977b..615729d3dd 100644 index 460c8af174e..9cd9351d96a 100644
--- a/src/soc/intel/alderlake/finalize.c --- a/src/soc/intel/alderlake/finalize.c
+++ b/src/soc/intel/alderlake/finalize.c +++ b/src/soc/intel/alderlake/finalize.c
@@ -85,7 +85,9 @@ static void soc_finalize(void *unused) @@ -84,7 +84,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
@ -69,24 +50,23 @@ index 700fde977b..615729d3dd 100644
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE))
diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c
index 974794bd97..461ba3a884 100644 index ba7fc69b552..b5f727e97c7 100644
--- a/src/soc/intel/cannonlake/finalize.c --- a/src/soc/intel/cannonlake/finalize.c
+++ b/src/soc/intel/cannonlake/finalize.c +++ b/src/soc/intel/cannonlake/finalize.c
@@ -87,7 +87,9 @@ static void soc_finalize(void *unused) @@ -87,7 +87,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) &&
CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC))
heci1_disable(); heci1_disable();
diff --git a/src/soc/intel/common/block/lpc/Makefile.mk b/src/soc/intel/common/block/lpc/Makefile.mk diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc
index b510cd0ec3..60792654b5 100644 index b510cd0ec35..60792654b5a 100644
--- a/src/soc/intel/common/block/lpc/Makefile.mk --- a/src/soc/intel/common/block/lpc/Makefile.inc
+++ b/src/soc/intel/common/block/lpc/Makefile.mk +++ b/src/soc/intel/common/block/lpc/Makefile.inc
@@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c @@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
@ -96,10 +76,10 @@ index b510cd0ec3..60792654b5 100644
+smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c +smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
+endif +endif
diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c
index 59489a4f03..2a1f26d2eb 100644 index 4bfd17bfd07..dcd74764957 100644
--- a/src/soc/intel/common/block/smm/smihandler.c --- a/src/soc/intel/common/block/smm/smihandler.c
+++ b/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c
@@ -14,12 +14,14 @@ @@ -15,12 +15,14 @@
#include <device/pci_def.h> #include <device/pci_def.h>
#include <device/pci_ops.h> #include <device/pci_ops.h>
#include <elog.h> #include <elog.h>
@ -114,7 +94,7 @@ index 59489a4f03..2a1f26d2eb 100644
#include <smmstore.h> #include <smmstore.h>
#include <soc/nvs.h> #include <soc/nvs.h>
#include <soc/pci_devs.h> #include <soc/pci_devs.h>
@@ -345,6 +347,14 @@ static void finalize(void) @@ -343,6 +345,14 @@ static void finalize(void)
} }
finalize_done = 1; finalize_done = 1;
@ -130,7 +110,7 @@ index 59489a4f03..2a1f26d2eb 100644
/* Re-init SPI driver to handle locked BAR */ /* Re-init SPI driver to handle locked BAR */
fast_spi_init(); fast_spi_init();
diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h
index b5aba06fe0..1b96f41a2a 100644 index b5aba06fe0e..1b96f41a2a4 100644
--- a/src/soc/intel/common/pch/include/intelpch/lockdown.h --- a/src/soc/intel/common/pch/include/intelpch/lockdown.h
+++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h +++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h
@@ -22,4 +22,7 @@ int get_lockdown_config(void); @@ -22,4 +22,7 @@ int get_lockdown_config(void);
@ -142,10 +122,10 @@ index b5aba06fe0..1b96f41a2a 100644
+ +
#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */
diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig
index 38f60d2056..545185c52f 100644 index 8fce5e785c2..fbeb341e9ac 100644
--- a/src/soc/intel/common/pch/lockdown/Kconfig --- a/src/soc/intel/common/pch/lockdown/Kconfig
+++ b/src/soc/intel/common/pch/lockdown/Kconfig +++ b/src/soc/intel/common/pch/lockdown/Kconfig
@@ -3,7 +3,22 @@ @@ -1,7 +1,22 @@
config SOC_INTEL_COMMON_PCH_LOCKDOWN config SOC_INTEL_COMMON_PCH_LOCKDOWN
bool bool
default n default n
@ -158,7 +138,7 @@ index 38f60d2056..545185c52f 100644
+config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM +config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM
+ bool "Lock down SPI controller in SMM" + bool "Lock down SPI controller in SMM"
+ default n + default n
+ depends on HAVE_SMI_HANDLER && !INTEL_CHIPSET_LOCKDOWN + depends on HAVE_SMI_HANDLER
+ select SPI_FLASH_SMM + select SPI_FLASH_SMM
+ help + help
+ This option allows to have chipset lockdown for FAST_SPI and LPC for + This option allows to have chipset lockdown for FAST_SPI and LPC for
@ -166,12 +146,13 @@ index 38f60d2056..545185c52f 100644
+ and LPC controller. The payload or OS is responsible for locking it + and LPC controller. The payload or OS is responsible for locking it
+ using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash + using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash
+ protection. + protection.
+ +
+ If unsure, say N. + If unsure, say N.
diff --git a/src/soc/intel/common/pch/lockdown/Makefile.mk b/src/soc/intel/common/pch/lockdown/Makefile.mk \ No newline at end of file
index 71466f8edd..64aad562ac 100644 diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc
--- a/src/soc/intel/common/pch/lockdown/Makefile.mk index 71466f8edd1..64aad562acf 100644
+++ b/src/soc/intel/common/pch/lockdown/Makefile.mk --- a/src/soc/intel/common/pch/lockdown/Makefile.inc
+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc
@@ -1,2 +1,7 @@ @@ -1,2 +1,7 @@
## SPDX-License-Identifier: GPL-2.0-only ## SPDX-License-Identifier: GPL-2.0-only
ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c
@ -181,10 +162,10 @@ index 71466f8edd..64aad562ac 100644
+smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c
+smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c
diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c
index eec3beb01b..2d229e1a90 100644 index 1b1d99cc0c9..7e52fb826fe 100644
--- a/src/soc/intel/common/pch/lockdown/lockdown.c --- a/src/soc/intel/common/pch/lockdown/lockdown.c
+++ b/src/soc/intel/common/pch/lockdown/lockdown.c +++ b/src/soc/intel/common/pch/lockdown/lockdown.c
@@ -60,56 +60,17 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) @@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown)
/* Set FAST_SPI opcode menu */ /* Set FAST_SPI opcode menu */
fast_spi_set_opcode_menu(); fast_spi_set_opcode_menu();
@ -203,25 +184,22 @@ index eec3beb01b..2d229e1a90 100644
/* Set Vendor Component Lock (VCL) */ /* Set Vendor Component Lock (VCL) */
fast_spi_vscc0_lock(); fast_spi_vscc0_lock();
- /* Set BIOS Interface Lock, BIOS Lock */ + if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + return;
- /* BIOS Interface Lock */ +
- fast_spi_set_bios_interface_lock_down(); + /* Discrete Lock Flash PR registers */
- + fast_spi_pr_dlock();
- /* Only allow writes in SMM */ +
- if (CONFIG(BOOTMEDIA_SMM_BWP)) { + /* Lock FAST_SPIBAR */
- fast_spi_set_eiss(); + fast_spi_lock_bar();
- fast_spi_enable_wp(); +
- } /* Set BIOS Interface Lock, BIOS Lock */
- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
- /* BIOS Lock */ /* BIOS Interface Lock */
- fast_spi_set_lock_enable(); @@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown)
- }
- /* EXT BIOS Lock */ }
- fast_spi_set_ext_bios_lock_enable();
- }
-}
-
-static void lpc_lockdown_config(int chipset_lockdown) -static void lpc_lockdown_config(int chipset_lockdown)
-{ -{
- /* Set BIOS Interface Lock, BIOS Lock */ - /* Set BIOS Interface Lock, BIOS Lock */
@ -230,7 +208,7 @@ index eec3beb01b..2d229e1a90 100644
- lpc_set_bios_interface_lock_down(); - lpc_set_bios_interface_lock_down();
- -
- /* Only allow writes in SMM */ - /* Only allow writes in SMM */
- if (CONFIG(BOOTMEDIA_SMM_BWP)) { - if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) {
- lpc_set_eiss(); - lpc_set_eiss();
- lpc_enable_wp(); - lpc_enable_wp();
- } - }
@ -238,26 +216,14 @@ index eec3beb01b..2d229e1a90 100644
- /* BIOS Lock */ - /* BIOS Lock */
- lpc_set_lock_enable(); - lpc_set_lock_enable();
- } - }
+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) -}
+ fast_spi_lockdown_bios(chipset_lockdown); -
}
static void sa_lockdown_config(int chipset_lockdown) static void sa_lockdown_config(int chipset_lockdown)
@@ -135,8 +96,9 @@ static void platform_lockdown_config(void *unused) {
/* SPI lock down configuration */ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA))
fast_spi_lockdown_cfg(chipset_lockdown);
- /* LPC/eSPI lock down configuration */
- lpc_lockdown_config(chipset_lockdown);
+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
+ /* LPC/eSPI lock down configuration */
+ lpc_lockdown_config(chipset_lockdown);
/* GPMR lock down configuration */
gpmr_lockdown_cfg();
diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c
new file mode 100644 new file mode 100644
index 0000000000..69278ea343 index 00000000000..69278ea343f
--- /dev/null --- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
@ -286,10 +252,10 @@ index 0000000000..69278ea343
+} +}
diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c
new file mode 100644 new file mode 100644
index 0000000000..8dbe93013e index 00000000000..fa09cec7c2e
--- /dev/null --- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c
@@ -0,0 +1,32 @@ @@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0-only */ +/* SPDX-License-Identifier: GPL-2.0-only */
+ +
+#include <intelblocks/cfg.h> +#include <intelblocks/cfg.h>
@ -298,6 +264,9 @@ index 0000000000..8dbe93013e
+ +
+void fast_spi_lockdown_bios(int chipset_lockdown) +void fast_spi_lockdown_bios(int chipset_lockdown)
+{ +{
+ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI))
+ return;
+
+ /* Discrete Lock Flash PR registers */ + /* Discrete Lock Flash PR registers */
+ fast_spi_pr_dlock(); + fast_spi_pr_dlock();
+ +
@ -323,7 +292,7 @@ index 0000000000..8dbe93013e
+ } + }
+} +}
diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c
index 7dc971ea92..c4f7681c62 100644 index 7ebca1eb946..8d8acf05088 100644
--- a/src/soc/intel/denverton_ns/lpc.c --- a/src/soc/intel/denverton_ns/lpc.c
+++ b/src/soc/intel/denverton_ns/lpc.c +++ b/src/soc/intel/denverton_ns/lpc.c
@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { @@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = {
@ -337,25 +306,24 @@ index 7dc971ea92..c4f7681c62 100644
BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL);
diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c
index 275413b4ef..fc54710303 100644 index 275413b4efa..802d02cb596 100644
--- a/src/soc/intel/elkhartlake/finalize.c --- a/src/soc/intel/elkhartlake/finalize.c
+++ b/src/soc/intel/elkhartlake/finalize.c +++ b/src/soc/intel/elkhartlake/finalize.c
@@ -43,7 +43,9 @@ static void soc_finalize(void *unused) @@ -43,7 +43,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE))
heci_finalize(); heci_finalize();
diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c
index 8788db155d..4840c0c04c 100644 index 6cff7a80f30..1b68cc51786 100644
--- a/src/soc/intel/jasperlake/finalize.c --- a/src/soc/intel/jasperlake/finalize.c
+++ b/src/soc/intel/jasperlake/finalize.c +++ b/src/soc/intel/jasperlake/finalize.c
@@ -76,7 +76,8 @@ static void soc_finalize(void *unused) @@ -75,7 +75,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
@ -366,37 +334,21 @@ index 8788db155d..4840c0c04c 100644
/* Indicate finalize step with post code */ /* Indicate finalize step with post code */
post_code(POSTCODE_OS_BOOT); post_code(POSTCODE_OS_BOOT);
diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c
index 1fd1d98fb5..80802db285 100644 index a977b0516e5..951153fa812 100644
--- a/src/soc/intel/meteorlake/finalize.c --- a/src/soc/intel/meteorlake/finalize.c
+++ b/src/soc/intel/meteorlake/finalize.c +++ b/src/soc/intel/meteorlake/finalize.c
@@ -64,7 +64,9 @@ static void soc_finalize(void *unused) @@ -75,7 +75,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
tbt_finalize();
sa_finalize();
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
diff --git a/src/soc/intel/pantherlake/finalize.c b/src/soc/intel/pantherlake/finalize.c
index 05ec3eaaca..1d47dd7a0b 100644
--- a/src/soc/intel/pantherlake/finalize.c
+++ b/src/soc/intel/pantherlake/finalize.c
@@ -63,7 +63,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize();
- apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE);
+
tbt_finalize(); tbt_finalize();
sa_finalize(); sa_finalize();
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c
index fd80aeac1a..a147b62e46 100644 index fd80aeac1a0..a147b62e46f 100644
--- a/src/soc/intel/skylake/finalize.c --- a/src/soc/intel/skylake/finalize.c
+++ b/src/soc/intel/skylake/finalize.c +++ b/src/soc/intel/skylake/finalize.c
@@ -106,7 +106,8 @@ static void soc_finalize(void *unused) @@ -106,7 +106,8 @@ static void soc_finalize(void *unused)
@ -410,22 +362,21 @@ index fd80aeac1a..a147b62e46 100644
/* Indicate finalize step with post code */ /* Indicate finalize step with post code */
post_code(POSTCODE_OS_BOOT); post_code(POSTCODE_OS_BOOT);
diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c
index cd02745a9e..158b2fb691 100644 index cd02745a9e6..06ce243fe72 100644
--- a/src/soc/intel/tigerlake/finalize.c --- a/src/soc/intel/tigerlake/finalize.c
+++ b/src/soc/intel/tigerlake/finalize.c +++ b/src/soc/intel/tigerlake/finalize.c
@@ -55,7 +55,9 @@ static void soc_finalize(void *unused) @@ -55,7 +55,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
tbt_finalize(); tbt_finalize();
if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT))
heci1_disable(); heci1_disable();
diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c
index a7b3602744..f0cd8a1998 100644 index af630fe8127..8e409b8c439 100644
--- a/src/soc/intel/xeon_sp/finalize.c --- a/src/soc/intel/xeon_sp/finalize.c
+++ b/src/soc/intel/xeon_sp/finalize.c +++ b/src/soc/intel/xeon_sp/finalize.c
@@ -59,7 +59,8 @@ static void soc_finalize(void *unused) @@ -59,7 +59,8 @@ static void soc_finalize(void *unused)
@ -435,43 +386,6 @@ index a7b3602744..f0cd8a1998 100644
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
lock_pam0123();
if (CONFIG_MAX_SOCKET > 1) { if (CONFIG_MAX_SOCKET > 1) {
/* This MSR is package scope but run for all cpus for code simplicity */
diff --git a/src/soc/intel/xeon_sp/lockdown.c b/src/soc/intel/xeon_sp/lockdown.c
index a3d17b46c3..51a5cf5431 100644
--- a/src/soc/intel/xeon_sp/lockdown.c
+++ b/src/soc/intel/xeon_sp/lockdown.c
@@ -6,25 +6,15 @@
#include <soc/lockdown.h>
#include <soc/pm.h>
-static void lpc_lockdown_config(void)
-{
- /* Set BIOS Interface Lock, BIOS Lock */
- lpc_set_bios_interface_lock_down();
-
- /* Only allow writes in SMM */
- if (CONFIG(BOOTMEDIA_SMM_BWP)) {
- lpc_set_eiss();
- lpc_enable_wp();
- }
- lpc_set_lock_enable();
-}
-
void soc_lockdown_config(int chipset_lockdown)
{
if (chipset_lockdown == CHIPSET_LOCKDOWN_FSP)
return;
- lpc_lockdown_config();
+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
+ /* LPC/eSPI lock down configuration */
+ lpc_lockdown_config(chipset_lockdown);
+
pmc_lockdown_config();
sata_lockdown_config(chipset_lockdown);
spi_lockdown_config(chipset_lockdown);
--
2.39.5