From a5c1d8e929dd8dac94b2c236834d74e743773170 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 20 Oct 2024 12:54:27 -0400
Subject: [PATCH 01/10] dasharo coreboot fork patches: rename 501 and add PR0 patch; add coreboot config bits
Signed-off-by: Thierry Laurion
---
 config/coreboot-nitropad-nv41.config | 9 +-
 ...ch => 0001-tpm_pirq-not_conditional.patch} | 0
 ...002-pr0_chipset_locking-post_skylake.patch | 391 ++++++++++++++++++
 3 files changed, 398 insertions(+), 2 deletions(-)
 rename patches/coreboot-dasharo-unreleased/{501.patch => 0001-tpm_pirq-not_conditional.patch} (100%)
 create mode 100644 patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch
diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config
index 9484aaf5..0449d3b2 100644
--- a/config/coreboot-nitropad-nv41.config
+++ b/config/coreboot-nitropad-nv41.config
@@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+# CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM is not set
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000
@@ -730,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
diff --git a/patches/coreboot-dasharo-unreleased/501.patch b/patches/coreboot-dasharo-unreleased/0001-tpm_pirq-not_conditional.patch
similarity index 100%
rename from patches/coreboot-dasharo-unreleased/501.patch
rename to patches/coreboot-dasharo-unreleased/0001-tpm_pirq-not_conditional.patch
diff --git a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch
new file mode 100644
index 00000000..768dfc16
--- /dev/null
+++ b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch
@@ -0,0 +1,391 @@ +From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= +Date: Sun, 20 Oct 2024 13:15:19 +0200 +Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Heads payload uses APM_CNT_FINALIZE SMI to set and lock down +the SPI controller with PR0 flash protection. Add new option +to skip LPC and FAST SPI lock down in coreboot and move it +to APM_CNT_FINALIZE SMI handler. + +Signed-off-by: Michał Żygowski +--- + src/soc/intel/alderlake/finalize.c | 4 ++- + src/soc/intel/cannonlake/finalize.c | 3 +- + src/soc/intel/common/block/lpc/Makefile.inc | 4 +++ + src/soc/intel/common/block/smm/smihandler.c | 10 ++++++ + .../common/pch/include/intelpch/lockdown.h | 3 ++ + src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++ + .../intel/common/pch/lockdown/Makefile.inc | 5 +++ + src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------ + .../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++ + .../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++ + src/soc/intel/denverton_ns/lpc.c | 3 +- + src/soc/intel/elkhartlake/finalize.c | 3 +- + src/soc/intel/jasperlake/finalize.c | 3 +- + src/soc/intel/meteorlake/finalize.c | 3 +- + src/soc/intel/skylake/finalize.c | 3 +- + src/soc/intel/tigerlake/finalize.c | 3 +- + src/soc/intel/xeon_sp/finalize.c | 3 +- + 17 files changed, 123 insertions(+), 33 deletions(-) + create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c + create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c + +diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c +index 460c8af174e..9cd9351d96a 100644 +--- a/src/soc/intel/alderlake/finalize.c ++++ b/src/soc/intel/alderlake/finalize.c +@@ -84,7 +84,9 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + 
pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); ++ + tbt_finalize(); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && + CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) +diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c +index ba7fc69b552..b5f727e97c7 100644 +--- a/src/soc/intel/cannonlake/finalize.c ++++ b/src/soc/intel/cannonlake/finalize.c +@@ -87,7 +87,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && + CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) + heci1_disable(); +diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc +index b510cd0ec35..60792654b5a 100644 +--- a/src/soc/intel/common/block/lpc/Makefile.inc ++++ b/src/soc/intel/common/block/lpc/Makefile.inc +@@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c + + ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c + ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc.c ++ ++ifeq ($(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM),y) ++smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ++endif +diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c +index 4bfd17bfd07..dcd74764957 100644 +--- a/src/soc/intel/common/block/smm/smihandler.c ++++ b/src/soc/intel/common/block/smm/smihandler.c +@@ -15,12 +15,14 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + #include + #include ++#include + #include + #include + #include +@@ -343,6 +345,14 @@ static void finalize(void) + } + finalize_done = 1; + ++ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) { ++ /* SPI lock down 
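Review bot: With `INTEL_CHIPSET_LOCKDOWN` disabled, `apm_control(APM_CNT_FINALIZE)` is now issued by coreboot only on S3 resume, so on a cold boot everything the SMI handler's `finalize()` does — including the SPI and LPC locks this patch moves there — happens only if the payload issues the SMI, and a boot path that never reaches the payload's lock step leaves those registers unlocked until the next reset. The same two-line condition is repeated in the cannonlake, denverton_ns, elkhartlake, jasperlake, meteorlake, skylake, tigerlake and xeon_sp hunks; a single helper in the lockdown header (e.g. `static inline bool lockdown_finalize_in_coreboot(void)`) would keep the policy in one place and give its rationale one home. None of the hunks adds an include for `acpi_is_wakeup_s3()`; the include lists are outside the hunks, so presumably already present — verify per SoC. I would put above the condition: `/* Without INTEL_CHIPSET_LOCKDOWN the payload is expected to issue APM_CNT_FINALIZE; coreboot only does it on S3 resume, where the payload does not run. */`. `soc_finalize()` begins and ends outside the hunk.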
configuration */ ++ fast_spi_lockdown_bios(CHIPSET_LOCKDOWN_COREBOOT); ++ ++ /* LPC/eSPI lock down configuration */ ++ lpc_lockdown_config(CHIPSET_LOCKDOWN_COREBOOT); ++ } ++ + if (CONFIG(SPI_FLASH_SMM)) + /* Re-init SPI driver to handle locked BAR */ + fast_spi_init(); +diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h +index b5aba06fe0e..1b96f41a2a4 100644 +--- a/src/soc/intel/common/pch/include/intelpch/lockdown.h ++++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h +@@ -22,4 +22,7 @@ int get_lockdown_config(void); + */ + void soc_lockdown_config(int chipset_lockdown); + ++void fast_spi_lockdown_bios(int chipset_lockdown); ++void lpc_lockdown_config(int chipset_lockdown); ++ + #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ +diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig +index 8fce5e785c2..fbeb341e9ac 100644 +--- a/src/soc/intel/common/pch/lockdown/Kconfig ++++ b/src/soc/intel/common/pch/lockdown/Kconfig +@@ -1,7 +1,22 @@ + config SOC_INTEL_COMMON_PCH_LOCKDOWN + bool + default n ++ select HAVE_INTEL_CHIPSET_LOCKDOWN + help + This option allows to have chipset lockdown for DMI, FAST_SPI and + soc_lockdown_config() to implement any additional lockdown as PMC, + LPC for supported PCH. ++ ++config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM ++ bool "Lock down SPI controller in SMM" ++ default n ++ depends on HAVE_SMI_HANDLER ++ select SPI_FLASH_SMM ++ help ++ This option allows to have chipset lockdown for FAST_SPI and LPC for ++ supported PCH. If selected, coreboot will skip locking down the SPI ++ and LPC controller. The payload or OS is responsible for locking it ++ using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash ++ protection. ++ ++ If unsure, say N. 
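Review bot: The two new calls in the SMI handler's `finalize()` pass `CHIPSET_LOCKDOWN_COREBOOT` literally instead of `get_lockdown_config()`, which the lockdown.h hunk shows is the existing accessor; with `INTEL_CHIPSET_LOCKDOWN` unset in the Heads config the literal is presumably deliberate, but an unexplained constant in a lock path reads like a bug to the next maintainer. A one-line comment would settle it: `/* Apply the coreboot lock policy regardless of get_lockdown_config(): this option exists for payloads that issue APM_CNT_FINALIZE themselves. */`. The ordering as written is right: `fast_spi_lockdown_bios()` locks FAST_SPIBAR before the `fast_spi_init()` re-init that the existing comment says handles the locked BAR, so do not move the block below it. `finalize()` begins outside the hunk.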
+\ No newline at end of file +diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc +index 71466f8edd1..64aad562acf 100644 +--- a/src/soc/intel/common/pch/lockdown/Makefile.inc ++++ b/src/soc/intel/common/pch/lockdown/Makefile.inc +@@ -1,2 +1,7 @@ + ## SPDX-License-Identifier: GPL-2.0-only + ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c ++ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_lpc.c ++ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_spi.c ++ ++smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c ++smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c +diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c +index 1b1d99cc0c9..7e52fb826fe 100644 +--- a/src/soc/intel/common/pch/lockdown/lockdown.c ++++ b/src/soc/intel/common/pch/lockdown/lockdown.c +@@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) + /* Set FAST_SPI opcode menu */ + fast_spi_set_opcode_menu(); + +- /* Discrete Lock Flash PR registers */ +- fast_spi_pr_dlock(); +- + /* Check if SPI transaction is pending */ + fast_spi_cycle_in_progress(); + + /* Clear any outstanding status bits like AEL, FCERR, FDONE, SAF etc. 
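Review bot: The help text for `SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM` says coreboot "will skip locking down the SPI and LPC controller", but the lockdown.c hunk shows the opcode menu and VCL lock still applied in ramstage and only the PR discrete lock, the FAST_SPIBAR lock and the BIOS/LPC lock bits deferred to the SMI; the text should list exactly what is deferred, since that is what a reader deciding whether the option is safe for their platform needs. The prompt `"Lock down SPI controller in SMM"` also omits LPC. The option has no `depends on SOC_INTEL_COMMON_PCH_LOCKDOWN` although the early return it enables lives in that code and the Makefile.inc hunk builds its SMM objects from that directory — worth adding unless the smm- rules are meant to stand alone. The file also loses its trailing newline (`\ No newline at end of file`).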
*/ + fast_spi_clear_outstanding_status(); + +- /* Lock FAST_SPIBAR */ +- fast_spi_lock_bar(); +- + /* Set Vendor Component Lock (VCL) */ + fast_spi_vscc0_lock(); + ++ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ return; ++ ++ /* Discrete Lock Flash PR registers */ ++ fast_spi_pr_dlock(); ++ ++ /* Lock FAST_SPIBAR */ ++ fast_spi_lock_bar(); ++ + /* Set BIOS Interface Lock, BIOS Lock */ + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + /* BIOS Interface Lock */ +@@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) + } + } + +-static void lpc_lockdown_config(int chipset_lockdown) +-{ +- /* Set BIOS Interface Lock, BIOS Lock */ +- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { +- /* BIOS Interface Lock */ +- lpc_set_bios_interface_lock_down(); +- +- /* Only allow writes in SMM */ +- if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { +- lpc_set_eiss(); +- lpc_enable_wp(); +- } +- +- /* BIOS Lock */ +- lpc_set_lock_enable(); +- } +-} +- + static void sa_lockdown_config(int chipset_lockdown) + { + if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA)) +diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +new file mode 100644 +index 00000000000..69278ea343f +--- /dev/null ++++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +@@ -0,0 +1,23 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++#include ++ ++void lpc_lockdown_config(int chipset_lockdown) ++{ ++ /* Set BIOS Interface Lock, BIOS Lock */ ++ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { ++ /* BIOS Interface Lock */ ++ lpc_set_bios_interface_lock_down(); ++ ++ /* Only allow writes in SMM */ ++ if (CONFIG(BOOTMEDIA_SMM_BWP)) { ++ lpc_set_eiss(); ++ lpc_enable_wp(); ++ } ++ ++ /* BIOS Lock */ ++ lpc_set_lock_enable(); ++ } ++} +diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +new file mode 100644 +index 00000000000..fa09cec7c2e 
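Review bot: The early `return` on `SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM` in `fast_spi_lockdown_cfg()` leaves the PR discrete lock, the FAST_SPIBAR lock and the BIOS lock bits unset in ramstage without saying where they are applied instead; add `/* PR dlock, BAR lock and BIOS lock are applied by fast_spi_lockdown_bios() from the APM_CNT_FINALIZE SMI handler. */` above it so the dependency on the payload is visible at the point where locking stops. After the return the function appears to keep its own copy of the BIOS-lock sequence while the new lockdown_spi.c holds the same sequence in `fast_spi_lockdown_bios()`, and the Makefile.inc hunk builds that file for ramstage as well; calling `fast_spi_lockdown_bios(chipset_lockdown)` here instead of the inline copy would stop the two from drifting apart. The second lockdown.c hunk only removes the static `lpc_lockdown_config()` that lockdown_lpc.c now provides. `fast_spi_lockdown_cfg()` ends outside the first hunk.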
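Review bot: `lpc_lockdown_config()` as re-added in lockdown_lpc.c drops the `is_smm_bwp_permitted()` half of the condition the removed copy in lockdown.c had (`if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted())`), so with `BOOTMEDIA_SMM_BWP=y` EISS and WP are now set unconditionally — and because Makefile.inc links this file into ramstage too, that is a behaviour change for every board using `SOC_INTEL_COMMON_PCH_LOCKDOWN`, not only for the new SMM option. `fast_spi_lockdown_bios()` in lockdown_spi.c has the same `if (CONFIG(BOOTMEDIA_SMM_BWP))` shape; its ramstage predecessor is outside the hunk, so I cannot tell whether that one changed as well. If the runtime check was dropped because it is not available in SMM, keep it for ramstage with `if (CONFIG(BOOTMEDIA_SMM_BWP) && (ENV_SMM || is_smm_bwp_permitted()))` and say so in a comment; otherwise restore the original condition.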
+--- /dev/null ++++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +@@ -0,0 +1,35 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++#include ++ ++void fast_spi_lockdown_bios(int chipset_lockdown) ++{ ++ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI)) ++ return; ++ ++ /* Discrete Lock Flash PR registers */ ++ fast_spi_pr_dlock(); ++ ++ /* Lock FAST_SPIBAR */ ++ fast_spi_lock_bar(); ++ ++ /* Set BIOS Interface Lock, BIOS Lock */ ++ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { ++ /* BIOS Interface Lock */ ++ fast_spi_set_bios_interface_lock_down(); ++ ++ /* Only allow writes in SMM */ ++ if (CONFIG(BOOTMEDIA_SMM_BWP)) { ++ fast_spi_set_eiss(); ++ fast_spi_enable_wp(); ++ } ++ ++ /* BIOS Lock */ ++ fast_spi_set_lock_enable(); ++ ++ /* EXT BIOS Lock */ ++ fast_spi_set_ext_bios_lock_enable(); ++ } ++} +diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c +index 7ebca1eb946..8d8acf05088 100644 +--- a/src/soc/intel/denverton_ns/lpc.c ++++ b/src/soc/intel/denverton_ns/lpc.c +@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { + + static void finalize_chipset(void *unused) + { +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + } + + BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); +diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c +index 275413b4efa..802d02cb596 100644 +--- a/src/soc/intel/elkhartlake/finalize.c ++++ b/src/soc/intel/elkhartlake/finalize.c +@@ -43,7 +43,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && + CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) + heci_finalize(); +diff --git 
a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c +index 6cff7a80f30..1b68cc51786 100644 +--- a/src/soc/intel/jasperlake/finalize.c ++++ b/src/soc/intel/jasperlake/finalize.c +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + + /* Indicate finalize step with post code */ + post_code(POSTCODE_OS_BOOT); +diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c +index a977b0516e5..951153fa812 100644 +--- a/src/soc/intel/meteorlake/finalize.c ++++ b/src/soc/intel/meteorlake/finalize.c +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + tbt_finalize(); + sa_finalize(); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && +diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c +index fd80aeac1a0..a147b62e46f 100644 +--- a/src/soc/intel/skylake/finalize.c ++++ b/src/soc/intel/skylake/finalize.c +@@ -106,7 +106,8 @@ static void soc_finalize(void *unused) + pch_finalize_script(dev); + + soc_lockdown(dev); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + + /* Indicate finalize step with post code */ + post_code(POSTCODE_OS_BOOT); +diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c +index cd02745a9e6..06ce243fe72 100644 +--- a/src/soc/intel/tigerlake/finalize.c ++++ b/src/soc/intel/tigerlake/finalize.c +@@ -55,7 +55,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if 
(CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + tbt_finalize(); + if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) + heci1_disable(); +diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c +index af630fe8127..8e409b8c439 100644 +--- a/src/soc/intel/xeon_sp/finalize.c ++++ b/src/soc/intel/xeon_sp/finalize.c +@@ -59,7 +59,8 @@ static void soc_finalize(void *unused) + if (!CONFIG(USE_PM_ACPI_TIMER)) + setbits8(pmc_mmio_regs() + PCH_PWRM_ACPI_TMR_CTL, ACPI_TIM_DIS); + +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + lock_pam0123(); + + if (CONFIG_MAX_SOCKET > 1) { From eecc611d736ba1bde874b8e4022da29299872d87 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 22 Oct 2024 06:46:14 -0400 Subject: [PATCH 02/10] bin/lock_chip: Correct PR0 statement Signed-off-by: Thierry Laurion --- initrd/bin/lock_chip | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip index 9519dc16..7578295f 100755 --- a/initrd/bin/lock_chip +++ b/initrd/bin/lock_chip 
@@ -15,27 +15,11 @@ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
 fi
 if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
- # SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
- # SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
- # for SMM access.
- #
- # It uses the processor’s memory protection and paging mechanisms to restrict what
- # SMM code can read and write. SMM Supervisor marks critical pages, such as its
- # own code, data, and page tables, as supervisor pages, which are only accessible
- # from the most privileged level (CPL0).
- #
- # It also marks the rest of the SMM memory as user pages, which are accessible
- # from any privilege level.
- #
- # This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
- # that states what resources the SMI handlers (the interrupt handlers that run in SMM)
- # require access to.
- #
- # SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
- # which prevents further changes to the SMM memory and configuration.
- # Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
- # This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
- # after the system boots.
+ # PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
+ # which prevents further changes to the SPI controller configuration. The flash
+ # will become write protected in the range specified in the PR0 register. Once
+ # the protection is set and locked, it cannot be disabled
+ # until the next system reset.
 echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
 io386 -o b -b x $APM_CNT $FIN_CODE
 else
From 7e679d6d686ed560331b5951b9ab33832ee40ea6 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 22 Oct 2024 07:05:34 -0400
Subject: [PATCH 03/10] lock_chip: update documentation for skylake+
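Review bot: The rewritten comment states that the flash becomes write protected in the PR0 range and cannot be unlocked until reset, but nothing after `io386 -o b -b x $APM_CNT $FIN_CODE` checks that the SMI handler actually applied the lock — the script prints "Finalizing chipset Write Protection" whether or not FLOCKDN ended up set. Reading the lock state back after the call, or at least saying in the comment that success is assumed and depends on coreboot's SMI handler, would make a failed finalize visible at boot instead of silent. The comment should also make clear that this script only triggers the SMI and that PR0 itself is programmed by coreboot, e.g. `# PR0 is programmed by coreboot (presumably via its CONFIG_BOOTMEDIA_LOCK_* mode); this script only issues the APM_CNT_FINALIZE SMI that sets FLOCKDN.`. The enclosing `if` block begins before the hunk.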
Signed-off-by: Thierry Laurion
---
 initrd/bin/lock_chip | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
index 7578295f..d9d4fbfa 100755
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@@ -1,9 +1,9 @@
 #!/bin/sh
 # For this to work:
-# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
-# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+# - io386 module needs to be enabled in board config
+# - =Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
 # - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
-# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
 #include ash shell functions (TRACE requires it)
 . /etc/ash_functions
From eac77efc9b0f20709a32a747cc93a06bae383866 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 20 Oct 2024 13:22:43 -0400
Subject: [PATCH 04/10] nv41: add lock_chip current requirements for pre-skylake in board config
Signed-off-by: Thierry Laurion
---
 boards/nitropad-nv41/nitropad-nv41.config | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/boards/nitropad-nv41/nitropad-nv41.config b/boards/nitropad-nv41/nitropad-nv41.config
index 54bc0d44..d1c7c609 100644
--- a/boards/nitropad-nv41/nitropad-nv41.config
+++ b/boards/nitropad-nv41/nitropad-nv41.config
@@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MSRTOOLS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+
+
 #Remote attestation support
 # TPM2 requirements
 CONFIG_TPM2_TSS=y
From de1ee26fe351832c954ea117a8bb2be64848c014 Mon Sep 17 00:00:00 2001
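Review bot: `# - =Skylake:` in the new lock_chip header reads as a garbled `>=Skylake:`; as committed the bullet limits itself to Skylake alone, so restore the `>=` or write `Skylake and later:`. The removed requirement — `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y` without `CONFIG_INTEL_CHIPSET_LOCKDOWN` — is still what the first patch of this series configures for the nv41, and "same as above" now refers only to the io386 bullet, so the pre-Skylake coreboot requirement is no longer documented anywhere in the header; keep it as its own bullet, e.g. `# - pre-Skylake: coreboot config needs CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without CONFIG_INTEL_CHIPSET_LOCKDOWN`. The `(sandy/ivy/haswell know to work)` hint is dropped without a replacement; if it still holds, keep it (with "known").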
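Review bot: `CONFIG_MSRTOOLS=y` is removed from the nv41 board config while the commit message only speaks of adding the lock_chip requirements; if the removal is intentional it belongs in the message, otherwise the line should stay. The hunk exports `CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y` for a board the series elsewhere treats as Skylake-or-later (patch 05 enables `CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM` for it), which patch 06 then renames away — consistent as a series, but misleading as a standalone commit. The `#platform locking finalization (PR0)` comment could say that on this board lock_chip relies on the SMM lockdown option in the coreboot config rather than on pre-Skylake behaviour, so the next reader does not take the variable name at face value.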
From: Thierry Laurion
Date: Sun, 20 Oct 2024 13:39:02 -0400
Subject: [PATCH 05/10] nv41 coreboot config: add CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y which enables CONFIG_SPI_FLASH_SMM=y (skylake+ requirements)
Signed-off-by: Thierry Laurion
---
 config/coreboot-nitropad-nv41.config | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config
index 0449d3b2..cd9adc52 100644
--- a/config/coreboot-nitropad-nv41.config
+++ b/config/coreboot-nitropad-nv41.config
@@ -428,7 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
-# CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM is not set
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -621,6 +621,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 # CONFIG_TPM_PPI is not set
From e999c90a16302b9a34efb86eb8085e15d327d0cd Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 22 Oct 2024 06:50:41 -0400
Subject: [PATCH 06/10] codebase: CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE -> CONFIG_FINALIZE_PLATFORM_LOCKING
Signed-off-by: Thierry Laurion --- .../UNTESTED_t440p-maximized.config | 2 +- .../UNTESTED_w541-maximized/UNTESTED_w541-maximized.config | 2 +- boards/nitropad-nv41/nitropad-nv41.config | 2 +- .../optiplex-7010_9010-hotp-maximized.config | 2 +- .../optiplex-7010_9010-maximized.config | 2 +- .../optiplex-7010_9010_TXT-hotp-maximized.config | 2 +- .../optiplex-7010_9010_TXT-maximized.config | 2 +- boards/t420-hotp-maximized/t420-hotp-maximized.config | 2 +- boards/t420-maximized/t420-maximized.config | 2 +- boards/t430-hotp-maximized/t430-hotp-maximized.config | 2 +- boards/t430-maximized/t430-maximized.config | 2 +- boards/t530-hotp-maximized/t530-hotp-maximized.config | 2 +- boards/t530-maximized/t530-maximized.config | 2 +- boards/w530-hotp-maximized/w530-hotp-maximized.config | 2 +- boards/w530-maximized/w530-maximized.config | 2 +- boards/x220-hotp-maximized/x220-hotp-maximized.config | 2 +- boards/x220-maximized/x220-maximized.config | 2 +- .../x230-hotp-maximized-fhd_edp.config | 2 +- boards/x230-hotp-maximized/x230-hotp-maximized.config | 2 +- .../x230-hotp-maximized_usb-kb.config | 2 +- boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config | 2 +- boards/x230-maximized/x230-maximized.config | 2 +- boards/z220-cmt-maximized/z220-cmt-maximized.config | 2 +- initrd/bin/config-gui.sh | 6 +++--- initrd/bin/kexec-boot | 2 +- initrd/bin/lock_chip | 2 +- 26 files changed, 28 insertions(+), 28 deletions(-) diff --git a/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config b/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config index 260f320f..6ea92e2f 100644 --- a/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config +++ b/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config 
@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead diff --git a/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config b/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config index 046a872a..5c7a27cd 100644 --- a/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config +++ b/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead diff --git a/boards/nitropad-nv41/nitropad-nv41.config b/boards/nitropad-nv41/nitropad-nv41.config index d1c7c609..6d9481dc 100644 --- a/boards/nitropad-nv41/nitropad-nv41.config +++ b/boards/nitropad-nv41/nitropad-nv41.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config index b034491b..e695df4f 100644 --- a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config +++ b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n 
diff --git a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config index 1e0ed105..9d4e0e6f 100644 --- a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config +++ b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config @@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config index ab0d8c42..35aa57d1 100644 --- a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config +++ b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config index eef49910..03a711e4 100644 --- a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config +++ b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config 
@@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 9975550f..4ab33a43 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index 39475d88..1293dd2d 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index d9961116..4b64ffef 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 188048bf..4164db3d 100644 --- a/boards/t430-maximized/t430-maximized.config 
+++ b/boards/t430-maximized/t430-maximized.config @@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 213547f9..bdd005ae 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 4449e2d8..b291fa94 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index 7d7a1826..ddb91dba 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index e9bb59df..bb691ad7 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config 
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 1a777086..b8dc88e4 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 55265785..2bd094ec 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index 1bb65c31..0e8c8420 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index f4e85983..cdd0c867 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config 
+++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index a6dd8727..8508baa8 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -39,7 +39,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index feda20a9..7ca11057 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7b5b4a01..78cc6492 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -34,7 +34,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support 
diff --git a/boards/z220-cmt-maximized/z220-cmt-maximized.config b/boards/z220-cmt-maximized/z220-cmt-maximized.config index 41cb9927..c254331d 100644 --- a/boards/z220-cmt-maximized/z220-cmt-maximized.config +++ b/boards/z220-cmt-maximized/z220-cmt-maximized.config @@ -43,7 +43,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 7f8142e6..1ee1d381 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -85,7 +85,7 @@ while true; do 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output" ) - [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ] && dynamic_config_options+=( + [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=( 't' ' Deactivate Platform Locking to permit OS write access to firmware' ) @@ -105,8 +105,8 @@ while true; do case "$menu_choice" in "t" ) - unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE - replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n" + unset CONFIG_FINALIZE_PLATFORM_LOCKING + replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n" combine_configs . /tmp/config ;; diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index 14478879..fa37ebf9 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -170,7 +170,7 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr kexec_finalize fi -if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then +if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then lock_chip fi diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip index d9d4fbfa..6085b84e 100755 --- a/initrd/bin/lock_chip +++ b/initrd/bin/lock_chip 
@@ -9,7 +9,7 @@ . /etc/ash_functions TRACE "Under /bin/lock_chip" -if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then +if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then APM_CNT=0xb2 FIN_CODE=0xcb fi From ef0b70a89a893f7db295cc7cb9bf6d3b0a0dbc3b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 22 Oct 2024 06:57:04 -0400 Subject: [PATCH 07/10] ns50: add PR0 chipset locking requirements to board config and coreboot config Signed-off-by: Thierry Laurion --- boards/nitropad-ns50/nitropad-ns50.config | 7 ++++++- config/coreboot-nitropad-ns50.config | 10 ++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config index 7721927b..c0eccb69 100644 --- a/boards/nitropad-ns50/nitropad-ns50.config +++ b/boards/nitropad-ns50/nitropad-ns50.config @@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y -CONFIG_MSRTOOLS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + #Remote attestation support # TPM2 requirements CONFIG_TPM2_TSS=y diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config index 9e5dc0ee..f7f95058 100644 --- a/config/coreboot-nitropad-ns50.config +++ b/config/coreboot-nitropad-ns50.config @@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y CONFIG_SOC_INTEL_COMMON_PCH_BASE=y CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y +CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y 
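Review bot: The nitropad-ns50.config hunk removes `CONFIG_MSRTOOLS=y` in the same change that adds the PR0 lines, and neither the subject nor the message says why; unless msr-tools is known to be unused on this board, that removal is an unrelated functional change and should be split out or justified. The new block is also the only place that ties `CONFIG_FINALIZE_PLATFORM_LOCKING=y` to the coreboot side of this series (INTEL_CHIPSET_LOCKDOWN unset, SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM selected), under which, per the bundled coreboot patch, ramstage only issues APM_CNT_FINALIZE on S3 resume and the SPI controller otherwise stays unlocked until `lock_chip` runs from kexec-boot. Since comments in generated coreboot `.config` files do not survive regeneration, record that coupling here, e.g. replace the comment with `# PR0 locking is done by Heads lock_chip via APM_CNT_FINALIZE: requires coreboot SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y with INTEL_CHIPSET_LOCKDOWN unset`. Otherwise a later config resync that flips either coreboot symbol changes when, or whether, the flash gets locked, with nothing in this file to flag it.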
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 CONFIG_RCBA_LENGTH=0x4000 @@ -617,6 +620,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y CONFIG_SPI_FLASH=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y +CONFIG_SPI_FLASH_SMM=y # CONFIG_SPI_FLASH_NO_FAST_READ is not set CONFIG_TPM_INIT_RAMSTAGE=y # CONFIG_TPM_PPI is not set @@ -729,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set # CONFIG_INTEL_CBNT_SUPPORT is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y -# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set +# CONFIG_BOOTMEDIA_LOCK_NONE is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security From f5fdf9a97e2d730fbaf888b33e730f51fdbdf4ed Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 28 Nov 2024 11:51:46 -0500 Subject: [PATCH 08/10] coreboot dasharo fork patch: bump patchset to upstream reviewed repro: git fetch https://review.coreboot.org/coreboot refs/changes/78/85278/3 && git format-patch -1 --stdout FETCH_HEAD > patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch Signed-off-by: Thierry Laurion --- ...002-pr0_chipset_locking-post_skylake.patch | 248 ++++++++++++------ 1 file changed, 167 insertions(+), 81 deletions(-) diff --git a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch index 768dfc16..c8e4cd25 100644 
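Review bot: In the `@@ -729` hunk the boot-media choice becomes `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y` plus `CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y` while `INTEL_CHIPSET_LOCKDOWN` stays unset and `BOOTMEDIA_SMM_BWP` stays off, and the message does not say how that interacts with Heads doing the PR0 lock itself from `lock_chip`. If WHOLE_RO makes coreboot program a write-protected range over the whole flash before the payload runs, the Heads recovery console may no longer be able to flash even though the controller is not yet DLOCKed; please confirm on this board and state it in the message, since the TEST line of the bundled coreboot patch covers only Protectli VP46xx/VP66xx. With SMM_BWP off, BIOS-region writes are not restricted to SMM, so whatever the SMM finalize handler sets when `lock_chip` triggers it is the entire post-kexec write protection; that threat-model boundary (OS-level writes blocked until the next reset, nothing stronger) deserves an explicit sentence. Put it as a comment next to the PR0 lines in boards/nitropad-ns50/nitropad-ns50.config rather than here, since this generated file will not keep one.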
--- a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch +++ b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch @@ -1,44 +1,63 @@ -From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001 +From f9f309190246c66e92db5408c183dd8b617987f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= -Date: Sun, 20 Oct 2024 13:15:19 +0200 +Date: Sat, 23 Nov 2024 22:43:10 +0100 Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -Heads payload uses APM_CNT_FINALIZE SMI to set and lock down -the SPI controller with PR0 flash protection. Add new option -to skip LPC and FAST SPI lock down in coreboot and move it -to APM_CNT_FINALIZE SMI handler. +Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI +controller with PR0 flash protection for pre-Skylake platforms. +Add new option to skip LPC and FAST SPI lock down in coreboot and move +it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN +option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path, +like it was done on pre-Skylake platforms. As the locking on modern +SOCs became more complicated, separate the SPI and LPC locking into +new modules to make linking to SMM easier. + +The expected configuration to leverage the feautre is to unselect +INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM. + +Testing various microarchitectures happens on heads repository: +https://github.com/linuxboot/heads/pull/1818 + +TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake +(Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check +if flash is unlocked in the heads recovery console. Check if flash is +locked in the kexec'ed OS. + +Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838 
Signed-off-by: Michał Żygowski --- - src/soc/intel/alderlake/finalize.c | 4 ++- - src/soc/intel/cannonlake/finalize.c | 3 +- - src/soc/intel/common/block/lpc/Makefile.inc | 4 +++ - src/soc/intel/common/block/smm/smihandler.c | 10 ++++++ + src/soc/intel/alderlake/finalize.c | 4 +- + src/soc/intel/cannonlake/finalize.c | 4 +- + src/soc/intel/common/block/lpc/Makefile.mk | 4 ++ + src/soc/intel/common/block/smm/smihandler.c | 10 ++++ .../common/pch/include/intelpch/lockdown.h | 3 ++ - src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++ - .../intel/common/pch/lockdown/Makefile.inc | 5 +++ - src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------ - .../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++ - .../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++ + src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++ + src/soc/intel/common/pch/lockdown/Makefile.mk | 5 ++ + src/soc/intel/common/pch/lockdown/lockdown.c | 48 ++----------------- + .../intel/common/pch/lockdown/lockdown_lpc.c | 23 +++++++++ + .../intel/common/pch/lockdown/lockdown_spi.c | 32 +++++++++++++ src/soc/intel/denverton_ns/lpc.c | 3 +- - src/soc/intel/elkhartlake/finalize.c | 3 +- + src/soc/intel/elkhartlake/finalize.c | 4 +- src/soc/intel/jasperlake/finalize.c | 3 +- - src/soc/intel/meteorlake/finalize.c | 3 +- + src/soc/intel/meteorlake/finalize.c | 4 +- + src/soc/intel/pantherlake/finalize.c | 4 +- src/soc/intel/skylake/finalize.c | 3 +- - src/soc/intel/tigerlake/finalize.c | 3 +- + src/soc/intel/tigerlake/finalize.c | 4 +- src/soc/intel/xeon_sp/finalize.c | 3 +- - 17 files changed, 123 insertions(+), 33 deletions(-) + src/soc/intel/xeon_sp/lockdown.c | 18 ++----- + 19 files changed, 127 insertions(+), 67 deletions(-) create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c 
diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c -index 460c8af174e..9cd9351d96a 100644 +index 700fde977b..615729d3dd 100644 --- a/src/soc/intel/alderlake/finalize.c +++ b/src/soc/intel/alderlake/finalize.c -@@ -84,7 +84,9 @@ static void soc_finalize(void *unused) +@@ -85,7 +85,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); @@ -50,23 +69,24 @@ index 460c8af174e..9cd9351d96a 100644 if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c -index ba7fc69b552..b5f727e97c7 100644 +index 974794bd97..461ba3a884 100644 --- a/src/soc/intel/cannonlake/finalize.c +++ b/src/soc/intel/cannonlake/finalize.c -@@ -87,7 +87,8 @@ static void soc_finalize(void *unused) +@@ -87,7 +87,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) heci1_disable(); -diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc -index b510cd0ec35..60792654b5a 100644 ---- a/src/soc/intel/common/block/lpc/Makefile.inc -+++ b/src/soc/intel/common/block/lpc/Makefile.inc +diff --git a/src/soc/intel/common/block/lpc/Makefile.mk b/src/soc/intel/common/block/lpc/Makefile.mk +index b510cd0ec3..60792654b5 100644 +--- a/src/soc/intel/common/block/lpc/Makefile.mk ++++ b/src/soc/intel/common/block/lpc/Makefile.mk @@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c @@ -76,10 +96,10 @@ index b510cd0ec35..60792654b5a 100644 +smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c +endif 
diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c -index 4bfd17bfd07..dcd74764957 100644 +index 59489a4f03..2a1f26d2eb 100644 --- a/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c -@@ -15,12 +15,14 @@ +@@ -14,12 +14,14 @@ #include #include #include @@ -94,7 +114,7 @@ index 4bfd17bfd07..dcd74764957 100644 #include #include #include -@@ -343,6 +345,14 @@ static void finalize(void) +@@ -345,6 +347,14 @@ static void finalize(void) } finalize_done = 1; @@ -110,7 +130,7 @@ index 4bfd17bfd07..dcd74764957 100644 /* Re-init SPI driver to handle locked BAR */ fast_spi_init(); diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h -index b5aba06fe0e..1b96f41a2a4 100644 +index b5aba06fe0..1b96f41a2a 100644 --- a/src/soc/intel/common/pch/include/intelpch/lockdown.h +++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h @@ -22,4 +22,7 @@ int get_lockdown_config(void); @@ -122,10 +142,10 @@ index b5aba06fe0e..1b96f41a2a4 100644 + #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig -index 8fce5e785c2..fbeb341e9ac 100644 +index 38f60d2056..545185c52f 100644 --- a/src/soc/intel/common/pch/lockdown/Kconfig +++ b/src/soc/intel/common/pch/lockdown/Kconfig -@@ -1,7 +1,22 @@ +@@ -3,7 +3,22 @@ config SOC_INTEL_COMMON_PCH_LOCKDOWN bool default n @@ -138,7 +158,7 @@ index 8fce5e785c2..fbeb341e9ac 100644 +config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM + bool "Lock down SPI controller in SMM" + default n -+ depends on HAVE_SMI_HANDLER ++ depends on HAVE_SMI_HANDLER && !INTEL_CHIPSET_LOCKDOWN + select SPI_FLASH_SMM + help + This option allows to have chipset lockdown for FAST_SPI and LPC for 
@@ -146,13 +166,12 @@ index 8fce5e785c2..fbeb341e9ac 100644 + and LPC controller. The payload or OS is responsible for locking it + using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash + protection. -+ ++ + If unsure, say N. -\ No newline at end of file -diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc -index 71466f8edd1..64aad562acf 100644 ---- a/src/soc/intel/common/pch/lockdown/Makefile.inc -+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc +diff --git a/src/soc/intel/common/pch/lockdown/Makefile.mk b/src/soc/intel/common/pch/lockdown/Makefile.mk +index 71466f8edd..64aad562ac 100644 +--- a/src/soc/intel/common/pch/lockdown/Makefile.mk ++++ b/src/soc/intel/common/pch/lockdown/Makefile.mk @@ -1,2 +1,7 @@ ## SPDX-License-Identifier: GPL-2.0-only ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c @@ -162,10 +181,10 @@ index 71466f8edd1..64aad562acf 100644 +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c -index 1b1d99cc0c9..7e52fb826fe 100644 +index eec3beb01b..2d229e1a90 100644 --- a/src/soc/intel/common/pch/lockdown/lockdown.c +++ b/src/soc/intel/common/pch/lockdown/lockdown.c -@@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) +@@ -60,56 +60,17 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) /* Set FAST_SPI opcode menu */ fast_spi_set_opcode_menu(); 
@@ -184,22 +203,25 @@ index 1b1d99cc0c9..7e52fb826fe 100644 /* Set Vendor Component Lock (VCL) */ fast_spi_vscc0_lock(); -+ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) -+ return; -+ -+ /* Discrete Lock Flash PR registers */ -+ fast_spi_pr_dlock(); -+ -+ /* Lock FAST_SPIBAR */ -+ fast_spi_lock_bar(); -+ - /* Set BIOS Interface Lock, BIOS Lock */ - if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { - /* BIOS Interface Lock */ -@@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) - } - } - +- /* Set BIOS Interface Lock, BIOS Lock */ +- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { +- /* BIOS Interface Lock */ +- fast_spi_set_bios_interface_lock_down(); +- +- /* Only allow writes in SMM */ +- if (CONFIG(BOOTMEDIA_SMM_BWP)) { +- fast_spi_set_eiss(); +- fast_spi_enable_wp(); +- } +- +- /* BIOS Lock */ +- fast_spi_set_lock_enable(); +- +- /* EXT BIOS Lock */ +- fast_spi_set_ext_bios_lock_enable(); +- } +-} +- -static void lpc_lockdown_config(int chipset_lockdown) -{ - /* Set BIOS Interface Lock, BIOS Lock */ @@ -208,7 +230,7 @@ index 1b1d99cc0c9..7e52fb826fe 100644 - lpc_set_bios_interface_lock_down(); - - /* Only allow writes in SMM */ -- if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { +- if (CONFIG(BOOTMEDIA_SMM_BWP)) { - lpc_set_eiss(); - lpc_enable_wp(); - } 
@@ -216,14 +238,26 @@ index 1b1d99cc0c9..7e52fb826fe 100644 - /* BIOS Lock */ - lpc_set_lock_enable(); - } --} -- ++ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ fast_spi_lockdown_bios(chipset_lockdown); + } + static void sa_lockdown_config(int chipset_lockdown) - { - if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA)) +@@ -135,8 +96,9 @@ static void platform_lockdown_config(void *unused) + /* SPI lock down configuration */ + fast_spi_lockdown_cfg(chipset_lockdown); + +- /* LPC/eSPI lock down configuration */ +- lpc_lockdown_config(chipset_lockdown); ++ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ /* LPC/eSPI lock down configuration */ ++ lpc_lockdown_config(chipset_lockdown); + + /* GPMR lock down configuration */ + gpmr_lockdown_cfg(); diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c new file mode 100644 -index 00000000000..69278ea343f +index 0000000000..69278ea343 --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c @@ -0,0 +1,23 @@ @@ -252,10 +286,10 @@ index 00000000000..69278ea343f +} diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c new file mode 100644 -index 00000000000..fa09cec7c2e +index 0000000000..8dbe93013e --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c -@@ -0,0 +1,35 @@ +@@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#include @@ -264,9 +298,6 @@ index 00000000000..fa09cec7c2e + +void fast_spi_lockdown_bios(int chipset_lockdown) +{ -+ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI)) -+ return; -+ + /* Discrete Lock Flash PR registers */ + fast_spi_pr_dlock(); + @@ -292,7 +323,7 @@ index 00000000000..fa09cec7c2e + } +} diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c -index 7ebca1eb946..8d8acf05088 100644 +index 7dc971ea92..c4f7681c62 100644 --- a/src/soc/intel/denverton_ns/lpc.c +++ b/src/soc/intel/denverton_ns/lpc.c 
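Review bot: In the lockdown.c hunk the new call site places a comment between the `if` and its brace-less body, `if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))` / `/* LPC/eSPI lock down configuration */` / `lpc_lockdown_config(chipset_lockdown);`, which reads as if the comment were the guarded statement; move the comment above the condition so it becomes `/* LPC/eSPI lock down configuration */`, `if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))`, `	lpc_lockdown_config(chipset_lockdown);`. The same shape is repeated in the xeon_sp/lockdown.c hunk later in this patch and should be fixed there too. coreboot follows the Linux kernel coding style, so the upstream review will likely ask for this anyway. Both `fast_spi_lockdown_cfg` and `platform_lockdown_config` start and end outside this hunk; only the tail of the former and the `gpmr_lockdown_cfg()` line of the latter are visible here.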
@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { @@ -306,24 +337,25 @@ index 7ebca1eb946..8d8acf05088 100644 BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c -index 275413b4efa..802d02cb596 100644 +index 275413b4ef..fc54710303 100644 --- a/src/soc/intel/elkhartlake/finalize.c +++ b/src/soc/intel/elkhartlake/finalize.c -@@ -43,7 +43,8 @@ static void soc_finalize(void *unused) +@@ -43,7 +43,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) heci_finalize(); diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c -index 6cff7a80f30..1b68cc51786 100644 +index 8788db155d..4840c0c04c 100644 --- a/src/soc/intel/jasperlake/finalize.c +++ b/src/soc/intel/jasperlake/finalize.c -@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) +@@ -76,7 +76,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); @@ -334,21 +366,37 @@ index 6cff7a80f30..1b68cc51786 100644 /* Indicate finalize step with post code */ post_code(POSTCODE_OS_BOOT); diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c -index a977b0516e5..951153fa812 100644 +index 1fd1d98fb5..80802db285 100644 --- a/src/soc/intel/meteorlake/finalize.c 
+++ b/src/soc/intel/meteorlake/finalize.c -@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) +@@ -64,7 +64,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); ++ + tbt_finalize(); + sa_finalize(); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && +diff --git a/src/soc/intel/pantherlake/finalize.c b/src/soc/intel/pantherlake/finalize.c +index 05ec3eaaca..1d47dd7a0b 100644 +--- a/src/soc/intel/pantherlake/finalize.c ++++ b/src/soc/intel/pantherlake/finalize.c +@@ -63,7 +63,9 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); ++ tbt_finalize(); sa_finalize(); if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c -index fd80aeac1a0..a147b62e46f 100644 +index fd80aeac1a..a147b62e46 100644 --- a/src/soc/intel/skylake/finalize.c +++ b/src/soc/intel/skylake/finalize.c @@ -106,7 +106,8 @@ static void soc_finalize(void *unused) @@ -362,21 +410,22 @@ index fd80aeac1a0..a147b62e46f 100644 /* Indicate finalize step with post code */ post_code(POSTCODE_OS_BOOT); diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c -index cd02745a9e6..06ce243fe72 100644 +index cd02745a9e..158b2fb691 100644 --- a/src/soc/intel/tigerlake/finalize.c 
+++ b/src/soc/intel/tigerlake/finalize.c -@@ -55,7 +55,8 @@ static void soc_finalize(void *unused) +@@ -55,7 +55,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); ++ tbt_finalize(); if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) heci1_disable(); diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c -index af630fe8127..8e409b8c439 100644 +index a7b3602744..f0cd8a1998 100644 --- a/src/soc/intel/xeon_sp/finalize.c +++ b/src/soc/intel/xeon_sp/finalize.c @@ -59,7 +59,8 @@ static void soc_finalize(void *unused) @@ -386,6 +435,43 @@ index af630fe8127..8e409b8c439 100644 - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); - lock_pam0123(); if (CONFIG_MAX_SOCKET > 1) { + /* This MSR is package scope but run for all cpus for code simplicity */ +diff --git a/src/soc/intel/xeon_sp/lockdown.c b/src/soc/intel/xeon_sp/lockdown.c +index a3d17b46c3..51a5cf5431 100644 +--- a/src/soc/intel/xeon_sp/lockdown.c ++++ b/src/soc/intel/xeon_sp/lockdown.c +@@ -6,25 +6,15 @@ + #include + #include + +-static void lpc_lockdown_config(void) +-{ +- /* Set BIOS Interface Lock, BIOS Lock */ +- lpc_set_bios_interface_lock_down(); +- +- /* Only allow writes in SMM */ +- if (CONFIG(BOOTMEDIA_SMM_BWP)) { +- lpc_set_eiss(); +- lpc_enable_wp(); +- } +- lpc_set_lock_enable(); +-} +- + void soc_lockdown_config(int chipset_lockdown) + { + if (chipset_lockdown == CHIPSET_LOCKDOWN_FSP) + return; + +- lpc_lockdown_config(); ++ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ /* LPC/eSPI lock down configuration */ ++ lpc_lockdown_config(chipset_lockdown); ++ + pmc_lockdown_config(); + sata_lockdown_config(chipset_lockdown); + spi_lockdown_config(chipset_lockdown); +-- +2.39.5 + 
From 43b03fbe6000ade1b0a461369b7129b25bbd7421 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 28 Nov 2024 13:24:02 -0500 Subject: [PATCH 09/10] Revert "coreboot dasharo fork patch: bump patchset to upstream reviewed" This reverts commit f5fdf9a97e2d730fbaf888b33e730f51fdbdf4ed. Unfortunately, patch doesn't apply to dasharo current fork pointed under modules/coreboot Waiting for Dasharo to provide a patch updated to heads used fork/dasahro bumping to newer coreboot version for which patchset applies clealy Signed-off-by: Thierry Laurion --- ...002-pr0_chipset_locking-post_skylake.patch | 248 ++++++------------ 1 file changed, 81 insertions(+), 167 deletions(-) diff --git a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch index c8e4cd25..768dfc16 100644 --- a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch +++ b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch @@ -1,63 +1,44 @@ -From f9f309190246c66e92db5408c183dd8b617987f3 Mon Sep 17 00:00:00 2001 +From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= -Date: Sat, 23 Nov 2024 22:43:10 +0100 +Date: Sun, 20 Oct 2024 13:15:19 +0200 Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI -controller with PR0 flash protection for pre-Skylake platforms. +Heads payload uses APM_CNT_FINALIZE SMI to set and lock down +the SPI controller with PR0 flash protection. Add new option +to skip LPC and FAST SPI lock down in coreboot and move it +to APM_CNT_FINALIZE SMI handler. -Add new option to skip LPC and FAST SPI lock down in coreboot and move -it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN -option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path, -like it was done on pre-Skylake platforms. As the locking on modern -SOCs became more complicated, separate the SPI and LPC locking into -new modules to make linking to SMM easier. - -The expected configuration to leverage the feautre is to unselect -INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM. - -Testing various microarchitectures happens on heads repository: -https://github.com/linuxboot/heads/pull/1818 - -TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake -(Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check -if flash is unlocked in the heads recovery console. Check if flash is -locked in the kexec'ed OS. - -Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838 
Signed-off-by: Michał Żygowski --- - src/soc/intel/alderlake/finalize.c | 4 +- - src/soc/intel/cannonlake/finalize.c | 4 +- - src/soc/intel/common/block/lpc/Makefile.mk | 4 ++ - src/soc/intel/common/block/smm/smihandler.c | 10 ++++ + src/soc/intel/alderlake/finalize.c | 4 ++- + src/soc/intel/cannonlake/finalize.c | 3 +- + src/soc/intel/common/block/lpc/Makefile.inc | 4 +++ + src/soc/intel/common/block/smm/smihandler.c | 10 ++++++ .../common/pch/include/intelpch/lockdown.h | 3 ++ - src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++ - src/soc/intel/common/pch/lockdown/Makefile.mk | 5 ++ - src/soc/intel/common/pch/lockdown/lockdown.c | 48 ++----------------- - .../intel/common/pch/lockdown/lockdown_lpc.c | 23 +++++++++ - .../intel/common/pch/lockdown/lockdown_spi.c | 32 +++++++++++++ + src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++ + .../intel/common/pch/lockdown/Makefile.inc | 5 +++ + src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------ + .../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++ + .../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++ src/soc/intel/denverton_ns/lpc.c | 3 +- - src/soc/intel/elkhartlake/finalize.c | 4 +- + src/soc/intel/elkhartlake/finalize.c | 3 +- src/soc/intel/jasperlake/finalize.c | 3 +- - src/soc/intel/meteorlake/finalize.c | 4 +- - src/soc/intel/pantherlake/finalize.c | 4 +- + src/soc/intel/meteorlake/finalize.c | 3 +- src/soc/intel/skylake/finalize.c | 3 +- - src/soc/intel/tigerlake/finalize.c | 4 +- + src/soc/intel/tigerlake/finalize.c | 3 +- src/soc/intel/xeon_sp/finalize.c | 3 +- - src/soc/intel/xeon_sp/lockdown.c | 18 ++----- - 19 files changed, 127 insertions(+), 67 deletions(-) + 17 files changed, 123 insertions(+), 33 deletions(-) create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c 
diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c -index 700fde977b..615729d3dd 100644 +index 460c8af174e..9cd9351d96a 100644 --- a/src/soc/intel/alderlake/finalize.c +++ b/src/soc/intel/alderlake/finalize.c -@@ -85,7 +85,9 @@ static void soc_finalize(void *unused) +@@ -84,7 +84,9 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); @@ -69,24 +50,23 @@ index 700fde977b..615729d3dd 100644 if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c -index 974794bd97..461ba3a884 100644 +index ba7fc69b552..b5f727e97c7 100644 --- a/src/soc/intel/cannonlake/finalize.c +++ b/src/soc/intel/cannonlake/finalize.c -@@ -87,7 +87,9 @@ static void soc_finalize(void *unused) +@@ -87,7 +87,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); -+ if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) heci1_disable(); -diff --git a/src/soc/intel/common/block/lpc/Makefile.mk b/src/soc/intel/common/block/lpc/Makefile.mk -index b510cd0ec3..60792654b5 100644 ---- a/src/soc/intel/common/block/lpc/Makefile.mk -+++ b/src/soc/intel/common/block/lpc/Makefile.mk +diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc +index b510cd0ec35..60792654b5a 100644 +--- a/src/soc/intel/common/block/lpc/Makefile.inc ++++ b/src/soc/intel/common/block/lpc/Makefile.inc @@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c @@ -96,10 +76,10 @@ index b510cd0ec3..60792654b5 100644 +smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c +endif 
diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c -index 59489a4f03..2a1f26d2eb 100644 +index 4bfd17bfd07..dcd74764957 100644 --- a/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c -@@ -14,12 +14,14 @@ +@@ -15,12 +15,14 @@ #include #include #include @@ -114,7 +94,7 @@ index 59489a4f03..2a1f26d2eb 100644 #include #include #include -@@ -345,6 +347,14 @@ static void finalize(void) +@@ -343,6 +345,14 @@ static void finalize(void) } finalize_done = 1; @@ -130,7 +110,7 @@ index 59489a4f03..2a1f26d2eb 100644 /* Re-init SPI driver to handle locked BAR */ fast_spi_init(); diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h -index b5aba06fe0..1b96f41a2a 100644 +index b5aba06fe0e..1b96f41a2a4 100644 --- a/src/soc/intel/common/pch/include/intelpch/lockdown.h +++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h @@ -22,4 +22,7 @@ int get_lockdown_config(void); @@ -142,10 +122,10 @@ index b5aba06fe0..1b96f41a2a 100644 + #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig -index 38f60d2056..545185c52f 100644 +index 8fce5e785c2..fbeb341e9ac 100644 --- a/src/soc/intel/common/pch/lockdown/Kconfig +++ b/src/soc/intel/common/pch/lockdown/Kconfig -@@ -3,7 +3,22 @@ +@@ -1,7 +1,22 @@ config SOC_INTEL_COMMON_PCH_LOCKDOWN bool default n @@ -158,7 +138,7 @@ index 38f60d2056..545185c52f 100644 +config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM + bool "Lock down SPI controller in SMM" + default n -+ depends on HAVE_SMI_HANDLER && !INTEL_CHIPSET_LOCKDOWN ++ depends on HAVE_SMI_HANDLER + select SPI_FLASH_SMM + help + This option allows to have chipset lockdown for FAST_SPI and LPC for 
@@ -166,12 +146,13 @@ index 38f60d2056..545185c52f 100644 + and LPC controller. The payload or OS is responsible for locking it + using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash + protection. -+ ++ + If unsure, say N. -diff --git a/src/soc/intel/common/pch/lockdown/Makefile.mk b/src/soc/intel/common/pch/lockdown/Makefile.mk -index 71466f8edd..64aad562ac 100644 ---- a/src/soc/intel/common/pch/lockdown/Makefile.mk -+++ b/src/soc/intel/common/pch/lockdown/Makefile.mk +\ No newline at end of file +diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc +index 71466f8edd1..64aad562acf 100644 +--- a/src/soc/intel/common/pch/lockdown/Makefile.inc ++++ b/src/soc/intel/common/pch/lockdown/Makefile.inc @@ -1,2 +1,7 @@ ## SPDX-License-Identifier: GPL-2.0-only ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c @@ -181,10 +162,10 @@ index 71466f8edd..64aad562ac 100644 +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c -index eec3beb01b..2d229e1a90 100644 +index 1b1d99cc0c9..7e52fb826fe 100644 --- a/src/soc/intel/common/pch/lockdown/lockdown.c +++ b/src/soc/intel/common/pch/lockdown/lockdown.c -@@ -60,56 +60,17 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) +@@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) /* Set FAST_SPI opcode menu */ fast_spi_set_opcode_menu(); 
@@ -203,25 +184,22 @@ index eec3beb01b..2d229e1a90 100644 /* Set Vendor Component Lock (VCL) */ fast_spi_vscc0_lock(); -- /* Set BIOS Interface Lock, BIOS Lock */ -- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { -- /* BIOS Interface Lock */ -- fast_spi_set_bios_interface_lock_down(); -- -- /* Only allow writes in SMM */ -- if (CONFIG(BOOTMEDIA_SMM_BWP)) { -- fast_spi_set_eiss(); -- fast_spi_enable_wp(); -- } -- -- /* BIOS Lock */ -- fast_spi_set_lock_enable(); -- -- /* EXT BIOS Lock */ -- fast_spi_set_ext_bios_lock_enable(); -- } --} -- ++ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ return; ++ ++ /* Discrete Lock Flash PR registers */ ++ fast_spi_pr_dlock(); ++ ++ /* Lock FAST_SPIBAR */ ++ fast_spi_lock_bar(); ++ + /* Set BIOS Interface Lock, BIOS Lock */ + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + /* BIOS Interface Lock */ +@@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) + } + } + -static void lpc_lockdown_config(int chipset_lockdown) -{ - /* Set BIOS Interface Lock, BIOS Lock */ @@ -230,7 +208,7 @@ index eec3beb01b..2d229e1a90 100644 - lpc_set_bios_interface_lock_down(); - - /* Only allow writes in SMM */ -- if (CONFIG(BOOTMEDIA_SMM_BWP)) { +- if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { - lpc_set_eiss(); - lpc_enable_wp(); - } 
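Review bot: The early return added to `fast_spi_lockdown_cfg()`, `if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) return;`, skips `fast_spi_pr_dlock()`, `fast_spi_lock_bar()` and the whole BIOS interface lock / BIOS lock section that follows it, but carries no comment saying where those locks are now expected to happen. Read in lockdown.c alone it looks as though the option disables the locks outright, when the intent visible in the rest of the patch is a hand-off to the SMM finalize handler that the payload must trigger. A comment on the return such as `/* PR DLOCK, BAR lock and BIOS lock are deferred to fast_spi_lockdown_bios() in SMM and applied on APM_CNT_FINALIZE from the payload; the controller stays writable until then. */` makes both the trust hand-off and its fail-open window explicit to the next maintainer. The enclosing function starts in the previous hunk, and of the calls visible here only the opcode menu and VCL lock run before this return.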
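Review bot: The rebase changes the line this patch removes from the ramstage `lpc_lockdown_config()` to `if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) {`, which shows the base tree now gates EISS and write protection on `is_smm_bwp_permitted()`, yet the relocated copy of that function in `lockdown_lpc.c` is left untouched (its blob id `69278ea343` is the same on both sides of this diff), so the SMM-side copy presumably still carries the bare `CONFIG(BOOTMEDIA_SMM_BWP)` test. The moved code thus diverges from the code it replaces on exactly the check that decides whether SMM-only flash writes are enforced. Give the copy in `lockdown_lpc.c` the same `&& is_smm_bwp_permitted()` condition, or, if that helper is not available in SMM, leave a comment there recording why the SMM path omits it; the fast_spi copy in `lockdown_spi.c` deserves the same check, as its BWP line is not visible in this diff.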
@@ -238,26 +216,14 @@ index eec3beb01b..2d229e1a90 100644 - /* BIOS Lock */ - lpc_set_lock_enable(); - } -+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) -+ fast_spi_lockdown_bios(chipset_lockdown); - } - +-} +- static void sa_lockdown_config(int chipset_lockdown) -@@ -135,8 +96,9 @@ static void platform_lockdown_config(void *unused) - /* SPI lock down configuration */ - fast_spi_lockdown_cfg(chipset_lockdown); - -- /* LPC/eSPI lock down configuration */ -- lpc_lockdown_config(chipset_lockdown); -+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) -+ /* LPC/eSPI lock down configuration */ -+ lpc_lockdown_config(chipset_lockdown); - - /* GPMR lock down configuration */ - gpmr_lockdown_cfg(); + { + if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA)) diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c new file mode 100644 -index 0000000000..69278ea343 +index 00000000000..69278ea343f --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c @@ -0,0 +1,23 @@ @@ -286,10 +252,10 @@ index 0000000000..69278ea343 +} diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c new file mode 100644 -index 0000000000..8dbe93013e +index 00000000000..fa09cec7c2e --- /dev/null +++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c -@@ -0,0 +1,32 @@ +@@ -0,0 +1,35 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ + +#include @@ -298,6 +264,9 @@ index 0000000000..8dbe93013e + +void fast_spi_lockdown_bios(int chipset_lockdown) +{ ++ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI)) ++ return; ++ + /* Discrete Lock Flash PR registers */ + fast_spi_pr_dlock(); + @@ -323,7 +292,7 @@ index 0000000000..8dbe93013e + } +} diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c -index 7dc971ea92..c4f7681c62 100644 +index 7ebca1eb946..8d8acf05088 100644 --- a/src/soc/intel/denverton_ns/lpc.c +++ b/src/soc/intel/denverton_ns/lpc.c 
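Review bot: This hunk drops the `if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))` guard the previous version placed around `lpc_lockdown_config(chipset_lockdown);` in `platform_lockdown_config()`, while the new version of the patch still deletes the ramstage `lpc_lockdown_config()` body from lockdown.c and leaves `lockdown_lpc.c` unchanged, so unless the base tree guards that call elsewhere the LPC BIOS interface lock and BIOS lock enable are now applied in ramstage even when the option says they are deferred to SMM. That contradicts the help text in this same patch, which promises deferred lockdown for both FAST_SPI and LPC, and is asymmetric with the early return the patch adds to `fast_spi_lockdown_cfg()`. Keep the guard at the ramstage call site, `if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) lpc_lockdown_config(chipset_lockdown);`, because `lockdown_lpc.c` is also built for SMM (per the `smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)` Makefile line) and cannot carry a config-only early return without disabling the SMM path as well. `platform_lockdown_config()` itself is outside this hunk on the new side.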
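Review bot: The guard added at the top of `fast_spi_lockdown_bios()`, `if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI)) return;`, turns a build configuration mismatch into a silent no-op inside the SMM finalize path, so a finalize SMI would complete without having locked anything and nothing in the log would say so. A lockdown routine should fail loudly or be excluded at configuration time rather than quietly skip its work; since the presence of the FAST_SPI block is known at build time, prefer `depends on SOC_INTEL_COMMON_BLOCK_FAST_SPI` on SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM, or at least a `printk(BIOS_ERR, ...)` before the return. The rest of the function is outside this hunk.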
@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { @@ -337,25 +306,24 @@ index 7dc971ea92..c4f7681c62 100644 BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c -index 275413b4ef..fc54710303 100644 +index 275413b4efa..802d02cb596 100644 --- a/src/soc/intel/elkhartlake/finalize.c +++ b/src/soc/intel/elkhartlake/finalize.c -@@ -43,7 +43,9 @@ static void soc_finalize(void *unused) +@@ -43,7 +43,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); -+ if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) heci_finalize(); diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c -index 8788db155d..4840c0c04c 100644 +index 6cff7a80f30..1b68cc51786 100644 --- a/src/soc/intel/jasperlake/finalize.c +++ b/src/soc/intel/jasperlake/finalize.c -@@ -76,7 +76,8 @@ static void soc_finalize(void *unused) +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); @@ -366,37 +334,21 @@ index 8788db155d..4840c0c04c 100644 /* Indicate finalize step with post code */ post_code(POSTCODE_OS_BOOT); diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c -index 1fd1d98fb5..80802db285 100644 +index a977b0516e5..951153fa812 100644 --- a/src/soc/intel/meteorlake/finalize.c 
+++ b/src/soc/intel/meteorlake/finalize.c -@@ -64,7 +64,9 @@ static void soc_finalize(void *unused) +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); -+ - tbt_finalize(); - sa_finalize(); - if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && -diff --git a/src/soc/intel/pantherlake/finalize.c b/src/soc/intel/pantherlake/finalize.c -index 05ec3eaaca..1d47dd7a0b 100644 ---- a/src/soc/intel/pantherlake/finalize.c -+++ b/src/soc/intel/pantherlake/finalize.c -@@ -63,7 +63,9 @@ static void soc_finalize(void *unused) - printk(BIOS_DEBUG, "Finalizing chipset.\n"); - - pch_finalize(); -- apm_control(APM_CNT_FINALIZE); -+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) -+ apm_control(APM_CNT_FINALIZE); -+ tbt_finalize(); sa_finalize(); if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c -index fd80aeac1a..a147b62e46 100644 +index fd80aeac1a0..a147b62e46f 100644 --- a/src/soc/intel/skylake/finalize.c +++ b/src/soc/intel/skylake/finalize.c @@ -106,7 +106,8 @@ static void soc_finalize(void *unused) @@ -410,22 +362,21 @@ index fd80aeac1a..a147b62e46 100644 /* Indicate finalize step with post code */ post_code(POSTCODE_OS_BOOT); diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c -index cd02745a9e..158b2fb691 100644 +index cd02745a9e6..06ce243fe72 100644 --- a/src/soc/intel/tigerlake/finalize.c 
+++ b/src/soc/intel/tigerlake/finalize.c -@@ -55,7 +55,9 @@ static void soc_finalize(void *unused) +@@ -55,7 +55,8 @@ static void soc_finalize(void *unused) printk(BIOS_DEBUG, "Finalizing chipset.\n"); pch_finalize(); - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); -+ tbt_finalize(); if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) heci1_disable(); diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c -index a7b3602744..f0cd8a1998 100644 +index af630fe8127..8e409b8c439 100644 --- a/src/soc/intel/xeon_sp/finalize.c +++ b/src/soc/intel/xeon_sp/finalize.c @@ -59,7 +59,8 @@ static void soc_finalize(void *unused) @@ -435,43 +386,6 @@ index a7b3602744..f0cd8a1998 100644 - apm_control(APM_CNT_FINALIZE); + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + apm_control(APM_CNT_FINALIZE); + lock_pam0123(); if (CONFIG_MAX_SOCKET > 1) { - /* This MSR is package scope but run for all cpus for code simplicity */ -diff --git a/src/soc/intel/xeon_sp/lockdown.c b/src/soc/intel/xeon_sp/lockdown.c -index a3d17b46c3..51a5cf5431 100644 ---- a/src/soc/intel/xeon_sp/lockdown.c -+++ b/src/soc/intel/xeon_sp/lockdown.c -@@ -6,25 +6,15 @@ - #include - #include - --static void lpc_lockdown_config(void) --{ -- /* Set BIOS Interface Lock, BIOS Lock */ -- lpc_set_bios_interface_lock_down(); -- -- /* Only allow writes in SMM */ -- if (CONFIG(BOOTMEDIA_SMM_BWP)) { -- lpc_set_eiss(); -- lpc_enable_wp(); -- } -- lpc_set_lock_enable(); --} -- - void soc_lockdown_config(int chipset_lockdown) - { - if (chipset_lockdown == CHIPSET_LOCKDOWN_FSP) - return; - -- lpc_lockdown_config(); -+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) -+ /* LPC/eSPI lock down configuration */ -+ lpc_lockdown_config(chipset_lockdown); -+ - pmc_lockdown_config(); - sata_lockdown_config(chipset_lockdown); - spi_lockdown_config(chipset_lockdown); --- -2.39.5 - 
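Review bot: Dropping the `src/soc/intel/xeon_sp/lockdown.c` section leaves xeon_sp half converted: its `soc_finalize()` hunk on the new side still gates `apm_control(APM_CNT_FINALIZE)` on `CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()`, so on a cold boot without INTEL_CHIPSET_LOCKDOWN the SoC no longer sends the finalize SMI, while `soc_lockdown_config()` keeps whatever LPC lockdown the base tree has (unconditional, if it still matches the context of the removed hunk). If xeon_sp is simply not a target of SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM, say so where the option is defined, with a `depends on` excluding the xeon_sp SoC symbol or a sentence in the help text, rather than applying the finalize.c change there with nothing on the SMM side; if it is a target, the removed hunk has to come back in a form that matches the base tree. The reason for dropping this section is not stated in the visible part of this commit, and both `soc_finalize()` and `soc_lockdown_config()` extend outside the hunk.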
From f8b03b30878debd3e3dfd8c8365ea245ccedc8c2 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 29 Nov 2024 11:17:02 -0500 Subject: [PATCH 10/10] nitropad-ns50: remove PR0 until tested and readded in seperate PR Signed-off-by: Thierry Laurion --- boards/nitropad-ns50/nitropad-ns50.config | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config index c0eccb69..ffcb9457 100644 --- a/boards/nitropad-ns50/nitropad-ns50.config +++ b/boards/nitropad-ns50/nitropad-ns50.config @@ -30,9 +30,10 @@ CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y +#TODO: readd when tested #platform locking finalization (PR0) -CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING=y +#CONFIG_IO386=y +#export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support