coreboot dasharo fork patch: bump patchset to upstream reviewed

repro:
git fetch https://review.coreboot.org/coreboot refs/changes/78/85278/3 && git format-patch -1 --stdout FETCH_HEAD > patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-11-28 11:51:46 -05:00
parent ef0b70a89a
commit f5fdf9a97e
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461


@ -1,44 +1,63 @@
From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001 From f9f309190246c66e92db5408c183dd8b617987f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= <michal.zygowski@3mdeb.com> From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= <michal.zygowski@3mdeb.com>
Date: Sun, 20 Oct 2024 13:15:19 +0200 Date: Sat, 23 Nov 2024 22:43:10 +0100
Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM
MIME-Version: 1.0 MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit Content-Transfer-Encoding: 8bit
Heads payload uses APM_CNT_FINALIZE SMI to set and lock down Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI
the SPI controller with PR0 flash protection. Add new option controller with PR0 flash protection for pre-Skylake platforms.
to skip LPC and FAST SPI lock down in coreboot and move it
to APM_CNT_FINALIZE SMI handler.
Add new option to skip LPC and FAST SPI lock down in coreboot and move
it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN
option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path,
like it was done on pre-Skylake platforms. As the locking on modern
SOCs became more complicated, separate the SPI and LPC locking into
new modules to make linking to SMM easier.
The expected configuration to leverage the feautre is to unselect
INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM.
Testing various microarchitectures happens on heads repository:
https://github.com/linuxboot/heads/pull/1818
TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake
(Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check
if flash is unlocked in the heads recovery console. Check if flash is
locked in the kexec'ed OS.
Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com> Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
--- ---
src/soc/intel/alderlake/finalize.c | 4 ++- src/soc/intel/alderlake/finalize.c | 4 +-
src/soc/intel/cannonlake/finalize.c | 3 +- src/soc/intel/cannonlake/finalize.c | 4 +-
src/soc/intel/common/block/lpc/Makefile.inc | 4 +++ src/soc/intel/common/block/lpc/Makefile.mk | 4 ++
src/soc/intel/common/block/smm/smihandler.c | 10 ++++++ src/soc/intel/common/block/smm/smihandler.c | 10 ++++
.../common/pch/include/intelpch/lockdown.h | 3 ++ .../common/pch/include/intelpch/lockdown.h | 3 ++
src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++ src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++
.../intel/common/pch/lockdown/Makefile.inc | 5 +++ src/soc/intel/common/pch/lockdown/Makefile.mk | 5 ++
src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------ src/soc/intel/common/pch/lockdown/lockdown.c | 48 ++-----------------
.../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++ .../intel/common/pch/lockdown/lockdown_lpc.c | 23 +++++++++
.../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++ .../intel/common/pch/lockdown/lockdown_spi.c | 32 +++++++++++++
src/soc/intel/denverton_ns/lpc.c | 3 +- src/soc/intel/denverton_ns/lpc.c | 3 +-
src/soc/intel/elkhartlake/finalize.c | 3 +- src/soc/intel/elkhartlake/finalize.c | 4 +-
src/soc/intel/jasperlake/finalize.c | 3 +- src/soc/intel/jasperlake/finalize.c | 3 +-
src/soc/intel/meteorlake/finalize.c | 3 +- src/soc/intel/meteorlake/finalize.c | 4 +-
src/soc/intel/pantherlake/finalize.c | 4 +-
src/soc/intel/skylake/finalize.c | 3 +- src/soc/intel/skylake/finalize.c | 3 +-
src/soc/intel/tigerlake/finalize.c | 3 +- src/soc/intel/tigerlake/finalize.c | 4 +-
src/soc/intel/xeon_sp/finalize.c | 3 +- src/soc/intel/xeon_sp/finalize.c | 3 +-
17 files changed, 123 insertions(+), 33 deletions(-) src/soc/intel/xeon_sp/lockdown.c | 18 ++-----
19 files changed, 127 insertions(+), 67 deletions(-)
create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c
create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c
diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c
index 460c8af174e..9cd9351d96a 100644 index 700fde977b..615729d3dd 100644
--- a/src/soc/intel/alderlake/finalize.c --- a/src/soc/intel/alderlake/finalize.c
+++ b/src/soc/intel/alderlake/finalize.c +++ b/src/soc/intel/alderlake/finalize.c
@@ -84,7 +84,9 @@ static void soc_finalize(void *unused) @@ -85,7 +85,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
@ -50,23 +69,24 @@ index 460c8af174e..9cd9351d96a 100644
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE))
diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c
index ba7fc69b552..b5f727e97c7 100644 index 974794bd97..461ba3a884 100644
--- a/src/soc/intel/cannonlake/finalize.c --- a/src/soc/intel/cannonlake/finalize.c
+++ b/src/soc/intel/cannonlake/finalize.c +++ b/src/soc/intel/cannonlake/finalize.c
@@ -87,7 +87,8 @@ static void soc_finalize(void *unused) @@ -87,7 +87,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) &&
CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC))
heci1_disable(); heci1_disable();
diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc diff --git a/src/soc/intel/common/block/lpc/Makefile.mk b/src/soc/intel/common/block/lpc/Makefile.mk
index b510cd0ec35..60792654b5a 100644 index b510cd0ec3..60792654b5 100644
--- a/src/soc/intel/common/block/lpc/Makefile.inc --- a/src/soc/intel/common/block/lpc/Makefile.mk
+++ b/src/soc/intel/common/block/lpc/Makefile.inc +++ b/src/soc/intel/common/block/lpc/Makefile.mk
@@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c @@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
@ -76,10 +96,10 @@ index b510cd0ec35..60792654b5a 100644
+smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c +smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c
+endif +endif
diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c
index 4bfd17bfd07..dcd74764957 100644 index 59489a4f03..2a1f26d2eb 100644
--- a/src/soc/intel/common/block/smm/smihandler.c --- a/src/soc/intel/common/block/smm/smihandler.c
+++ b/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c
@@ -15,12 +15,14 @@ @@ -14,12 +14,14 @@
#include <device/pci_def.h> #include <device/pci_def.h>
#include <device/pci_ops.h> #include <device/pci_ops.h>
#include <elog.h> #include <elog.h>
@ -94,7 +114,7 @@ index 4bfd17bfd07..dcd74764957 100644
#include <smmstore.h> #include <smmstore.h>
#include <soc/nvs.h> #include <soc/nvs.h>
#include <soc/pci_devs.h> #include <soc/pci_devs.h>
@@ -343,6 +345,14 @@ static void finalize(void) @@ -345,6 +347,14 @@ static void finalize(void)
} }
finalize_done = 1; finalize_done = 1;
@ -110,7 +130,7 @@ index 4bfd17bfd07..dcd74764957 100644
/* Re-init SPI driver to handle locked BAR */ /* Re-init SPI driver to handle locked BAR */
fast_spi_init(); fast_spi_init();
diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h
index b5aba06fe0e..1b96f41a2a4 100644 index b5aba06fe0..1b96f41a2a 100644
--- a/src/soc/intel/common/pch/include/intelpch/lockdown.h --- a/src/soc/intel/common/pch/include/intelpch/lockdown.h
+++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h +++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h
@@ -22,4 +22,7 @@ int get_lockdown_config(void); @@ -22,4 +22,7 @@ int get_lockdown_config(void);
@ -122,10 +142,10 @@ index b5aba06fe0e..1b96f41a2a4 100644
+ +
#endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */
diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig
index 8fce5e785c2..fbeb341e9ac 100644 index 38f60d2056..545185c52f 100644
--- a/src/soc/intel/common/pch/lockdown/Kconfig --- a/src/soc/intel/common/pch/lockdown/Kconfig
+++ b/src/soc/intel/common/pch/lockdown/Kconfig +++ b/src/soc/intel/common/pch/lockdown/Kconfig
@@ -1,7 +1,22 @@ @@ -3,7 +3,22 @@
config SOC_INTEL_COMMON_PCH_LOCKDOWN config SOC_INTEL_COMMON_PCH_LOCKDOWN
bool bool
default n default n
@ -138,7 +158,7 @@ index 8fce5e785c2..fbeb341e9ac 100644
+config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM +config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM
+ bool "Lock down SPI controller in SMM" + bool "Lock down SPI controller in SMM"
+ default n + default n
+ depends on HAVE_SMI_HANDLER + depends on HAVE_SMI_HANDLER && !INTEL_CHIPSET_LOCKDOWN
+ select SPI_FLASH_SMM + select SPI_FLASH_SMM
+ help + help
+ This option allows to have chipset lockdown for FAST_SPI and LPC for + This option allows to have chipset lockdown for FAST_SPI and LPC for
@ -148,11 +168,10 @@ index 8fce5e785c2..fbeb341e9ac 100644
+ protection. + protection.
+ +
+ If unsure, say N. + If unsure, say N.
\ No newline at end of file diff --git a/src/soc/intel/common/pch/lockdown/Makefile.mk b/src/soc/intel/common/pch/lockdown/Makefile.mk
diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc index 71466f8edd..64aad562ac 100644
index 71466f8edd1..64aad562acf 100644 --- a/src/soc/intel/common/pch/lockdown/Makefile.mk
--- a/src/soc/intel/common/pch/lockdown/Makefile.inc +++ b/src/soc/intel/common/pch/lockdown/Makefile.mk
+++ b/src/soc/intel/common/pch/lockdown/Makefile.inc
@@ -1,2 +1,7 @@ @@ -1,2 +1,7 @@
## SPDX-License-Identifier: GPL-2.0-only ## SPDX-License-Identifier: GPL-2.0-only
ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c
@ -162,10 +181,10 @@ index 71466f8edd1..64aad562acf 100644
+smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c
+smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c +smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c
diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c
index 1b1d99cc0c9..7e52fb826fe 100644 index eec3beb01b..2d229e1a90 100644
--- a/src/soc/intel/common/pch/lockdown/lockdown.c --- a/src/soc/intel/common/pch/lockdown/lockdown.c
+++ b/src/soc/intel/common/pch/lockdown/lockdown.c +++ b/src/soc/intel/common/pch/lockdown/lockdown.c
@@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) @@ -60,56 +60,17 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown)
/* Set FAST_SPI opcode menu */ /* Set FAST_SPI opcode menu */
fast_spi_set_opcode_menu(); fast_spi_set_opcode_menu();
@ -184,22 +203,25 @@ index 1b1d99cc0c9..7e52fb826fe 100644
/* Set Vendor Component Lock (VCL) */ /* Set Vendor Component Lock (VCL) */
fast_spi_vscc0_lock(); fast_spi_vscc0_lock();
+ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) - /* Set BIOS Interface Lock, BIOS Lock */
+ return; - if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+ - /* BIOS Interface Lock */
+ /* Discrete Lock Flash PR registers */ - fast_spi_set_bios_interface_lock_down();
+ fast_spi_pr_dlock(); -
+ - /* Only allow writes in SMM */
+ /* Lock FAST_SPIBAR */ - if (CONFIG(BOOTMEDIA_SMM_BWP)) {
+ fast_spi_lock_bar(); - fast_spi_set_eiss();
+ - fast_spi_enable_wp();
/* Set BIOS Interface Lock, BIOS Lock */ - }
if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { -
/* BIOS Interface Lock */ - /* BIOS Lock */
@@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) - fast_spi_set_lock_enable();
} -
} - /* EXT BIOS Lock */
- fast_spi_set_ext_bios_lock_enable();
- }
-}
-
-static void lpc_lockdown_config(int chipset_lockdown) -static void lpc_lockdown_config(int chipset_lockdown)
-{ -{
- /* Set BIOS Interface Lock, BIOS Lock */ - /* Set BIOS Interface Lock, BIOS Lock */
@ -208,7 +230,7 @@ index 1b1d99cc0c9..7e52fb826fe 100644
- lpc_set_bios_interface_lock_down(); - lpc_set_bios_interface_lock_down();
- -
- /* Only allow writes in SMM */ - /* Only allow writes in SMM */
- if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { - if (CONFIG(BOOTMEDIA_SMM_BWP)) {
- lpc_set_eiss(); - lpc_set_eiss();
- lpc_enable_wp(); - lpc_enable_wp();
- } - }
@ -216,14 +238,26 @@ index 1b1d99cc0c9..7e52fb826fe 100644
- /* BIOS Lock */ - /* BIOS Lock */
- lpc_set_lock_enable(); - lpc_set_lock_enable();
- } - }
-} + if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
- + fast_spi_lockdown_bios(chipset_lockdown);
}
static void sa_lockdown_config(int chipset_lockdown) static void sa_lockdown_config(int chipset_lockdown)
{ @@ -135,8 +96,9 @@ static void platform_lockdown_config(void *unused)
if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA)) /* SPI lock down configuration */
fast_spi_lockdown_cfg(chipset_lockdown);
- /* LPC/eSPI lock down configuration */
- lpc_lockdown_config(chipset_lockdown);
+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
+ /* LPC/eSPI lock down configuration */
+ lpc_lockdown_config(chipset_lockdown);
/* GPMR lock down configuration */
gpmr_lockdown_cfg();
diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c
new file mode 100644 new file mode 100644
index 00000000000..69278ea343f index 0000000000..69278ea343
--- /dev/null --- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
@ -252,10 +286,10 @@ index 00000000000..69278ea343f
+} +}
diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c
new file mode 100644 new file mode 100644
index 00000000000..fa09cec7c2e index 0000000000..8dbe93013e
--- /dev/null --- /dev/null
+++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c
@@ -0,0 +1,35 @@ @@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0-only */ +/* SPDX-License-Identifier: GPL-2.0-only */
+ +
+#include <intelblocks/cfg.h> +#include <intelblocks/cfg.h>
@ -264,9 +298,6 @@ index 00000000000..fa09cec7c2e
+ +
+void fast_spi_lockdown_bios(int chipset_lockdown) +void fast_spi_lockdown_bios(int chipset_lockdown)
+{ +{
+ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI))
+ return;
+
+ /* Discrete Lock Flash PR registers */ + /* Discrete Lock Flash PR registers */
+ fast_spi_pr_dlock(); + fast_spi_pr_dlock();
+ +
@ -292,7 +323,7 @@ index 00000000000..fa09cec7c2e
+ } + }
+} +}
diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c
index 7ebca1eb946..8d8acf05088 100644 index 7dc971ea92..c4f7681c62 100644
--- a/src/soc/intel/denverton_ns/lpc.c --- a/src/soc/intel/denverton_ns/lpc.c
+++ b/src/soc/intel/denverton_ns/lpc.c +++ b/src/soc/intel/denverton_ns/lpc.c
@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { @@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = {
@ -306,24 +337,25 @@ index 7ebca1eb946..8d8acf05088 100644
BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL);
diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c
index 275413b4efa..802d02cb596 100644 index 275413b4ef..fc54710303 100644
--- a/src/soc/intel/elkhartlake/finalize.c --- a/src/soc/intel/elkhartlake/finalize.c
+++ b/src/soc/intel/elkhartlake/finalize.c +++ b/src/soc/intel/elkhartlake/finalize.c
@@ -43,7 +43,8 @@ static void soc_finalize(void *unused) @@ -43,7 +43,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE))
heci_finalize(); heci_finalize();
diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c
index 6cff7a80f30..1b68cc51786 100644 index 8788db155d..4840c0c04c 100644
--- a/src/soc/intel/jasperlake/finalize.c --- a/src/soc/intel/jasperlake/finalize.c
+++ b/src/soc/intel/jasperlake/finalize.c +++ b/src/soc/intel/jasperlake/finalize.c
@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) @@ -76,7 +76,8 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
@ -334,21 +366,37 @@ index 6cff7a80f30..1b68cc51786 100644
/* Indicate finalize step with post code */ /* Indicate finalize step with post code */
post_code(POSTCODE_OS_BOOT); post_code(POSTCODE_OS_BOOT);
diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c
index a977b0516e5..951153fa812 100644 index 1fd1d98fb5..80802db285 100644
--- a/src/soc/intel/meteorlake/finalize.c --- a/src/soc/intel/meteorlake/finalize.c
+++ b/src/soc/intel/meteorlake/finalize.c +++ b/src/soc/intel/meteorlake/finalize.c
@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) @@ -64,7 +64,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
tbt_finalize();
sa_finalize();
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
diff --git a/src/soc/intel/pantherlake/finalize.c b/src/soc/intel/pantherlake/finalize.c
index 05ec3eaaca..1d47dd7a0b 100644
--- a/src/soc/intel/pantherlake/finalize.c
+++ b/src/soc/intel/pantherlake/finalize.c
@@ -63,7 +63,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize();
- apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE);
+
tbt_finalize(); tbt_finalize();
sa_finalize(); sa_finalize();
if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) &&
diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c
index fd80aeac1a0..a147b62e46f 100644 index fd80aeac1a..a147b62e46 100644
--- a/src/soc/intel/skylake/finalize.c --- a/src/soc/intel/skylake/finalize.c
+++ b/src/soc/intel/skylake/finalize.c +++ b/src/soc/intel/skylake/finalize.c
@@ -106,7 +106,8 @@ static void soc_finalize(void *unused) @@ -106,7 +106,8 @@ static void soc_finalize(void *unused)
@ -362,21 +410,22 @@ index fd80aeac1a0..a147b62e46f 100644
/* Indicate finalize step with post code */ /* Indicate finalize step with post code */
post_code(POSTCODE_OS_BOOT); post_code(POSTCODE_OS_BOOT);
diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c
index cd02745a9e6..06ce243fe72 100644 index cd02745a9e..158b2fb691 100644
--- a/src/soc/intel/tigerlake/finalize.c --- a/src/soc/intel/tigerlake/finalize.c
+++ b/src/soc/intel/tigerlake/finalize.c +++ b/src/soc/intel/tigerlake/finalize.c
@@ -55,7 +55,8 @@ static void soc_finalize(void *unused) @@ -55,7 +55,9 @@ static void soc_finalize(void *unused)
printk(BIOS_DEBUG, "Finalizing chipset.\n"); printk(BIOS_DEBUG, "Finalizing chipset.\n");
pch_finalize(); pch_finalize();
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
+
tbt_finalize(); tbt_finalize();
if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT))
heci1_disable(); heci1_disable();
diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c
index af630fe8127..8e409b8c439 100644 index a7b3602744..f0cd8a1998 100644
--- a/src/soc/intel/xeon_sp/finalize.c --- a/src/soc/intel/xeon_sp/finalize.c
+++ b/src/soc/intel/xeon_sp/finalize.c +++ b/src/soc/intel/xeon_sp/finalize.c
@@ -59,7 +59,8 @@ static void soc_finalize(void *unused) @@ -59,7 +59,8 @@ static void soc_finalize(void *unused)
@ -386,6 +435,43 @@ index af630fe8127..8e409b8c439 100644
- apm_control(APM_CNT_FINALIZE); - apm_control(APM_CNT_FINALIZE);
+ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) + if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3())
+ apm_control(APM_CNT_FINALIZE); + apm_control(APM_CNT_FINALIZE);
lock_pam0123();
if (CONFIG_MAX_SOCKET > 1) { if (CONFIG_MAX_SOCKET > 1) {
/* This MSR is package scope but run for all cpus for code simplicity */
diff --git a/src/soc/intel/xeon_sp/lockdown.c b/src/soc/intel/xeon_sp/lockdown.c
index a3d17b46c3..51a5cf5431 100644
--- a/src/soc/intel/xeon_sp/lockdown.c
+++ b/src/soc/intel/xeon_sp/lockdown.c
@@ -6,25 +6,15 @@
#include <soc/lockdown.h>
#include <soc/pm.h>
-static void lpc_lockdown_config(void)
-{
- /* Set BIOS Interface Lock, BIOS Lock */
- lpc_set_bios_interface_lock_down();
-
- /* Only allow writes in SMM */
- if (CONFIG(BOOTMEDIA_SMM_BWP)) {
- lpc_set_eiss();
- lpc_enable_wp();
- }
- lpc_set_lock_enable();
-}
-
void soc_lockdown_config(int chipset_lockdown)
{
if (chipset_lockdown == CHIPSET_LOCKDOWN_FSP)
return;
- lpc_lockdown_config();
+ if (!CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM))
+ /* LPC/eSPI lock down configuration */
+ lpc_lockdown_config(chipset_lockdown);
+
pmc_lockdown_config();
sata_lockdown_config(chipset_lockdown);
spi_lockdown_config(chipset_lockdown);
--
2.39.5
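Review bot: With `SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM` selected the flash locks fail open: the new `lockdown.c` skips `fast_spi_lockdown_bios()` and `lpc_lockdown_config()` in ramstage, and because the option now depends on `!INTEL_CHIPSET_LOCKDOWN`, the `soc_finalize()` guards issue `APM_CNT_FINALIZE` only on S3 resume. PR DLOCK, the FAST_SPIBAR lock and the BIOS interface/BIOS lock bits are therefore set only if the payload raises the SMI before handing off, so a payload boot path that skips it leaves SPI flash writable from the OS. The visible part of the Kconfig help text does not say this; I would add a sentence such as `The payload must issue APM_CNT_FINALIZE before booting the OS, otherwise SPI flash and LPC stay unlocked.` The lines added to `finalize()` in `smihandler.c` are not shown on this page, so I could not check whether the handler reports that the lock was applied.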