<p>Duncan Laurie has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/25347">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">soc/intel: Limit xDCI feature when VBOOT is enabled<br><br>When CONFIG_VBOOT is enabled then the xDCI controller should only be<br>enabled if the system is in developer mode.  This prevents a system<br>in normal/verified mode from being used as a USB peripheral device<br>which could potentially be used to access user data.<br><br>Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b<br>Signed-off-by: Duncan Laurie <dlaurie@chromium.org><br>---<br>M src/soc/intel/apollolake/chip.c<br>M src/soc/intel/apollolake/xdci.c<br>M src/soc/intel/cannonlake/Kconfig<br>M src/soc/intel/cannonlake/chip.c<br>M src/soc/intel/common/block/include/intelblocks/xdci.h<br>M src/soc/intel/common/block/xdci/xdci.c<br>M src/soc/intel/skylake/Kconfig<br>M src/soc/intel/skylake/chip_fsp20.c<br>8 files changed, 23 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/25347/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/soc/intel/apollolake/chip.c b/src/soc/intel/apollolake/chip.c</span><br><span>index cac2f11..d93985e 100644</span><br><span>--- a/src/soc/intel/apollolake/chip.c</span><br><span>+++ b/src/soc/intel/apollolake/chip.c</span><br><span>@@ -30,6 +30,7 @@</span><br><span> #include <intelblocks/fast_spi.h></span><br><span> #include <intelblocks/p2sb.h></span><br><span> #include <intelblocks/msr.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <intelblocks/xdci.h></span><br><span> #include <fsp/api.h></span><br><span> #include <fsp/util.h></span><br><span> #include <intelblocks/cpulib.h></span><br><span>@@ -585,6 +586,10 @@</span><br><span>            glk_fsp_silicon_init_params_cb(cfg, 
silconfig);</span><br><span>      else</span><br><span>                 apl_fsp_silicon_init_params_cb(cfg, silconfig);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+     /* Disable xDCI device if it should not be enabled */</span><br><span style="color: hsl(120, 100%, 40%);">+ dev = dev_find_slot(0, PCH_DEVFN_XDCI);</span><br><span style="color: hsl(120, 100%, 40%);">+       silconfig->UsbOtg = xdci_can_enable() ? dev->enabled : 0;</span><br><span> }</span><br><span> </span><br><span> struct chip_operations soc_intel_apollolake_ops = {</span><br><span>diff --git a/src/soc/intel/apollolake/xdci.c b/src/soc/intel/apollolake/xdci.c</span><br><span>index 4c3047c..07207b3 100644</span><br><span>--- a/src/soc/intel/apollolake/xdci.c</span><br><span>+++ b/src/soc/intel/apollolake/xdci.c</span><br><span>@@ -54,7 +54,7 @@</span><br><span>          * enabled. If it's disabled assume the switch was already done</span><br><span>   * in FSP.</span><br><span>    */</span><br><span style="color: hsl(0, 100%, 40%);">-     if (!dev->enabled || !xdci_dev->enabled)</span><br><span style="color: hsl(120, 100%, 40%);">+        if (!dev->enabled || !xdci_dev->enabled || !xdci_can_enable())</span><br><span>                 return;</span><br><span> </span><br><span>  printk(BIOS_INFO, "Putting port 0 into host mode.\n");</span><br><span>diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig</span><br><span>index dab6622..fc73210 100644</span><br><span>--- a/src/soc/intel/cannonlake/Kconfig</span><br><span>+++ b/src/soc/intel/cannonlake/Kconfig</span><br><span>@@ -70,6 +70,7 @@</span><br><span>    select SOC_INTEL_COMMON_BLOCK_SPI</span><br><span>    select SOC_INTEL_COMMON_BLOCK_TIMER</span><br><span>  select SOC_INTEL_COMMON_BLOCK_UART</span><br><span style="color: hsl(120, 100%, 40%);">+    select SOC_INTEL_COMMON_BLOCK_XDCI</span><br><span>   select SOC_INTEL_COMMON_NHLT</span><br><span>         
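Review bot: `dev` returned by `dev_find_slot(0, PCH_DEVFN_XDCI)` is dereferenced unconditionally on the next line, so a devicetree that omits the xDCI device turns the new `silconfig->UsbOtg` assignment into a NULL dereference during silicon init. A guard keeps the fail-closed direction the commit wants: `silconfig->UsbOtg = (dev && dev->enabled && xdci_can_enable()) ? 1 : 0;`. The enclosing init-params callback and the declaration of `dev` start outside the hunk, so whether `dev` is reused from an earlier lookup is not visible here. The comment could also state the policy rather than the mechanics, e.g. `/* xDCI stays off unless the devicetree enables it and vboot policy allows it (developer mode) */`.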
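Review bot: The comment above the extended early return still says the only reason to skip the host-mode switch is that the device is disabled and "the switch was already done in FSP", which no longer covers the new `!xdci_can_enable()` case; the chip.c hunk passes `UsbOtg = 0` to FSP in that situation, so the assumption presumably still holds, but the comment should say so. Suggested wording: `/* Skip if xDCI is disabled in the devicetree or withheld by vboot policy; in both cases UsbOtg was reported to FSP as 0 and the switch is left to FSP. */`. The start of soc_xdci_init and the lookup of `xdci_dev` lie outside the hunk.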
select SOC_INTEL_COMMON_RESET</span><br><span>        select SSE2</span><br><span>diff --git a/src/soc/intel/cannonlake/chip.c b/src/soc/intel/cannonlake/chip.c</span><br><span>index b2689b0..c64de71 100644</span><br><span>--- a/src/soc/intel/cannonlake/chip.c</span><br><span>+++ b/src/soc/intel/cannonlake/chip.c</span><br><span>@@ -19,6 +19,7 @@</span><br><span> #include <device/pci.h></span><br><span> #include <fsp/api.h></span><br><span> #include <fsp/util.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <intelblocks/xdci.h></span><br><span> #include <romstage_handoff.h></span><br><span> #include <soc/intel/common/vbt.h></span><br><span> #include <soc/pci_devs.h></span><br><span>@@ -262,7 +263,7 @@</span><br><span>               }</span><br><span>    }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   params->XdciEnable = config->XdciEnable;</span><br><span style="color: hsl(120, 100%, 40%);">+        params->XdciEnable = xdci_can_enable() ? config->XdciEnable : 0;</span><br><span> </span><br><span>   /* PCI Express */</span><br><span>    for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {</span><br><span>diff --git a/src/soc/intel/common/block/include/intelblocks/xdci.h b/src/soc/intel/common/block/include/intelblocks/xdci.h</span><br><span>index fa25513..1158056 100644</span><br><span>--- a/src/soc/intel/common/block/include/intelblocks/xdci.h</span><br><span>+++ b/src/soc/intel/common/block/include/intelblocks/xdci.h</span><br><span>@@ -17,5 +17,6 @@</span><br><span> #define SOC_INTEL_COMMON_BLOCK_XDCI_H</span><br><span> </span><br><span> void soc_xdci_init(struct device *dev);</span><br><span style="color: hsl(120, 100%, 40%);">+int xdci_can_enable(void);</span><br><span> </span><br><span> #endif        /* SOC_INTEL_COMMON_BLOCK_XDCI_H */</span><br><span>diff --git a/src/soc/intel/common/block/xdci/xdci.c b/src/soc/intel/common/block/xdci/xdci.c</span><br><span>index 10e6f0d..07093df 100644</span><br><span>--- 
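Review bot: Forcing `params->XdciEnable` to 0 only changes what FSP is told; the xDCI PCI device stays enabled in the devicetree and nothing in this hunk records that the controller was withheld, so later ACPI and resource handling may still describe it — the Apollo Lake hunk ties the decision to `dev->enabled`, this one does not. Whether FSP's XdciEnable=0 produces a function disable the OS cannot undo, rather than merely leaving the controller unconfigured, is not visible here; since the stated goal is to stop a verified-mode system from acting as a USB peripheral, that is worth confirming, otherwise the gate only protects the firmware-set default. A one-line comment would help the next reader: `/* xDCI is only allowed in developer mode when vboot is enabled, see xdci_can_enable() */`.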
a/src/soc/intel/common/block/xdci/xdci.c</span><br><span>+++ b/src/soc/intel/common/block/xdci/xdci.c</span><br><span>@@ -19,9 +19,19 @@</span><br><span> #include <device/pci.h></span><br><span> #include <device/pci_ids.h></span><br><span> #include <intelblocks/xdci.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <security/vboot/vboot_common.h></span><br><span> </span><br><span> __attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/* Only allow xDCI controller in developer mode if VBOOT is enabled */</span><br><span style="color: hsl(120, 100%, 40%);">+int xdci_can_enable(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+      if (IS_ENABLED(CONFIG_VBOOT))</span><br><span style="color: hsl(120, 100%, 40%);">+         return vboot_developer_mode_enabled() ?  1 : 0;</span><br><span style="color: hsl(120, 100%, 40%);">+       else</span><br><span style="color: hsl(120, 100%, 40%);">+          return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static struct device_operations usb_xdci_ops = {</span><br><span>   .read_resources         = &pci_dev_read_resources,</span><br><span>       .set_resources          = &pci_dev_set_resources,</span><br><span>diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig</span><br><span>index aac4a8f..f3719a5 100644</span><br><span>--- a/src/soc/intel/skylake/Kconfig</span><br><span>+++ b/src/soc/intel/skylake/Kconfig</span><br><span>@@ -84,6 +84,7 @@</span><br><span>   select SOC_INTEL_COMMON_BLOCK_SPI</span><br><span>    select SOC_INTEL_COMMON_BLOCK_TIMER</span><br><span>  select SOC_INTEL_COMMON_BLOCK_UART</span><br><span style="color: hsl(120, 100%, 40%);">+    select SOC_INTEL_COMMON_BLOCK_XDCI</span><br><span>   select 
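Review bot: `xdci_can_enable()` calls `vboot_developer_mode_enabled()` under a runtime `if (IS_ENABLED(CONFIG_VBOOT))`, so the call is compiled even in non-vboot builds, and the Skylake and Cannon Lake Kconfig hunks now select SOC_INTEL_COMMON_BLOCK_XDCI for every board; this relies on `security/vboot/vboot_common.h` declaring the function and something providing its definition when CONFIG_VBOOT is off, which is not visible here and should be checked with a non-vboot build. The body can also be a single expression that reads as the policy it implements: `return !IS_ENABLED(CONFIG_VBOOT) || vboot_developer_mode_enabled();`. The declaration in xdci.h deserves a contract comment, e.g. `/* Returns 1 if the xDCI (USB device-mode) controller may be enabled: always without vboot; with vboot only when developer mode is reported, every other vboot state returns 0. */`. What `vboot_developer_mode_enabled()` reports when no vboot handoff data is available in this stage is not shown; for this gate the safe answer is 0, so that is worth verifying as well.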
SOC_INTEL_COMMON_BLOCK_XHCI</span><br><span>   select SOC_INTEL_COMMON_GFX_OPREGION</span><br><span>         select SOC_INTEL_COMMON_NHLT</span><br><span>diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c</span><br><span>index 3bc66b2..3b1407b 100644</span><br><span>--- a/src/soc/intel/skylake/chip_fsp20.c</span><br><span>+++ b/src/soc/intel/skylake/chip_fsp20.c</span><br><span>@@ -26,6 +26,7 @@</span><br><span> #include <device/pci.h></span><br><span> #include <fsp/api.h></span><br><span> #include <fsp/util.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <intelblocks/xdci.h></span><br><span> #include <romstage_handoff.h></span><br><span> #include <soc/acpi.h></span><br><span> #include <soc/intel/common/vbt.h></span><br><span>@@ -221,7 +222,7 @@</span><br><span>      params->PchHdaEnable = config->EnableAzalia;</span><br><span>   params->PchHdaIoBufferOwnership = config->IoBufferOwnership;</span><br><span>   params->PchHdaDspEnable = config->DspEnable;</span><br><span style="color: hsl(0, 100%, 40%);">-      params->XdciEnable = config->XdciEnable;</span><br><span style="color: hsl(120, 100%, 40%);">+        params->XdciEnable = xdci_can_enable() ? config->XdciEnable : 0;</span><br><span>       params->Device4Enable = config->Device4Enable;</span><br><span>         params->SataEnable = config->EnableSata;</span><br><span>       params->SataMode = config->SataMode;</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/25347">change 25347</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/25347"/><meta itemprop="name" content="View Change"/></div></div>
