Felix Held has submitted this change. ( https://review.coreboot.org/c/coreboot/+/75625?usp=email )
Change subject: soc/intel/common: Add configs for TME exclusion range and new key gen
......................................................................
soc/intel/common: Add configs for TME exclusion range and new key gen
Add the following config options.
1. TME_GENERATE_NEW_KEY_ON_WARM_BOOT
Program Intel TME to generate a new key for each warm boot. TME
always generates a new key on each cold boot. With this option
enabled, TME generates a new key even in warm boot. Without this
option, TME reuses the key for warm boot.
2. TME_EXCLUDE_CBMEM_ENCRYPTION
This option allows excluding the CBMEM region from being encrypted
by Intel TME. When TME is enabled, it encrypts the whole DRAM. TME
provides an option to carve out a region of physical memory to get
excluded from encryption. With this config enabled, the CBMEM region
does not get encrypted by TME. If TME is not programmed to generate
a new key in warm boot, the exclusion range does not need to be
programmed, due to the fact that TME uses the same key in warm boot if
TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is
programmed to generate a new key in warm boot, the contents of the CBMEM
get encrypted with a new key in each warm boot case; hence, that leads
to loss of CBMEM data from the previous warm boot. So enabling this
config allows the CBMEM region to get excluded from being encrypted and
be accessible irrespective of the type of the platform reset.
Bug=b:276120526
TEST=Able to build rex
Signed-off-by: Pratikkumar Prajapati <pratikkumar.v.prajapati(a)intel.com>
Change-Id: Id5008fee07b97faadc7dd585f445295425173782
Reviewed-on: https://review.coreboot.org/c/coreboot/+/75625
Reviewed-by: Subrata Banik <subratabanik(a)google.com>
Tested-by: build bot (Jenkins) <no-reply(a)coreboot.org>
---
M src/soc/intel/common/block/cpu/Kconfig
1 file changed, 29 insertions(+), 0 deletions(-)
Approvals:
build bot (Jenkins): Verified
Subrata Banik: Looks good to me, approved
diff --git a/src/soc/intel/common/block/cpu/Kconfig b/src/soc/intel/common/block/cpu/Kconfig
index 8b30dcf..fb1e251 100644
--- a/src/soc/intel/common/block/cpu/Kconfig
+++ b/src/soc/intel/common/block/cpu/Kconfig
@@ -142,6 +142,35 @@
it would get enabled. If CPU supports MKTME, this same config option
enables MKTME.
+config TME_GENERATE_NEW_KEY_ON_WARM_BOOT
+ bool "Generate new TME key on each warm boot"
+ depends on INTEL_TME
+ default n
+ help
+ Program Intel TME to generate a new key for each warm boot. TME always
+ generates a new key on each cold boot. With this option enabled TME
+ generates a new key even in warm boot. Without this option TME reuses
+ the key for warm boot.
+
+config TME_EXCLUDE_CBMEM_ENCRYPTION
+ bool "Exclude CBMEM from TME encryption"
+ depends on INTEL_TME
+ default n
+ help
+ This option allows to exclude the CBMEM region from being encrypted by
+ Intel TME. When TME is enabled it encrypts whole DRAM. TME provides
+ option to carve out a region of physical memory to get excluded from
+ encryption. With this config enabled, CBMEM region does not get
+ encrypted by TME. If TME is not programmed to generate a new key in
+ warm boot, exclusion range does not need be programmed due to the
+ fact that TME uses same key in warm boot if
+ TME_GENERATE_NEW_KEY_ON_WARM_BOOT is not set. But if TME is programmed
+ to generate a new key in warm boot, contents of the CBMEM get
+ encrypted with a new key in each warm boot case hence, that leads to
+ loss of CBMEM data from previous warm boot. So enabling this config
+ allows CBMEM region to get excluded from being encrypted and can be
+ accessible irrespective of the type of the platform reset.
+
config CPU_XTAL_HZ
int
help
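Review bot: In the TME_EXCLUDE_CBMEM_ENCRYPTION entry, the help text says the exclusion range is only needed when TME_GENERATE_NEW_KEY_ON_WARM_BOOT is set, and that generating a new key on warm boot without the exclusion loses the CBMEM data from the previous warm boot, yet both options carry only "depends on INTEL_TME" and can be toggled independently. Consider expressing that relationship in Kconfig, for example by making the exclusion option depend on TME_GENERATE_NEW_KEY_ON_WARM_BOOT, or by mentioning the data-loss combination in the first option's help as well. The help should also say plainly that with the exclusion enabled the CBMEM contents sit unencrypted in DRAM, so whoever enables it can weigh that against the per-warm-boot key. Minor: "default n" is already the default for a bool and can be dropped from both entries, and "allows to exclude" and "does not need be programmed" read better as "allows excluding" and "does not need to be programmed".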
--
To view, visit https://review.coreboot.org/c/coreboot/+/75625?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Id5008fee07b97faadc7dd585f445295425173782
Gerrit-Change-Number: 75625
Gerrit-PatchSet: 7
Gerrit-Owner: Pratikkumar V Prajapati <pratikkumar.v.prajapati(a)intel.com>
Gerrit-Reviewer: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-MessageType: merged
Attention is currently required from: Kapil Porwal, Sridhar Siricilla, Subrata Banik.
Hello Kapil Porwal, Sridhar Siricilla, Subrata Banik, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/74995?usp=email
to look at the new patch set (#41).
Change subject: soc/intel/cmd/blk/cse: Implement APIs to access FW versions in CMOS
......................................................................
soc/intel/cmd/blk/cse: Implement APIs to access FW versions in CMOS
This patch implements APIs to access the FW versions in CMOS. The get
API allows users to retrieve the current version from CMOS memory.
The set API allows users to set the version in CMOS memory.
BUG=b:280722061
TEST=APIs verified on nivviks and marasov board.
Signed-off-by: Dinesh Gehlot <digehlot(a)google.com>
Change-Id: Idd0ee19575683691c0a82a291e1fd3b2ffb11786
---
M src/soc/intel/common/block/cse/Kconfig
M src/soc/intel/common/block/cse/Makefile.inc
A src/soc/intel/common/block/cse/cse_lite_cmos.c
A src/soc/intel/common/block/include/intelblocks/cse_lite_cmos.h
4 files changed, 213 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/95/74995/41
--
To view, visit https://review.coreboot.org/c/coreboot/+/74995?usp=email
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Idd0ee19575683691c0a82a291e1fd3b2ffb11786
Gerrit-Change-Number: 74995
Gerrit-PatchSet: 41
Gerrit-Owner: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Reviewer: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Reviewer: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Subrata Banik <subratabanik(a)google.com>
Gerrit-Attention: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Attention: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-MessageType: newpatchset
Attention is currently required from: Kapil Porwal, Subrata Banik.
Dinesh Gehlot has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/75755?usp=email )
Change subject: soc/intel/cmd/blk/cse: Store fw versions in CMOS memory for cold boot
......................................................................
Patch Set 11:
(7 comments)
File src/soc/intel/common/block/cse/cse_lite.c:
https://review.coreboot.org/c/coreboot/+/75755/comment/5aebf2e9_a5fc0f06 :
PS9, Line 137: static bool is_cse_fw_updated, is_cold_boot;
> use a structure with two member variable (if needed)
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/d1b8eae4_1951f367 :
PS9, Line 1205: /* cse has been updated*/
> space?
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/d9e559ba_96d1c1af :
PS9, Line 1207: /* write cse rw fw version to CMOS and CBMEM */
> ``` […]
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/a4e7b603_7bf74bdc :
PS9, Line 1211: /* Current running CSE version is same as previous stored CSE version */
> ``` […]
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/7a6fdff3_a88bea0d :
PS9, Line 1218: memcpy(&(version->cur_cse_fw_version), &(cse_bp->fw_ver), size);
> can we do something like this at line#1220 (outside loop) and drop this line here and from 1209 as w […]
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/1744f52e_5918ab4e :
PS9, Line 1306: set_cmos_ish_version(&(resp.manifest_data.version));
: memcpy(&(version->ish_partition_info.cur_ish_fw_version),
: &(resp.manifest_data.version), size);
> ``` […]
Acknowledged
https://review.coreboot.org/c/coreboot/+/75755/comment/601edb82_f03ecaab :
PS9, Line 1311: /*
: * The CBMEM was reset during cold reboot, so the ISH version in CBMEM
: * needs to be updated to the version stored in CMOS.
: */
> ``` […]
Acknowledged
--
To view, visit https://review.coreboot.org/c/coreboot/+/75755?usp=email
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ibc5a027aa2bb7217e5032f56fece0846783557a5
Gerrit-Change-Number: 75755
Gerrit-PatchSet: 11
Gerrit-Owner: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Reviewer: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Subrata Banik <subratabanik(a)google.com>
Gerrit-Attention: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Comment-Date: Fri, 16 Jun 2023 13:59:56 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Subrata Banik <subratabanik(a)google.com>
Gerrit-MessageType: comment
Attention is currently required from: Kapil Porwal, Sridhar Siricilla, Subrata Banik.
Dinesh Gehlot has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/74995?usp=email )
Change subject: soc/intel/cmd/blk/cse: Implement APIs to access FW versions in CMOS
......................................................................
Patch Set 40:
(9 comments)
File src/soc/intel/common/block/cse/cse_lite_cmos.c:
https://review.coreboot.org/c/coreboot/+/74995/comment/de355601_d73c0aa5 :
PS38, Line 49: read_cmos_partition_version
> cmos_read_parition_version
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/f6689672_4860f7b2 :
PS38, Line 75: write_cmos_partition_version
> start with cmos
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/c8fa4722_2d56de8e :
PS38, Line 89: u8 i, *p, offset = PARTITION_FW_CMOS_OFFSET;
> please give one line break
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/7a6f62e0_e19c6d2b :
PS38, Line 102: struct cse_fw_table version;
> same
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/3c7655cd_8bd2bbab :
PS38, Line 103: if (read_cmos_partition_version(&version)) {
: /*
: * CMOS failed to read the CSE version. This may be because the firmware version at
: * cmos has not yet been initialized.
: */
: init_cmos_partition_version(&version);
: }
> can we create a helper function? […]
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/324e52c6_f10533c2 :
PS38, Line 116: struct cse_fw_table version;
: if (read_cmos_partition_version(&version)) {
: /*
: * CMOS failed to read the CSE version. This may be because the firmware version at
: * cmos has not yet been initialized.
: */
: init_cmos_partition_version(&version);
: }
> reuse the helper function
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/617a0e4f_4b9a1d5c :
PS38, Line 132: if (read_cmos_partition_version(&version)) {
: /* CMOS ISH read fail, possibly firmware version has not yet initialized. */
: init_cmos_partition_version(&version);
: }
> same
Acknowledged
https://review.coreboot.org/c/coreboot/+/74995/comment/606069a2_5df9e690 :
PS38, Line 143: if (read_cmos_partition_version(&version)) {
: /* CMOS ISH read fail, possibly firmware version has not yet initialized. */
: init_cmos_partition_version(&version);
: }
> same
Acknowledged
File src/soc/intel/common/block/cse/cse_lite_cmos.c:
https://review.coreboot.org/c/coreboot/+/74995/comment/c356c580_3b3ea331 :
PS39, Line 49:
> tab
Acknowledged
--
To view, visit https://review.coreboot.org/c/coreboot/+/74995?usp=email
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Idd0ee19575683691c0a82a291e1fd3b2ffb11786
Gerrit-Change-Number: 74995
Gerrit-PatchSet: 40
Gerrit-Owner: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Reviewer: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Reviewer: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Subrata Banik <subratabanik(a)google.com>
Gerrit-Attention: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Attention: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-Comment-Date: Fri, 16 Jun 2023 13:59:48 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Subrata Banik <subratabanik(a)google.com>
Gerrit-MessageType: comment
Attention is currently required from: Dinesh Gehlot, Kapil Porwal, Sridhar Siricilla.
Hello Kapil Porwal, Sridhar Siricilla, Subrata Banik, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/74995?usp=email
to look at the new patch set (#40).
Change subject: soc/intel/cmd/blk/cse: Implement APIs to access FW versions in CMOS
......................................................................
soc/intel/cmd/blk/cse: Implement APIs to access FW versions in CMOS
This patch implements APIs to access the FW versions in CMOS. The get
API allows users to retrieve the current version from CMOS memory.
The set API allows users to set the version in CMOS memory.
BUG=b:280722061
TEST=APIs verified on nivviks and marasov board.
Signed-off-by: Dinesh Gehlot <digehlot(a)google.com>
Change-Id: Idd0ee19575683691c0a82a291e1fd3b2ffb11786
---
M src/soc/intel/common/block/cse/Kconfig
M src/soc/intel/common/block/cse/Makefile.inc
A src/soc/intel/common/block/cse/cse_lite_cmos.c
A src/soc/intel/common/block/include/intelblocks/cse_lite_cmos.h
4 files changed, 213 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/95/74995/40
--
To view, visit https://review.coreboot.org/c/coreboot/+/74995?usp=email
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Idd0ee19575683691c0a82a291e1fd3b2ffb11786
Gerrit-Change-Number: 74995
Gerrit-PatchSet: 40
Gerrit-Owner: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Reviewer: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Reviewer: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Attention: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Attention: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Attention: Sridhar Siricilla <sridhar.siricilla(a)intel.com>
Gerrit-MessageType: newpatchset
Attention is currently required from: Dinesh Gehlot, Kapil Porwal.
Hello Kapil Porwal, Subrata Banik, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/75890?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed:
Code-Review+1 by Kapil Porwal, Verified+1 by build bot (Jenkins)
Change subject: {driver, soc}: Remove unused CBMEM structure members for fw versions
......................................................................
{driver, soc}: Remove unused CBMEM structure members for fw versions
This patch removes unused CBMEM structure members that were used to
store a copy of data for CSE and ISH versions before CMOS backup was
implemented.
BUG=b:280722061
Test=Verified the changes on nissa board.
Signed-off-by: Dinesh Gehlot <digehlot(a)google.com>
Change-Id: I3824b6429d2c665dd84da9b69ae4bd82ddde10b2
---
M src/drivers/intel/ish/ish.c
M src/soc/intel/common/block/cse/cse.c
M src/soc/intel/common/block/cse/cse_lite.c
M src/soc/intel/common/block/include/intelblocks/cse.h
4 files changed, 15 insertions(+), 23 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/90/75890/3
--
To view, visit https://review.coreboot.org/c/coreboot/+/75890?usp=email
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I3824b6429d2c665dd84da9b69ae4bd82ddde10b2
Gerrit-Change-Number: 75890
Gerrit-PatchSet: 3
Gerrit-Owner: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-Reviewer: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Reviewer: Subrata Banik <subratabanik(a)google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Kapil Porwal <kapilporwal(a)google.com>
Gerrit-Attention: Dinesh Gehlot <digehlot(a)google.com>
Gerrit-MessageType: newpatchset