Subrata Banik has submitted this change. ( https://review.coreboot.org/c/coreboot/+/60900 )
Change subject: soc/intel/common/cpu: Use SoC overrides to get CPU privilege level ......................................................................
soc/intel/common/cpu: Use SoC overrides to get CPU privilege level
This patch implements SoC overrides to check the CPU privilege level, as the MSR is not consistent across platforms.
For example: On APL/GLK/DNV, it's MSR 0x120 and CNL onwards it's MSR 0x151.
BUG=b:211573253, b:211950520
Signed-off-by: Subrata Banik subratabanik@google.com Change-Id: I515f0a3548bc5d6250e30f963d46f28f3c1b90b3 Reviewed-on: https://review.coreboot.org/c/coreboot/+/60900 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Angel Pons th3fanbus@gmail.com --- M src/soc/intel/alderlake/cpu.c M src/soc/intel/alderlake/include/soc/msr.h M src/soc/intel/apollolake/cpu.c M src/soc/intel/cannonlake/cpu.c M src/soc/intel/cannonlake/include/soc/msr.h M src/soc/intel/common/block/include/intelblocks/cpulib.h M src/soc/intel/denverton_ns/cpu.c M src/soc/intel/denverton_ns/include/soc/msr.h M src/soc/intel/elkhartlake/cpu.c M src/soc/intel/elkhartlake/include/soc/msr.h M src/soc/intel/icelake/cpu.c M src/soc/intel/icelake/include/soc/msr.h M src/soc/intel/jasperlake/cpu.c M src/soc/intel/jasperlake/include/soc/msr.h M src/soc/intel/skylake/cpu.c M src/soc/intel/skylake/include/soc/msr.h M src/soc/intel/tigerlake/cpu.c M src/soc/intel/tigerlake/include/soc/msr.h M src/soc/intel/xeon_sp/cpx/cpu.c M src/soc/intel/xeon_sp/skx/cpu.c 20 files changed, 116 insertions(+), 4 deletions(-)
Approvals: build bot (Jenkins): Verified Angel Pons: Looks good to me, approved
diff --git a/src/soc/intel/alderlake/cpu.c b/src/soc/intel/alderlake/cpu.c
index 95f8a50..92ffe87 100644
--- a/src/soc/intel/alderlake/cpu.c
+++ b/src/soc/intel/alderlake/cpu.c
@@ -25,6 +25,14 @@
#include <soc/soc_chip.h>
#include <types.h>
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/alderlake/include/soc/msr.h b/src/soc/intel/alderlake/include/soc/msr.h
index 954fce0..5bdbf92 100644
--- a/src/soc/intel/alderlake/include/soc/msr.h
+++ b/src/soc/intel/alderlake/include/soc/msr.h
@@ -5,6 +5,8 @@
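Review bot: The body of `cpu_soc_is_in_untrusted_mode()` added here is repeated verbatim in the cannonlake, elkhartlake, icelake, jasperlake and tigerlake `cpu.c` hunks, so a later correction to the MSR or mask has to be made six times, and a missed copy would report the wrong privilege state. Assuming `bool` is C99 `_Bool` in this tree, the `!!` is redundant and the body can follow the skylake hunk: `msr_t msr = rdmsr(MSR_BIOS_DONE);` then `return msr.lo & ENABLE_IA_UNTRUSTED;`. A one-line comment above the read, such as `/* MSR_BIOS_DONE bit 0 set: CPU has entered untrusted mode */`, would keep the meaning next to the code rather than only in cpulib.h.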
#include <intelblocks/msr.h>
-#define MSR_VR_MISC_CONFIG2 0x636
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
+#define MSR_VR_MISC_CONFIG2 0x636
#endif
diff --git a/src/soc/intel/apollolake/cpu.c b/src/soc/intel/apollolake/cpu.c
index af0a6dc..74aeee9 100644
--- a/src/soc/intel/apollolake/cpu.c
+++ b/src/soc/intel/apollolake/cpu.c
@@ -47,6 +47,14 @@
REG_SCRIPT_END
};
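Review bot: `ENABLE_IA_UNTRUSTED` is defined here as `(1 << 0)` for `MSR_BIOS_DONE`, while the denverton_ns `msr.h` hunk in this change defines the same name as `(1 << 6)` for `MSR_POWER_MISC`, so the name gives no hint of which register it belongs to. Anyone copying the check between SoCs, or later moving it into common code, could end up with a mask that silently tests the wrong bit of a security-state register. A register-prefixed name would prevent that, for example a proposed `#define BIOS_DONE_ENABLE_IA_UNTRUSTED (1 << 0)` here and in the cannonlake, elkhartlake, icelake, jasperlake, skylake and tigerlake headers, with a matching `POWER_MISC_` prefix in denverton_ns.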
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_POWER_MISC);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
void soc_core_init(struct device *cpu)
{
/* Configure Core PRMRR for SGX. */
diff --git a/src/soc/intel/cannonlake/cpu.c b/src/soc/intel/cannonlake/cpu.c
index 4f67208..6af3e1a 100644
--- a/src/soc/intel/cannonlake/cpu.c
+++ b/src/soc/intel/cannonlake/cpu.c
@@ -20,6 +20,14 @@
#include "chip.h"
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/cannonlake/include/soc/msr.h b/src/soc/intel/cannonlake/include/soc/msr.h
index 1c902d5..cc95fe68 100644
--- a/src/soc/intel/cannonlake/include/soc/msr.h
+++ b/src/soc/intel/cannonlake/include/soc/msr.h
@@ -5,6 +5,8 @@
#include <intelblocks/msr.h>
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
#define MSR_VR_CURRENT_CONFIG 0x601
#define MSR_PL3_CONTROL 0x615
#define MSR_VR_MISC_CONFIG2 0x636
diff --git a/src/soc/intel/common/block/include/intelblocks/cpulib.h b/src/soc/intel/common/block/include/intelblocks/cpulib.h
index 3ce80b2..b9c3ab7 100644
--- a/src/soc/intel/common/block/include/intelblocks/cpulib.h
+++ b/src/soc/intel/common/block/include/intelblocks/cpulib.h
@@ -112,6 +112,15 @@
void cpu_set_eist(bool eist_status);
/*
+ * SoC specific implementation:
+ *
+ * Check CPU security level using ENABLE_IA_UNTRUSTED_MODE of CPU MSR.
+ * If bit is set, meaning CPU has dropped its security level by entering
+ * into `untrusted mode`. Otherwise, it's in `trusted mode`.
+ */
+bool cpu_soc_is_in_untrusted_mode(void);
+
+/*
* This function fills in the number of Cores(physical) and Threads(virtual)
* of the CPU in the function arguments. It also returns if the number of cores
* and number of threads are equal.
diff --git a/src/soc/intel/denverton_ns/cpu.c b/src/soc/intel/denverton_ns/cpu.c
index fb4923f..3747a48 100644
--- a/src/soc/intel/denverton_ns/cpu.c
+++ b/src/soc/intel/denverton_ns/cpu.c
@@ -23,6 +23,14 @@
#include <soc/soc_util.h>
#include <types.h>
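Review bot: The new comment on `cpu_soc_is_in_untrusted_mode()` does not state the return value, and it hides that `false` has two meanings: the xeon_sp and skylake implementations in this change return `false` when the mode is not supported at all, which a caller cannot tell apart from "supported and still trusted". It also refers to `ENABLE_IA_UNTRUSTED_MODE`, while the macro added in the SoC headers is `ENABLE_IA_UNTRUSTED`. I would add a line such as `* Returns true if the CPU has entered untrusted mode; false if it is still in trusted mode or the SoC has no such mode.` and use the macro's actual name, so that callers which gate operations on this result know what a `false` does and does not guarantee.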
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_POWER_MISC);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static struct smm_relocation_attrs relo_attrs;
static void dnv_configure_mca(void)
diff --git a/src/soc/intel/denverton_ns/include/soc/msr.h b/src/soc/intel/denverton_ns/include/soc/msr.h
index 21f3e7b..7eb9fdc 100644
--- a/src/soc/intel/denverton_ns/include/soc/msr.h
+++ b/src/soc/intel/denverton_ns/include/soc/msr.h
@@ -10,6 +10,8 @@
#define MSR_FEATURE_CONFIG 0x13c
#define FEATURE_CONFIG_RESERVED_MASK 0x3ULL
#define FEATURE_CONFIG_LOCK (1 << 0)
+#define MSR_POWER_MISC 0x120
+#define ENABLE_IA_UNTRUSTED (1 << 6)
#define IA32_MCG_CAP 0x179
#define IA32_MCG_CAP_COUNT_MASK 0xff
#define IA32_MCG_CAP_CTL_P_BIT 8
diff --git a/src/soc/intel/elkhartlake/cpu.c b/src/soc/intel/elkhartlake/cpu.c
index d480604..0cc3935 100644
--- a/src/soc/intel/elkhartlake/cpu.c
+++ b/src/soc/intel/elkhartlake/cpu.c
@@ -17,6 +17,14 @@
#include <soc/soc_chip.h>
#include <types.h>
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/elkhartlake/include/soc/msr.h b/src/soc/intel/elkhartlake/include/soc/msr.h
index 954fce0..5bdbf92 100644
--- a/src/soc/intel/elkhartlake/include/soc/msr.h
+++ b/src/soc/intel/elkhartlake/include/soc/msr.h
@@ -5,6 +5,8 @@
#include <intelblocks/msr.h>
-#define MSR_VR_MISC_CONFIG2 0x636
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
+#define MSR_VR_MISC_CONFIG2 0x636
#endif
diff --git a/src/soc/intel/icelake/cpu.c b/src/soc/intel/icelake/cpu.c
index ab32c0d..37978ea 100644
--- a/src/soc/intel/icelake/cpu.c
+++ b/src/soc/intel/icelake/cpu.c
@@ -17,6 +17,14 @@
#include <soc/soc_chip.h>
#include <types.h>
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/icelake/include/soc/msr.h b/src/soc/intel/icelake/include/soc/msr.h
index 954fce0..d716bdb 100644
--- a/src/soc/intel/icelake/include/soc/msr.h
+++ b/src/soc/intel/icelake/include/soc/msr.h
@@ -5,6 +5,8 @@
#include <intelblocks/msr.h>
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
#define MSR_VR_MISC_CONFIG2 0x636
#endif
diff --git a/src/soc/intel/jasperlake/cpu.c b/src/soc/intel/jasperlake/cpu.c
index b063c28..af39c94 100644
--- a/src/soc/intel/jasperlake/cpu.c
+++ b/src/soc/intel/jasperlake/cpu.c
@@ -17,6 +17,14 @@
#include <soc/soc_chip.h>
#include <types.h>
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/jasperlake/include/soc/msr.h b/src/soc/intel/jasperlake/include/soc/msr.h
index 954fce0..5bdbf92 100644
--- a/src/soc/intel/jasperlake/include/soc/msr.h
+++ b/src/soc/intel/jasperlake/include/soc/msr.h
@@ -5,6 +5,8 @@
#include <intelblocks/msr.h>
-#define MSR_VR_MISC_CONFIG2 0x636
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
+#define MSR_VR_MISC_CONFIG2 0x636
#endif
diff --git a/src/soc/intel/skylake/cpu.c b/src/soc/intel/skylake/cpu.c
index 91db06b..63a0466 100644
--- a/src/soc/intel/skylake/cpu.c
+++ b/src/soc/intel/skylake/cpu.c
@@ -26,6 +26,16 @@
#include "chip.h"
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ if (!CONFIG(MAINBOARD_SUPPORTS_COFFEELAKE_CPU))
+ return false;
+
+ /* IA_UNTRUSTED_MODE is not supported in Sky Lake */
+ msr_t msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void configure_misc(void)
{
config_t *conf = config_of_soc();
diff --git a/src/soc/intel/skylake/include/soc/msr.h b/src/soc/intel/skylake/include/soc/msr.h
index 92e8215..a495799 100644
--- a/src/soc/intel/skylake/include/soc/msr.h
+++ b/src/soc/intel/skylake/include/soc/msr.h
@@ -5,6 +5,9 @@
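Review bot: The comment `/* IA_UNTRUSTED_MODE is not supported in Sky Lake */` sits below the early return, directly above the `rdmsr(MSR_BIOS_DONE)` that only runs when the mode is treated as supported, so it reads as describing the wrong branch. It belongs above `if (!CONFIG(MAINBOARD_SUPPORTS_COFFEELAKE_CPU))`. The same sentence above the new defines in the skylake `msr.h` hunk has the same problem and would be clearer as `/* Only valid on Coffee Lake; IA_UNTRUSTED_MODE is not supported in Sky Lake */`. Separately, the gate is a build-time option: if a board built with it can also boot a CPU that lacks this MSR (not visible from this hunk), the read would fault, so a runtime CPU-ID check may be needed.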
#include <intelblocks/msr.h>
+/* IA_UNTRUSTED_MODE is not supported in Sky Lake */
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
#define MSR_LT_LOCK_MEMORY 0x2e7
#define MSR_UNCORE_PRMRR_PHYS_BASE 0x2f4
#define MSR_UNCORE_PRMRR_PHYS_MASK 0x2f5
diff --git a/src/soc/intel/tigerlake/cpu.c b/src/soc/intel/tigerlake/cpu.c
index a9aa8ff..d225c50 100644
--- a/src/soc/intel/tigerlake/cpu.c
+++ b/src/soc/intel/tigerlake/cpu.c
@@ -23,6 +23,14 @@
#include <soc/soc_chip.h>
#include <types.h>
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ msr_t msr;
+
+ msr = rdmsr(MSR_BIOS_DONE);
+ return !!(msr.lo & ENABLE_IA_UNTRUSTED);
+}
+
static void soc_fsp_load(void)
{
fsps_load();
diff --git a/src/soc/intel/tigerlake/include/soc/msr.h b/src/soc/intel/tigerlake/include/soc/msr.h
index 954fce0..5bdbf92 100644
--- a/src/soc/intel/tigerlake/include/soc/msr.h
+++ b/src/soc/intel/tigerlake/include/soc/msr.h
@@ -5,6 +5,8 @@
#include <intelblocks/msr.h>
-#define MSR_VR_MISC_CONFIG2 0x636
+#define MSR_BIOS_DONE 0x151
+#define ENABLE_IA_UNTRUSTED (1 << 0)
+#define MSR_VR_MISC_CONFIG2 0x636
#endif
diff --git a/src/soc/intel/xeon_sp/cpx/cpu.c b/src/soc/intel/xeon_sp/cpx/cpu.c
index ba417a7..07c2db7 100644
--- a/src/soc/intel/xeon_sp/cpx/cpu.c
+++ b/src/soc/intel/xeon_sp/cpx/cpu.c
@@ -32,6 +32,12 @@
static const config_t *chip_config = NULL;
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ /* IA_UNTRUSTED_MODE is not supported in Cooper Lake */
+ return false;
+}
+
static void xeon_configure_mca(void)
{
msr_t msr;
diff --git a/src/soc/intel/xeon_sp/skx/cpu.c b/src/soc/intel/xeon_sp/skx/cpu.c
index fcdb2d7..c299529 100644
--- a/src/soc/intel/xeon_sp/skx/cpu.c
+++ b/src/soc/intel/xeon_sp/skx/cpu.c
@@ -20,6 +20,12 @@
static const config_t *chip_config = NULL;
+bool cpu_soc_is_in_untrusted_mode(void)
+{
+ /* IA_UNTRUSTED_MODE is not supported in Skylake */
+ return false;
+}
+
static void xeon_configure_mca(void)
{
msr_t msr;