Furquan Shaikh has submitted this change. ( https://review.coreboot.org/c/coreboot/+/40683 )
Change subject: soc/amd/picasso: Enable secure debug unlock conditionally ......................................................................
soc/amd/picasso: Enable secure debug unlock conditionally
This change adds a Kconfig option PSP_UNLOCK_SECURE_DEBUG which when enabled includes secure debug unlock blobs and sets the required softfuses and options for amdfwtool. By default this is set to 'N'.
BUG=b:154880818
Signed-off-by: Furquan Shaikh furquan@google.com Change-Id: I47d8af67989b06242d662c77b7d9db97f624edd5 Reviewed-on: https://review.coreboot.org/c/coreboot/+/40683 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Marshall Dawson marshalldawson3rd@gmail.com --- M src/soc/amd/picasso/Kconfig M src/soc/amd/picasso/Makefile.inc 2 files changed, 13 insertions(+), 4 deletions(-)
Approvals: build bot (Jenkins): Verified Marshall Dawson: Looks good to me, approved
diff --git a/src/soc/amd/picasso/Kconfig b/src/soc/amd/picasso/Kconfig index a37f543..fa053f9 100644 --- a/src/soc/amd/picasso/Kconfig +++ b/src/soc/amd/picasso/Kconfig @@ -357,6 +357,12 @@ depends on HAVE_PSP_WHITELIST_FILE default "3rdparty/blobs/soc/amd/picasso/PSP/wtl-rvn.sbin"
+config PSP_UNLOCK_SECURE_DEBUG + bool "Unlock secure debug" + default n + help + Select this item to enable secure debug options in PSP. + endmenu
endif # SOC_AMD_PICASSO diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index d7cf9c0..4790ecb 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -109,19 +109,21 @@ PSP_SMUFW2_SUB1_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2RV2.csbin PSP_SMUFW2_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2PCO.csbin
+ifeq ($(CONFIG_PSP_UNLOCK_SECURE_DEBUG),y) # type = 0x9 PSP_SEC_DBG_KEY_FILE=$(top)/$(FIRMWARE_LOCATE)/RavenSecureDebug_PublicKey.bin +# type = 0x13 +PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin # Enable secure debug unlock PSP_SOFTFUSE_BITS += 0 +PSP_TOKEN_UNLOCK="--token-unlock" +endif
ifeq ($(CONFIG_USE_PSPSCUREOS),y) # types = 0x2 PSPSCUREOS_FILE=$(top)/$(FIRMWARE_LOCATE)/psp_os_combined_prod_RV.sbin endif
-# type = 0x13 -PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin - # type = 0x21 PSP_IKEK_FILE=$(top)/$(FIRMWARE_LOCATE)/PspIkekRV.bin
@@ -228,6 +230,7 @@ OPT_SMUFW2_SUB1_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB1_FILE), --subprogram 1 --smufirmware2) OPT_SMUFW2_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB2_FILE), --subprogram 2 --smufirmware2) OPT_PSP_SEC_DBG_KEY_FILE=$(call add_opt_prefix, $(PSP_SEC_DBG_KEY_FILE), --securedebug) +OPT_TOKEN_UNLOCK=$(call add_opt_prefix, $(PSP_TOKEN_UNLOCK), "") OPT_PSP_SOFTFUSE=$(call add_opt_prefix, $(PSP_SOFTFUSE), --soft-fuse) OPT_PSPSCUREOS_FILE=$(call add_opt_prefix, $(PSPSCUREOS_FILE), --secureos) OPT_SEC_DEBUG_FILE=$(call add_opt_prefix, $(PSP_SEC_DEBUG_FILE), --secdebug) @@ -367,7 +370,7 @@ $(OPT_IKEK_FILE) \ $(OPT_SEC_DEBUG_FILE) \ --combo-capable \ - --token-unlock \ + $(OPT_TOKEN_UNLOCK) \ --flashsize $(CONFIG_ROM_SIZE) \ --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ --output $@