Subrata Banik has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/34541 )
Change subject: soc/intel/cannonlake: Allow coreboot to handle required chipset lockdown
soc/intel/cannonlake: Allow coreboot to handle required chipset lockdown
This patch disables FSP-S chipset lockdown UPDs and lets coreboot perform chipset lockdown in ramstage.
Change-Id: I7e53c4e4987a7b0e7f475c92b0f797d94fdd60f4
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
---
M src/soc/intel/cannonlake/fsp_params.c
1 file changed, 20 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/41/34541/1
diff --git a/src/soc/intel/cannonlake/fsp_params.c b/src/soc/intel/cannonlake/fsp_params.c index 6a2c038..5e030b8 100644 --- a/src/soc/intel/cannonlake/fsp_params.c +++ b/src/soc/intel/cannonlake/fsp_params.c @@ -19,6 +19,7 @@ #include <fsp/api.h> #include <fsp/util.h> #include <intelblocks/xdci.h> +#include <intelpch/lockdown.h> #include <soc/intel/common/vbt.h> #include <soc/pci_devs.h> #include <soc/ramstage.h> @@ -405,6 +406,25 @@ configure_gspi_cs(i, config, ¶ms->SerialIoSpiCsPolarity[0], NULL, NULL); #endif + + /* Chipset Lockdown */ + if (get_lockdown_config() == CHIPSET_LOCKDOWN_COREBOOT) { + tconfig->PchLockDownGlobalSmi = 0; + tconfig->PchLockDownBiosInterface = 0; + params->PchLockDownBiosLock = 0; + params->PchLockDownRtcMemoryLock = 0; + /* + * TODO: Disable SpiFlashCfgLockDown config after FSP provides + * dedicated UPD + * + * Skip Spi Flash Lockdown from inside FSP. + * Making this config "0" means FSP won't set the FLOCKDN bit + * of SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL). + * So, it becomes coreboot's responsibility to set this bit + * before end of POST for security concerns. + */ + // params->SpiFlashCfgLockDown = 0; + } }
/* Mainboard GPIO Configuration */
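Review bot: In the CHIPSET_LOCKDOWN_COREBOOT branch of the second hunk, the block comment explains what setting SpiFlashCfgLockDown to 0 does, but the assignment itself is commented out (`// params->SpiFlashCfgLockDown = 0;`), so the comment describes behaviour this change does not enable and SpiFlashCfgLockDown keeps whatever value it already had. Please reword the comment to say that SPI flash lockdown (FLOCKDN, bit 15 of BIOS_HSFSTS_CTL) is not yet moved to coreboot, keep only the TODO, and drop the dead `//` line, which also does not match the `/* */` comment style used around it. Separately, the hunk clears PchLockDownGlobalSmi, PchLockDownBiosInterface, PchLockDownBiosLock and PchLockDownRtcMemoryLock, but nothing in this one-file change shows coreboot applying the equivalent locks in ramstage as the commit message says; please reference the change or code path that does, since with these UPDs at 0 and no coreboot-side step the locks would stay unset. There is also no else branch: when the lockdown config is not CHIPSET_LOCKDOWN_COREBOOT the result depends on the UPD values already in place, so consider setting the four UPDs to 1 explicitly in that case.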