Marc Jones submitted this change.

View Change

Approvals: build bot (Jenkins): Verified Arthur Heymans: Looks good to me, approved Angel Pons: Looks good to me, approved Jay Talbott: Looks good to me, but someone else must approve 
mainboard/: Register chipset_lockdown on xeon_sp mainboards

Set chipset_lockdown in devicetree for recommended security settings.

Change-Id: Ie27450dd32463243b1456932a1d39d40afa81da1
Signed-off-by: Marc Jones <marcjones@sysproconsulting.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51388
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Jay Talbott <JayTalbott@sysproconsulting.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
M src/mainboard/intel/cedarisland_crb/devicetree.cb
M src/mainboard/ocp/deltalake/devicetree.cb
M src/mainboard/ocp/tiogapass/devicetree.cb
3 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/src/mainboard/intel/cedarisland_crb/devicetree.cb b/src/mainboard/intel/cedarisland_crb/devicetree.cb
index a82f022..4691c05 100644
--- a/src/mainboard/intel/cedarisland_crb/devicetree.cb
+++ b/src/mainboard/intel/cedarisland_crb/devicetree.cb
@@ -1,4 +1,9 @@
 chip soc/intel/xeon_sp/cpx
+
+	register "common_soc_config" = "{
+		.chipset_lockdown = CHIPSET_LOCKDOWN_COREBOOT,
+	}"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/ocp/deltalake/devicetree.cb b/src/mainboard/ocp/deltalake/devicetree.cb
index 70dd6d6..08ac3e3 100644
--- a/src/mainboard/ocp/deltalake/devicetree.cb
+++ b/src/mainboard/ocp/deltalake/devicetree.cb
@@ -48,6 +48,10 @@
 
 	register "cstate_states" = "CSTATES_C1C6"
 
+	register "common_soc_config" = "{
+		.chipset_lockdown = CHIPSET_LOCKDOWN_COREBOOT,
+	}"
+
 	device cpu_cluster 0 on
 	  device lapic 0 on end
 	end
diff --git a/src/mainboard/ocp/tiogapass/devicetree.cb b/src/mainboard/ocp/tiogapass/devicetree.cb
index 833bb20..8504438 100644
--- a/src/mainboard/ocp/tiogapass/devicetree.cb
+++ b/src/mainboard/ocp/tiogapass/devicetree.cb
@@ -40,6 +40,10 @@
 
 	register "gen2_dec" = "0x000c0ca1" # IPMI KCS
 
+	register "common_soc_config" = "{
+		.chipset_lockdown = CHIPSET_LOCKDOWN_COREBOOT,
+	}"
+
 	device cpu_cluster 0 on
 	  device lapic 0 on end
 	end

To view, visit change 51388. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ie27450dd32463243b1456932a1d39d40afa81da1
Gerrit-Change-Number: 51388
Gerrit-PatchSet: 6
Gerrit-Owner: Marc Jones <marc@marcjonesconsulting.com>
Gerrit-Reviewer: Angel Pons <th3fanbus@gmail.com>
Gerrit-Reviewer: Anjaneya "Reddy" Chagam <anjaneya.chagam@intel.com>
Gerrit-Reviewer: Arthur Heymans <arthur@aheymans.xyz>
Gerrit-Reviewer: Jay Talbott <JayTalbott@sysproconsulting.com>
Gerrit-Reviewer: Johnny Lin <Johnny_Lin@wiwynn.com>
Gerrit-Reviewer: Jonathan Zhang <jonzhang@fb.com>
Gerrit-Reviewer: Marc Jones <marc@marcjonesconsulting.com>
Gerrit-Reviewer: Morgan Jang <Morgan_Jang@wiwynn.com>
Gerrit-Reviewer: Stefan Reinauer <stefan.reinauer@coreboot.org>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-MessageType: merged