Felix Held has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/78178?usp=email )
Change subject: soc/amd: rework SPL file override and SPL fusing handling
soc/amd: rework SPL file override and SPL fusing handling
The SPL_TABLE_FILE and SPL_RW_AB_TABLE_FILE Kconfig options provide a way to override the default SPL file configured in the SoC's fw.cfg file by passing the '--spl-table' parameter to amdfwtool which will then use the override instead of the SPL file from the fw.cfg file. When SPL*_TABLE_FILE is an empty string, the corresponding add_opt_prefix call in the makefile will result in no '--spl-table' parameter being passed to amdfwtool, so it'll use the default SPL file from fw.cfg. In order to not pass an SPL override by default, remove the default from the SPL_TABLE_FILE in the SoC's Kconfig. The SoC default pointed to the same SPL file as in fw.cfg file anyway. Now only when a mainboard sets this option to point to a file, that file will be used as an override. This override is used to include a special SPL file needed for the verstage on PSP case on the Chromebooks. Since SPL_TABLE_FILE is an empty string by default, neither the SPL_TABLE_FILE Kconfig option nor it being evaluated in the Makefile need to be guarded by HAVE_SPL_FILE, so remove the dependency in the Kconfig and the ifeq in the Makefile.
Before this patch, the HAVE_SPL_FILE option controlled two things that shouldn't be controlled by the same Kconfig option: Only when HAVE_SPL_FILE was set to y, the SPL_TABLE_FILE override was taken into account, and it also controlled if spl_fuse.c got added to the build which when added will send the SPL fusing command to the PSP. So the case of needing an SPL file override, but not updating the SPL fuses wasn't supported before.
The SPL file in the amdfw part will be used by the PSP bootloader for the anti-rollback feature which makes sure that the SPL file version isn't lower than what is in the SPL fuses. This happens way before we're running code on the x86 cores. The SPL fusing PSP command that can be sent by coreboot will tell the PSP to update the SPL fuses so that the fused minimal SPL version will be updated to the current SPL version.
Since the former HAVE_SPL_FILE option now only controls if the SPL fusing command will be sent to the PSP mailbox, rename it to PERFORM_SPL_FUSING to clarify what this will do and update the help text to correctly describe what this does.
TEST=With INCLUDE_CONFIG_FILE set to n, timeless builds for both Birman with Phoenix APU and Skyrim result in identical binaries.
Signed-off-by: Felix Held felix-coreboot@felixheld.de
Change-Id: I6cec1f1b285fe48e81a961414fbc9978fa1003cc
---
M src/mainboard/google/guybrush/Kconfig
M src/mainboard/google/skyrim/Kconfig
M src/soc/amd/cezanne/Kconfig
M src/soc/amd/cezanne/Makefile.inc
M src/soc/amd/common/block/psp/Makefile.inc
M src/soc/amd/genoa/Kconfig
M src/soc/amd/genoa/Makefile.inc
M src/soc/amd/glinda/Kconfig
M src/soc/amd/glinda/Makefile.inc
M src/soc/amd/mendocino/Kconfig
M src/soc/amd/mendocino/Makefile.inc
M src/soc/amd/phoenix/Kconfig
M src/soc/amd/phoenix/Makefile.inc
13 files changed, 88 insertions(+), 76 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/78/78178/1
diff --git a/src/mainboard/google/guybrush/Kconfig b/src/mainboard/google/guybrush/Kconfig index 7f233be..30d9277 100644 --- a/src/mainboard/google/guybrush/Kconfig +++ b/src/mainboard/google/guybrush/Kconfig @@ -106,13 +106,12 @@ string default "src/mainboard/google/guybrush/variants/baseboard/amdfw.cfg"
-config HAVE_SPL_FILE +config PERFORM_SPL_FUSING bool default y
config SPL_TABLE_FILE string - depends on HAVE_SPL_FILE default "3rdparty/blobs/mainboard/google/guybrush/TypeId0x55_SplTable_Prod_CZN_Chrome.sbin"
if !EM100 # EM100 defaults in soc/amd/common/blocks/spi/Kconfig diff --git a/src/mainboard/google/skyrim/Kconfig b/src/mainboard/google/skyrim/Kconfig index 4e9ae98..3adbda4 100644 --- a/src/mainboard/google/skyrim/Kconfig +++ b/src/mainboard/google/skyrim/Kconfig @@ -96,13 +96,12 @@ depends on CHROMEOS default y
-config HAVE_SPL_FILE +config PERFORM_SPL_FUSING bool default y
config SPL_TABLE_FILE string - depends on HAVE_SPL_FILE default "3rdparty/blobs/mainboard/google/skyrim/TypeId0x55_SplTableBl_MDN_CHROME_RO.sbin"
config HAVE_SPL_RW_AB_FILE @@ -111,7 +110,6 @@
config SPL_RW_AB_TABLE_FILE string - depends on HAVE_SPL_RW_AB_FILE default "3rdparty/blobs/mainboard/google/skyrim/TypeId0x55_SplTableBl_MDN_CHROME.sbin"
config SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL diff --git a/src/soc/amd/cezanne/Kconfig b/src/soc/amd/cezanne/Kconfig index 160bc65..ba90633 100644 --- a/src/soc/amd/cezanne/Kconfig +++ b/src/soc/amd/cezanne/Kconfig @@ -376,19 +376,27 @@ depends on HAVE_PSP_WHITELIST_FILE default "3rdparty/amd_blobs/cezanne/PSP/wtl-czn.sbin"
-config HAVE_SPL_FILE - bool "Have a mainboard specific SPL table file" +config PERFORM_SPL_FUSING + bool "Send SPL fuse command to PSP" default n help - Have a mainboard specific SPL table file, which is created by AMD - and put to 3rdparty/blobs. + Send the Security Patch Level (SPL) fusing command to the PSP so that + it is made sure that the minimal SPL version is written to the SoC's + fuse bits so that the embedded firmwares can't be rolled back to a + version with lower SPL.
If unsure, answer 'n'
config SPL_TABLE_FILE - string "SPL table file" - depends on HAVE_SPL_FILE - default "3rdparty/amd_blobs/cezanne/PSP/TypeId0x55_SplTableBl_CZN.sbin" + string "SPL table file override" + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option.
config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" diff --git a/src/soc/amd/cezanne/Makefile.inc b/src/soc/amd/cezanne/Makefile.inc index 76cb9e8..c92bb0d 100644 --- a/src/soc/amd/cezanne/Makefile.inc +++ b/src/soc/amd/cezanne/Makefile.inc @@ -91,9 +91,7 @@ endif
# type = 0x55 -ifeq ($(CONFIG_HAVE_SPL_FILE),y) SPL_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) -endif
# # BIOS Directory Table items - proper ordering is managed by amdfwtool diff --git a/src/soc/amd/common/block/psp/Makefile.inc b/src/soc/amd/common/block/psp/Makefile.inc index 0f15963..a89d4e9 100644 --- a/src/soc/amd/common/block/psp/Makefile.inc +++ b/src/soc/amd/common/block/psp/Makefile.inc @@ -29,6 +29,6 @@ smm-y += psp_gen2.c smm-y += psp_smm_gen2.c
-ramstage-$(CONFIG_HAVE_SPL_FILE) += spl_fuse.c +ramstage-$(CONFIG_PERFORM_SPL_FUSING) += spl_fuse.c
endif # CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2 diff --git a/src/soc/amd/genoa/Kconfig b/src/soc/amd/genoa/Kconfig index c4f8a9d..417912e 100644 --- a/src/soc/amd/genoa/Kconfig +++ b/src/soc/amd/genoa/Kconfig @@ -117,13 +117,27 @@ string "Debug whitelist file path" depends on HAVE_PSP_WHITELIST_FILE
-config HAVE_SPL_FILE - bool +config PERFORM_SPL_FUSING + bool "Send SPL fuse command to PSP" + default n + help + Send the Security Patch Level (SPL) fusing command to the PSP so that + it is made sure that the minimal SPL version is written to the SoC's + fuse bits so that the embedded firmwares can't be rolled back to a + version with lower SPL. + + If unsure, answer 'n'
config SPL_TABLE_FILE - string "SPL table file" - depends on HAVE_SPL_FILE - default "3rdparty/amd_blobs_internal/genoa/PSP/Typex55_0_0_0_BLAntiRB.bin" + string "SPL table file override" + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option.
config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" diff --git a/src/soc/amd/genoa/Makefile.inc b/src/soc/amd/genoa/Makefile.inc index efbd3b1..6b936b6 100644 --- a/src/soc/amd/genoa/Makefile.inc +++ b/src/soc/amd/genoa/Makefile.inc @@ -46,9 +46,7 @@ endif
# type = 0x55 -ifeq ($(CONFIG_HAVE_SPL_FILE),y) SPL_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) -endif
# # BIOS Directory Table items - proper ordering is managed by amdfwtool diff --git a/src/soc/amd/glinda/Kconfig b/src/soc/amd/glinda/Kconfig index ae4b190..0807909 100644 --- a/src/soc/amd/glinda/Kconfig +++ b/src/soc/amd/glinda/Kconfig @@ -349,37 +349,38 @@ depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/glinda/PSP/wtl-mrg.sbin"
-config HAVE_SPL_FILE - bool "Have a mainboard specific SPL table file" +config PERFORM_SPL_FUSING + bool "Send SPL fuse command to PSP" default n help - Have a mainboard specific Security Patch Level (SPL) table file. SPL file - is required to support PSP FW anti-rollback and needs to be created by AMD. - The default SPL file applies to all boards that use the concerned SoC and - is dropped under 3rdparty/blobs. The mainboard specific SPL file override - can be applied through SPL_TABLE_FILE config. + Send the Security Patch Level (SPL) fusing command to the PSP so that + it is made sure that the minimal SPL version is written to the SoC's + fuse bits so that the embedded firmwares can't be rolled back to a + version with lower SPL.
If unsure, answer 'n'
config SPL_TABLE_FILE - string "SPL table file" - depends on HAVE_SPL_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_MRG.sbin" + string "SPL table file override" + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option.
config HAVE_SPL_RW_AB_FILE bool "Have a separate mainboard-specific SPL file in RW A/B partitions" default n - depends on HAVE_SPL_FILE depends on VBOOT_SLOTS_RW_AB help Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. See the help text of - HAVE_SPL_FILE for a more detailed description. + file for the RW A/B FMAP partitions.
config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file for RW A/B partitions" - depends on HAVE_SPL_RW_AB_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_MRG.sbin" + string "Separate SPL table file override for RW A/B partitions"
config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" diff --git a/src/soc/amd/glinda/Makefile.inc b/src/soc/amd/glinda/Makefile.inc index 25b2fe4..ea2a48b 100644 --- a/src/soc/amd/glinda/Makefile.inc +++ b/src/soc/amd/glinda/Makefile.inc @@ -86,14 +86,12 @@ endif
# type = 0x55 -ifeq ($(CONFIG_HAVE_SPL_FILE),y) SPL_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) ifeq ($(CONFIG_HAVE_SPL_RW_AB_FILE),y) SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_RW_AB_TABLE_FILE) else SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) endif -endif
# # BIOS Directory Table items - proper ordering is managed by amdfwtool diff --git a/src/soc/amd/mendocino/Kconfig b/src/soc/amd/mendocino/Kconfig index d179f35..abfe52a 100644 --- a/src/soc/amd/mendocino/Kconfig +++ b/src/soc/amd/mendocino/Kconfig @@ -406,37 +406,38 @@ depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/mendocino/PSP/wtl-mdn.sbin"
-config HAVE_SPL_FILE - bool "Have a mainboard specific SPL table file" +config PERFORM_SPL_FUSING + bool "Send SPL fuse command to PSP" default n help - Have a mainboard specific Security Patch Level (SPL) table file. SPL file - is required to support PSP FW anti-rollback and needs to be created by AMD. - The default SPL file applies to all boards that use the concerned SoC and - is dropped under 3rdparty/blobs. The mainboard specific SPL file override - can be applied through SPL_TABLE_FILE config. + Send the Security Patch Level (SPL) fusing command to the PSP so that + it is made sure that the minimal SPL version is written to the SoC's + fuse bits so that the embedded firmwares can't be rolled back to a + version with lower SPL.
If unsure, answer 'n'
config SPL_TABLE_FILE - string "SPL table file" - depends on HAVE_SPL_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_MDN.sbin" + string "SPL table file override" + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option.
config HAVE_SPL_RW_AB_FILE bool "Have a separate mainboard-specific SPL file in RW A/B partitions" default n - depends on HAVE_SPL_FILE depends on VBOOT_SLOTS_RW_AB help Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. See the help text of - HAVE_SPL_FILE for a more detailed description. + file for the RW A/B FMAP partitions.
config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file for RW A/B partitions" - depends on HAVE_SPL_RW_AB_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_MDN.sbin" + string "Separate SPL table file override for RW A/B partitions"
config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" diff --git a/src/soc/amd/mendocino/Makefile.inc b/src/soc/amd/mendocino/Makefile.inc index 14eb363..9442083 100644 --- a/src/soc/amd/mendocino/Makefile.inc +++ b/src/soc/amd/mendocino/Makefile.inc @@ -89,14 +89,12 @@ endif
# type = 0x55 -ifeq ($(CONFIG_HAVE_SPL_FILE),y) SPL_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) ifeq ($(CONFIG_HAVE_SPL_RW_AB_FILE),y) SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_RW_AB_TABLE_FILE) else SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) endif -endif
# # BIOS Directory Table items - proper ordering is managed by amdfwtool diff --git a/src/soc/amd/phoenix/Kconfig b/src/soc/amd/phoenix/Kconfig index 18ed58f..365fd1f 100644 --- a/src/soc/amd/phoenix/Kconfig +++ b/src/soc/amd/phoenix/Kconfig @@ -361,37 +361,38 @@ depends on HAVE_PSP_WHITELIST_FILE default "site-local/3rdparty/amd_blobs/phoenix/PSP/wtl-phx.sbin"
-config HAVE_SPL_FILE - bool "Have a mainboard specific SPL table file" +config PERFORM_SPL_FUSING + bool "Send SPL fuse command to PSP" default n help - Have a mainboard specific Security Patch Level (SPL) table file. SPL file - is required to support PSP FW anti-rollback and needs to be created by AMD. - The default SPL file applies to all boards that use the concerned SoC and - is dropped under 3rdparty/blobs. The mainboard specific SPL file override - can be applied through SPL_TABLE_FILE config. + Send the Security Patch Level (SPL) fusing command to the PSP so that + it is made sure that the minimal SPL version is written to the SoC's + fuse bits so that the embedded firmwares can't be rolled back to a + version with lower SPL.
If unsure, answer 'n'
config SPL_TABLE_FILE - string "SPL table file" - depends on HAVE_SPL_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_PHX.sbin" + string "SPL table file override" + help + Provide a mainboard-specific Security Patch Level (SPL) table file + override. The SPL file is required to support PSP FW anti-rollback + and needs to be created by AMD. The default SPL file specified in the + SoC's fw.cfg is in the corresponding folder of the amd_blobs submodule + and applies to all boards that use the SoC without verstage on PSP. + In the verstage on PSP case, a different SPL file is specific as an + override via this Kconfig option.
config HAVE_SPL_RW_AB_FILE bool "Have a separate mainboard-specific SPL file in RW A/B partitions" default n - depends on HAVE_SPL_FILE depends on VBOOT_SLOTS_RW_AB help Have separate mainboard-specific Security Patch Level (SPL) table - file for the RW A/B FMAP partitions. See the help text of - HAVE_SPL_FILE for a more detailed description. + file for the RW A/B FMAP partitions.
config SPL_RW_AB_TABLE_FILE - string "Separate SPL table file for RW A/B partitions" - depends on HAVE_SPL_RW_AB_FILE - default "3rdparty/blobs/mainboard/$(CONFIG_MAINBOARD_DIR)/TypeId0x55_SplTableBl_PHX.sbin" + string "Separate SPL table file override for RW A/B partitions"
config PSP_SOFTFUSE_BITS string "PSP Soft Fuse bits to enable" diff --git a/src/soc/amd/phoenix/Makefile.inc b/src/soc/amd/phoenix/Makefile.inc index b2f566d..d589bf1 100644 --- a/src/soc/amd/phoenix/Makefile.inc +++ b/src/soc/amd/phoenix/Makefile.inc @@ -92,14 +92,12 @@ endif
# type = 0x55 -ifeq ($(CONFIG_HAVE_SPL_FILE),y) SPL_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) ifeq ($(CONFIG_HAVE_SPL_RW_AB_FILE),y) SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_RW_AB_TABLE_FILE) else SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_TABLE_FILE) endif -endif
# # BIOS Directory Table items - proper ordering is managed by amdfwtool
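Review bot: In the new SPL_TABLE_FILE help text, "a different SPL file is specific as an override" should read "is specified as an override"; the same sentence is repeated in the cezanne, genoa, glinda, mendocino and phoenix Kconfig hunks, so all five copies need the fix. The PERFORM_SPL_FUSING help in the same hunks is also hard to parse ("so that it is made sure that ... so that ..."). Since enabling the option results in a write to the SoC's fuse bits, a plainer wording would serve the person answering the prompt better, for example: "Send the SPL fusing command to the PSP, which updates the minimal SPL version in the SoC's fuses to the current SPL version. Firmware with a lower SPL will then be rejected by the anti-rollback check."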
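Review bot: In the glinda, mendocino and phoenix Makefile.inc hunks, the branch "ifeq ($(CONFIG_HAVE_SPL_RW_AB_FILE),y) SPL_RW_AB_TABLE_FILE=$(CONFIG_SPL_RW_AB_TABLE_FILE)" can now yield an empty value, because the matching Kconfig hunks drop both the default and the "depends on HAVE_SPL_RW_AB_FILE" from SPL_RW_AB_TABLE_FILE. With HAVE_SPL_RW_AB_FILE=y and the string left empty, the RW A/B partitions would fall back to the SPL file from fw.cfg while RO uses the SPL_TABLE_FILE override, and nothing in the build flags the mismatch. Consider either keeping the dependency so the string is only visible when HAVE_SPL_RW_AB_FILE is set, or dropping HAVE_SPL_RW_AB_FILE and falling back to CONFIG_SPL_TABLE_FILE whenever CONFIG_SPL_RW_AB_TABLE_FILE is empty. SPL_RW_AB_TABLE_FILE also ends up without any help text, unlike SPL_TABLE_FILE.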
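Review bot: The only consumer of the renamed symbol is "ramstage-$(CONFIG_PERFORM_SPL_FUSING) += spl_fuse.c" in src/soc/amd/common/block/psp/Makefile.inc, yet PERFORM_SPL_FUSING is defined five times with identical prompt and help text in the cezanne, genoa, glinda, mendocino and phoenix Kconfig hunks. Defining it once in the Kconfig of the common PSP block would keep the help text in one place and next to the code it controls. It would also make the genoa change explicit: there the old HAVE_SPL_FILE was a promptless "bool", and this patch turns it into a user-visible option with a prompt and "default n", which the commit message does not mention.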
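Review bot: The guybrush Kconfig hunk changes a cezanne board, but the TEST line in the commit message only covers Birman with Phoenix APU and Skyrim. Guybrush keeps "config PERFORM_SPL_FUSING bool default y" and its own SPL_TABLE_FILE default, and the cezanne Makefile.inc hunk drops the ifeq guard around SPL_TABLE_FILE, so an identical-binary timeless build for guybrush would confirm that the rename and the unguarded assignment leave the fusing behaviour and the selected SPL file unchanged on that board as well.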