Change in coreboot[master]: Factor TI50/CR50 config - coreboot-gerrit

31 Mar 2022

Attention is currently required from: Christian Walter, Julius Werner, Yu-Ping Wu.
Jes Klinke has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/63285 )
Change subject: Factor TI50/CR50 config
......................................................................
Factor TI50/CR50 config
For every _CR50 config, create a corresponding _TI50 config, as well as
a _GSC config, which will be set if either of the former are set.
Also, audit uses of _CR50, and replace most with _GSC.
TEST=Boot Brya board
Signed-off-by: Jes B. Klinke jbk@chromium.org
Change-Id: I037b1b717a16c468e2f97a912da99f125b61e1ce
---
M src/drivers/i2c/tpm/Kconfig
M src/drivers/i2c/tpm/Makefile.inc
M src/drivers/spi/tpm/Kconfig
M src/drivers/spi/tpm/tpm.c
M src/drivers/tpm/Makefile.inc
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
M src/security/tpm/tss/vendor/cr50/Kconfig
M src/security/vboot/secdata_mock.c
M src/security/vboot/secdata_tpm.c
M src/security/vboot/vboot_logic.c
M src/soc/intel/common/Makefile.inc
M src/soc/intel/skylake/acpi/systemagent.asl
M src/vendorcode/google/chromeos/Kconfig
M src/vendorcode/google/chromeos/Makefile.inc
M src/vendorcode/google/chromeos/cse_board_reset.c
16 files changed, 94 insertions(+), 40 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/85/63285/1

diff --git a/src/drivers/i2c/tpm/Kconfig b/src/drivers/i2c/tpm/Kconfig
index 0d5f06b..07829c5 100644
--- a/src/drivers/i2c/tpm/Kconfig
+++ b/src/drivers/i2c/tpm/Kconfig
@@ -10,13 +10,30 @@
    help
      Board has an Atmel I2C TPM support
+config MAINBOARD_HAS_I2C_TPM_GSC
+	bool
+	default n
+	help
+	  Board has a GSC I2C TPM support
+
 config MAINBOARD_HAS_I2C_TPM_CR50
    bool
    default n
    select I2C_TPM
+	select MAINBOARD_HAS_TPM_CR50
+	select MAINBOARD_HAS_I2C_TPM_GSC
    help
      Board has a Cr50 I2C TPM support
+config MAINBOARD_HAS_I2C_TPM_TI50
+	bool
+	default n
+	select I2C_TPM
+	select MAINBOARD_HAS_TPM_TI50
+	select MAINBOARD_HAS_I2C_TPM_GSC
+	help
+	  Board has a Ti50 I2C TPM support
+
 config MAINBOARD_HAS_I2C_TPM_GENERIC
    bool
    default n
@@ -24,15 +41,6 @@
    help
      Board has a generic I2C TPM support
-config MAINBOARD_NEEDS_I2C_TI50_WORKAROUND
-	bool
-	default n
-	help
-	  Ti50 FW versions below 0.15 don't support the firmware_version or board_cfg registers,
-	  and trying to access them causes I2C errors. This config will skip accesses to these
-	  registers, and should be selected for boards using Ti50 chips with FW < 0.15. The config
-	  will be removed once all Ti50 stocks are updated to 0.15 or higher.
-
 config DRIVER_TIS_DEFAULT
    bool
    depends on I2C_TPM
diff --git a/src/drivers/i2c/tpm/Makefile.inc b/src/drivers/i2c/tpm/Makefile.inc
index 51856fa..1135d5a 100644
--- a/src/drivers/i2c/tpm/Makefile.inc
+++ b/src/drivers/i2c/tpm/Makefile.inc
@@ -16,10 +16,10 @@
 bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
 postcar-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
-ramstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
-romstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
-verstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
-bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
-postcar-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
+ramstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GSC) += cr50.c
+romstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GSC) += cr50.c
+verstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GSC) += cr50.c
+bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GSC) += cr50.c
+postcar-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GSC) += cr50.c
ramstage-$(CONFIG_DRIVER_I2C_TPM_ACPI) += chip.c
diff --git a/src/drivers/spi/tpm/Kconfig b/src/drivers/spi/tpm/Kconfig
index 8c39a4a..260cf60 100644
--- a/src/drivers/spi/tpm/Kconfig
+++ b/src/drivers/spi/tpm/Kconfig
@@ -17,9 +17,18 @@
    bool
    default n
    select MAINBOARD_HAS_SPI_TPM
+	select MAINBOARD_HAS_TPM_CR50
    help
      Board has a CR50 SPI TPM
+config MAINBOARD_HAS_SPI_TPM_TI50
+	bool
+	default n
+	select MAINBOARD_HAS_SPI_TPM
+	select MAINBOARD_HAS_TPM_TI50
+	help
+	  Board has a TI50 SPI TPM
+
 config MAINBOARD_HAS_SPI_TPM
    bool
    default n
diff --git a/src/drivers/spi/tpm/tpm.c b/src/drivers/spi/tpm/tpm.c
index 43fd933..936f9e5 100644
--- a/src/drivers/spi/tpm/tpm.c
+++ b/src/drivers/spi/tpm/tpm.c
@@ -104,9 +104,9 @@
    static int tpm_sync_needed;
    static struct stopwatch wake_up_sw;
-	if (CONFIG(TPM_CR50)) {
+	if (CONFIG(TPM_GSC)) {
    	/*
-		 * First Cr50 access in each coreboot stage where TPM is used will be
+		 * First GSC access in each coreboot stage where TPM is used will be
    	 * prepended by a wake up pulse on the CS line.
    	 */
    	int wakeup_needed = 1;
@@ -178,7 +178,7 @@
     * mind...) we transmit the 4 byte header without checking the byte
     * transmitted by the TPM during the transaction's last byte.
     *
-	 * We know that cr50 is guaranteed to set the flow control bit to 0
+	 * We know that GSC is guaranteed to set the flow control bit to 0
     * during the header transfer. Real TPM2 are fast enough to not require
     * to stall the master. They might still use this feature, so test the
     * last bit after shifting in the address bytes.
@@ -186,7 +186,7 @@
     */
header_resp.body[3] = 0;
-	if (CONFIG(TPM_CR50))
+	if (CONFIG(TPM_GSC))
    	ret = spi_xfer(&spi_slave, header.body, sizeof(header.body), NULL, 0);
    else
    	ret = spi_xfer(&spi_slave, header.body, sizeof(header.body),
@@ -633,7 +633,7 @@
     *
     * The specification description of the state machine is a bit vague,
     * but from experience it looks like there is no need to wait for the
-	 * sts.expect bit to be set, at least with the 9670 and cr50 devices.
+	 * sts.expect bit to be set, at least with the 9670 and GSC devices.
     * Just write the command into FIFO, making sure not to exceed the
     * burst count or the maximum PDU size, whatever is smaller.
     */
diff --git a/src/drivers/tpm/Makefile.inc b/src/drivers/tpm/Makefile.inc
index a56c02b..e4a577c 100644
--- a/src/drivers/tpm/Makefile.inc
+++ b/src/drivers/tpm/Makefile.inc
@@ -6,8 +6,8 @@
 ramstage-$(CONFIG_HAVE_ACPI_TABLES) += ppi_stub.c
 endif
-bootblock-$(CONFIG_TPM_CR50) += cr50.c
-verstage-$(CONFIG_TPM_CR50) += cr50.c
-romstage-$(CONFIG_TPM_CR50) += cr50.c
-ramstage-$(CONFIG_TPM_CR50) += cr50.c
-postcar-$(CONFIG_TPM_CR50) += cr50.c
+bootblock-$(CONFIG_TPM_GSC) += cr50.c
+verstage-$(CONFIG_TPM_GSC) += cr50.c
+romstage-$(CONFIG_TPM_GSC) += cr50.c
+ramstage-$(CONFIG_TPM_GSC) += cr50.c
+postcar-$(CONFIG_TPM_GSC) += cr50.c
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 4864f12..2b3ed7d 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -32,7 +32,7 @@
    depends on MAINBOARD_HAS_I2C_TPM_GENERIC || \
    	   MAINBOARD_HAS_LPC_TPM || \
    	   MAINBOARD_HAS_I2C_TPM_ATMEL || \
-		   MAINBOARD_HAS_I2C_TPM_CR50 || \
+		   MAINBOARD_HAS_I2C_TPM_GSC || \
    	   MAINBOARD_HAS_SPI_TPM || \
    	   MAINBOARD_HAS_CRB_TPM
    depends on !MAINBOARD_HAS_TPM1
@@ -58,6 +58,26 @@
      This option can be selected by a mainboard to represent that its TPM
      always uses the 2.0 protocol, and that it should be on by default.
+config MAINBOARD_HAS_TPM_GSC
+	bool
+	default n
+	help
+	  This option indicates that the mainboard has a Google Security Chip.
+
+config MAINBOARD_HAS_TPM_CR50
+	bool
+	default n
+	select MAINBOARD_HAS_TPM_GSC
+	help
+	  This option indicates that the mainboard has a Google Cr50 TPM chip.
+
+config MAINBOARD_HAS_TPM_TI50
+	bool
+	default n
+	select MAINBOARD_HAS_TPM_GSC
+	help
+	  This option indicates that the mainboard has a Google Ti50 TPM chip.
+
 config TPM_DEACTIVATE
    bool "Deactivate TPM"
    default n
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index c36183d..636d19a 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -1,4 +1,4 @@
-subdirs-$(CONFIG_TPM_CR50) += tss/vendor/cr50
+subdirs-$(CONFIG_TPM_GSC) += tss/vendor/cr50
## TSS
diff --git a/src/security/tpm/tss/vendor/cr50/Kconfig b/src/security/tpm/tss/vendor/cr50/Kconfig
index c4ecdef..9e6da28 100644
--- a/src/security/tpm/tss/vendor/cr50/Kconfig
+++ b/src/security/tpm/tss/vendor/cr50/Kconfig
@@ -1,11 +1,21 @@
 # SPDX-License-Identifier: GPL-2.0-only
+config TPM_GSC
+	bool
+
 config TPM_CR50
    bool
    depends on TPM2
-	default y if MAINBOARD_HAS_I2C_TPM_CR50 || MAINBOARD_HAS_SPI_TPM_CR50
+	select TPM_GSC
+	default y if MAINBOARD_HAS_TPM_CR50
-if TPM_CR50
+config TPM_TI50
+	bool
+	depends on TPM2
+	select TPM_GSC
+	default y if MAINBOARD_HAS_TPM_TI50
+
+if TPM_GSC
config POWER_OFF_ON_CR50_UPDATE
    bool
diff --git a/src/security/vboot/secdata_mock.c b/src/security/vboot/secdata_mock.c
index 5792b41..2eb2bf4 100644
--- a/src/security/vboot/secdata_mock.c
+++ b/src/security/vboot/secdata_mock.c
@@ -31,7 +31,7 @@
    /*
     * The new kernel secdata v1 stores the last read EC hash, and reboots the
     * device during EC software sync when that hash didn't match the currently
-	 * active hash on the EC (this is used with TPM_CR50 to support EC-EFS2 and
+	 * active hash on the EC (this is used with TPM_GSC to support EC-EFS2 and
     * pretty much a no-op for other devices). Generally, of course the whole
     * point of secdata is always that it persists across reboots, but with
     * MOCK_SECDATA we can't do that. Previously we always happened to somewhat
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 847a959..13fa5b0 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -384,8 +384,7 @@
     * Define and write zero-touch enrollment (ZTE) spaces.  For Cr50 devices,
     * these are set up elsewhere via TPM vendor commands.
     */
-	if (CONFIG(CHROMEOS) && (!(CONFIG(MAINBOARD_HAS_SPI_TPM_CR50) ||
-				   CONFIG(MAINBOARD_HAS_I2C_TPM_CR50))))
+	if (CONFIG(CHROMEOS) && (!CONFIG(MAINBOARD_HAS_TPM_GSC)))
    	RETURN_ON_FAILURE(setup_zte_spaces());
/* Define widevine counter space. No need to increment/write to the secure counters
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index 509169f..888530c 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -303,7 +303,7 @@
     * If there is an communication error, a recovery reason will be set and
     * vb2api_fw_phase1 will route us to recovery mode.
     */
-	if (CONFIG(TPM_CR50))
+	if (CONFIG(TPM_GSC))
    	check_boot_mode(ctx);
if (get_ec_is_trusted())
diff --git a/src/soc/intel/common/Makefile.inc b/src/soc/intel/common/Makefile.inc
index ad987dd..160e868 100644
--- a/src/soc/intel/common/Makefile.inc
+++ b/src/soc/intel/common/Makefile.inc
@@ -20,11 +20,11 @@
 ramstage-y += vbt.c
 ramstage-$(CONFIG_SOC_INTEL_COMMON_NHLT) += nhlt.c
-bootblock-$(CONFIG_TPM_CR50) += tpm_tis.c
-verstage-$(CONFIG_TPM_CR50) += tpm_tis.c
-romstage-$(CONFIG_TPM_CR50) += tpm_tis.c
-ramstage-$(CONFIG_TPM_CR50) += tpm_tis.c
-postcar-$(CONFIG_TPM_CR50) += tpm_tis.c
+bootblock-$(CONFIG_TPM_GSC) += tpm_tis.c
+verstage-$(CONFIG_TPM_GSC) += tpm_tis.c
+romstage-$(CONFIG_TPM_GSC) += tpm_tis.c
+ramstage-$(CONFIG_TPM_GSC) += tpm_tis.c
+postcar-$(CONFIG_TPM_GSC) += tpm_tis.c
romstage-$(CONFIG_SOC_INTEL_COMMON_FSP_RESET) += fsp_reset.c
 ramstage-$(CONFIG_SOC_INTEL_COMMON_FSP_RESET) += fsp_reset.c
diff --git a/src/soc/intel/skylake/acpi/systemagent.asl b/src/soc/intel/skylake/acpi/systemagent.asl
index 36d4932..b50a29b 100644
--- a/src/soc/intel/skylake/acpi/systemagent.asl
+++ b/src/soc/intel/skylake/acpi/systemagent.asl
@@ -171,7 +171,7 @@
    			0x00000000, PCH_PRESERVED_BASE_ADDRESS, 0xfe7fffff,
    			0x00000000, PCH_PRESERVED_BASE_SIZE)
-#if !CONFIG(TPM_CR50)
+#if !CONFIG(TPM_GSC)
    	/* TPM Area (0xfed40000-0xfed44fff) */
    	DWordMemory (ResourceProducer, PosDecode, MinFixed, MaxFixed,
    			Cacheable, ReadWrite,
diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig
index 780344c..3f0eac6 100644
--- a/src/vendorcode/google/chromeos/Kconfig
+++ b/src/vendorcode/google/chromeos/Kconfig
@@ -24,7 +24,7 @@
config CR50_IMMEDIATELY_COMMIT_FW_SECDATA
    bool
-	default y if TPM_CR50
+	default y if TPM_GSC
config CHROMEOS_RAMOOPS
    bool "Reserve space for Chrome OS ramoops"
diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index c05d8e7..ae72173 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -9,7 +9,7 @@
 ramstage-$(CONFIG_HAVE_REGULATORY_DOMAIN) += wrdd.c
 ramstage-$(CONFIG_USE_SAR) += sar.c
 ramstage-$(CONFIG_CHROMEOS_DSM_CALIB) += dsm_calib.c
-ramstage-$(CONFIG_TPM_CR50) += cr50_enable_update.c
+ramstage-$(CONFIG_TPM_GSC) += cr50_enable_update.c
romstage-$(CONFIG_CHROMEOS_CSE_BOARD_RESET_OVERRIDE) += cse_board_reset.c
 ramstage-$(CONFIG_CHROMEOS_CSE_BOARD_RESET_OVERRIDE) += cse_board_reset.c
diff --git a/src/vendorcode/google/chromeos/cse_board_reset.c b/src/vendorcode/google/chromeos/cse_board_reset.c
index 0b213a6..9ba4bc2 100644
--- a/src/vendorcode/google/chromeos/cse_board_reset.c
+++ b/src/vendorcode/google/chromeos/cse_board_reset.c
@@ -37,6 +37,14 @@
    		return;
    }
+	if (CONFIG(TPM_TI50)) {
+		/*
+		 * Ti50 firmware of all versions support the above PLTRST wiring.
+		 */
+		return;
+	}
+
+
    printk(BIOS_INFO, "Initiating request to EC to trigger cold reset\n");
    /*
     * Clean the data cache and set the full reset bit, so that when EC toggles
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/63285
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I037b1b717a16c468e2f97a912da99f125b61e1ce
Gerrit-Change-Number: 63285
Gerrit-PatchSet: 1
Gerrit-Owner: Jes Klinke jbk@chromium.org
Gerrit-Reviewer: Christian Walter christian.walter@9elements.com
Gerrit-Reviewer: Julius Werner jwerner@chromium.org
Gerrit-Reviewer: Yu-Ping Wu yupingso@google.com
Gerrit-Attention: Christian Walter christian.walter@9elements.com
Gerrit-Attention: Julius Werner jwerner@chromium.org
Gerrit-Attention: Yu-Ping Wu yupingso@google.com
Gerrit-MessageType: newchange



    