Furquan Shaikh has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/40683 )

Change subject: soc/amd/picasso: Disable secure debug unlock ......................................................................

soc/amd/picasso: Disable secure debug unlock

This change updates PSP_SOFTFUSE to disable secure debug unlock by default and also removes the addition of debug key and debug file to PSP directory. This is not something that we would want to be enabled on shipping devices. If debug capability is required, there should be a separate Kconfig to enable it.

BUG=b:154880818 TEST=Verified that trembyle boots to OS.

Signed-off-by: Furquan Shaikh furquan@google.com Change-Id: I47d8af67989b06242d662c77b7d9db97f624edd5 --- M src/soc/amd/picasso/Makefile.inc 1 file changed, 2 insertions(+), 15 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/83/40683/1

diff --git a/src/soc/amd/picasso/Makefile.inc b/src/soc/amd/picasso/Makefile.inc index e686ab8..577db50 100644 --- a/src/soc/amd/picasso/Makefile.inc +++ b/src/soc/amd/picasso/Makefile.inc @@ -106,11 +106,8 @@ PSP_SMUFW2_SUB1_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2RV2.csbin PSP_SMUFW2_SUB2_FILE=$(top)/$(FIRMWARE_LOCATE)/SmuFirmware2PCO.csbin

-# type = 0x9 -PSP_SEC_DBG_KEY_FILE=$(top)/$(FIRMWARE_LOCATE)/RavenSecureDebug_PublicKey.bin - # type = 0xb - See #55758 (NDA) for bit definitions. -PSP_SOFTFUSE="0x0000000010000001" +PSP_SOFTFUSE="0x0000000010000000"

ifeq ($(CONFIG_USE_PSPSCUREOS),y) # types = 0x2, 0xc @@ -118,9 +115,6 @@ PSPTRUSTLETS_FILE=$(top)/$(FIRMWARE_LOCATE)/dr_ftpm_prod_RV.csbin endif

-# type = 0x13 -PSP_SEC_DEBUG_FILE=$(top)/$(FIRMWARE_LOCATE)/secure_unlock_prod_RV.sbin - # type = 0x21 PSP_IKEK_FILE=$(top)/$(FIRMWARE_LOCATE)/PspIkekRV.bin

@@ -135,7 +129,7 @@ # BIOS type = 0x6a PSP_MP2CFG_FILE=$(top)/$(FIRMWARE_LOCATE)/MP2FWConfig.sbin else -PSP_SOFTFUSE="0x0000000030000001" +PSP_SOFTFUSE="0x0000000030000000" endif

# type = 0x28 @@ -214,11 +208,9 @@ OPT_SMUFW1_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW1_SUB2_FILE), --subprogram 2 --smufirmware) OPT_SMUFW2_SUB1_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB1_FILE), --subprogram 1 --smufirmware2) OPT_SMUFW2_SUB2_FILE=$(call add_opt_prefix, $(PSP_SMUFW2_SUB2_FILE), --subprogram 2 --smufirmware2) -OPT_PSP_SEC_DBG_KEY_FILE=$(call add_opt_prefix, $(PSP_SEC_DBG_KEY_FILE), --securedebug) OPT_PSP_SOFTFUSE=$(call add_opt_prefix, $(PSP_SOFTFUSE), --soft-fuse) OPT_PSPSCUREOS_FILE=$(call add_opt_prefix, $(PSPSCUREOS_FILE), --secureos) OPT_PSPTRUSTLETS_FILE=$(call add_opt_prefix, $(PSPTRUSTLETS_FILE), --trustlets) -OPT_SEC_DEBUG_FILE=$(call add_opt_prefix, $(PSP_SEC_DEBUG_FILE), --secdebug) OPT_IKEK_FILE=$(call add_opt_prefix, $(PSP_IKEK_FILE), --ikek) OPT_SECG1_FILE=$(call add_opt_prefix, $(PSP_SECG1_FILE), --subprog 1 --sec-gasket) OPT_SECG2_FILE=$(call add_opt_prefix, $(PSP_SECG2_FILE), --subprog 2 --sec-gasket) @@ -263,7 +255,6 @@ $(obj)/amdfw.rom: $(call strip_quotes, $(CONFIG_AMD_PUBKEY_FILE)) \ $(call strip_quotes, $(PSPBTLDR_FILE)) \ $(call strip_quotes, $(PSPSCUREOS_FILE)) \ - $(call strip_quotes, $(PSP_SEC_DBG_KEY_FILE)) \ $(call strip_quotes, $(PSPTRUSTLETS_FILE)) \ $(call strip_quotes, $(PSP_APCB0_FILE)) \ $(call strip_quotes, $(PSP_APCB1_FILE)) \ @@ -301,7 +292,6 @@ $(call_strip_quotes, $(PSP_DRIVERS_FILE)) \ $(call_strip_quotes, $(PSP_S0I3_FILE)) \ $(call_strip_quotes, $(PSP_IKEK_FILE)) \ - $(call_strip_quotes, $(PSP_SEC_DEBUG_FILE)) \ $(AMDFWTOOL) rm -f $@ @printf " AMDFWTOOL $(subst $(obj)/,,$(@))\n" @@ -309,7 +299,6 @@ $(OPT_AMD_PUBKEY_FILE) \ $(OPT_PSPBTLDR_FILE) \ $(OPT_PSPSCUREOS_FILE) \ - $(OPT_PSP_SEC_DBG_KEY_FILE) \ $(OPT_PSPTRUSTLETS_FILE) \ $(OPT_SMUFW1_SUB2_FILE) \ $(OPT_SMUFW2_SUB2_FILE) \ @@ -355,9 +344,7 @@ $(OPT_DRIVERS_FILE) \ $(OPT_PSP_S0I3_FILE) \ $(OPT_IKEK_FILE) \ - $(OPT_SEC_DEBUG_FILE) \ --combo-capable \ - --token-unlock \ --flashsize $(CONFIG_ROM_SIZE) \ --location $(shell printf "0x%x" $(PICASSO_FWM_POSITION)) \ --output $@