Andrey Petrov (andrey.petrov@intel.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/17769

-gerrit

commit bd1f0c7dc6ce3acb3e98da7d65453f4a350db463 Author: Andrey Petrov andrey.petrov@intel.com Date: Wed Dec 7 10:47:46 2016 -0800

soc/intel/apollolake: Drop CPU privilege mode later on

Drop CPU privilege mode later, after all the FSP stages are complete.

BRANCH=reef BUG=chrome-os-partner:60657 TEST=iotools rdmsr X 0x121, make sure they can't be read

Change-Id: Ia3a774aee5fbf92805a5c69093bfbd3d7682c3a7 Signed-off-by: Andrey Petrov andrey.petrov@intel.com --- src/soc/intel/apollolake/cpu.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)

diff --git a/src/soc/intel/apollolake/cpu.c b/src/soc/intel/apollolake/cpu.c index 8b8f963..d46bcbe 100644 --- a/src/soc/intel/apollolake/cpu.c +++ b/src/soc/intel/apollolake/cpu.c @@ -211,3 +211,20 @@ void apollolake_init_cpus(device_t dev) mtrr_use_temp_range(-CONFIG_ROM_SIZE, CONFIG_ROM_SIZE, MTRR_TYPE_WRPROT); } + +void soc_coreboot_exit(void) +{ + /* Drop privilege level on BSP first */ + enable_untrusted_mode(); + /* .. then all APs */ + if (mp_run_on_aps(&enable_untrusted_mode, 1000) < 0) + printk(BIOS_ERR, "failed to enable untrusted mode\n"); + + /* Since we use PARALLEL_MP_AP_WORK, park APs */ + mp_park_aps(); +} + +void arch_bootstate_coreboot_exit(void) +{ + soc_coreboot_exit(); +}