Michael Niewöhner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36356 )
Change subject: soc/intel/cannonlake: set LT_LOCK_MEMORY at end of POST
Patch Set 2:
(1 comment)
https://review.coreboot.org/c/coreboot/+/36356/2/src/soc/intel/cannonlake/fi... File src/soc/intel/cannonlake/finalize.c:
https://review.coreboot.org/c/coreboot/+/36356/2/src/soc/intel/cannonlake/fi... PS2, Line 116: mp_run_on_all_cpus
There is no official/public documentation on this. […]
Current testing results:
SGX itself doesn't matter, but what matters is when the MSR gets set.
MSR scope | when set                      | result
----------+-------------------------------+----------------------------------------------------
package   | end of POST / soc_finalize    | regions locked, according to chipsec
thread    | end of POST / soc_finalize    | regions locked, according to chipsec
package   | before mc reload in SGX code  | PAVPC=0 and unlocked, TSEGMB filled but unlocked *
thread    | before mc reload in SGX code  | PAVPC=0 and unlocked, TSEGMB filled but unlocked *
* For unknown reasons the SGX test results differ from those at the time of the initial patches. Setting per-package vs. per-thread does not matter anymore. Maybe FSP changed something... SGX results at that time were:
MSR scope | when set                      | result
----------+-------------------------------+----------------------------------------------------
package   | before mc reload in SGX code  | PAVPC=0 and unlocked, TSEGMB filled but unlocked *
thread    | before mc reload in SGX code  | regions lock ok, according to chipsec
Conclusions:
1. Yes, the MSR seems to be package-scoped.
2. FSP locks TSEGMB and PAVPC at end of PEI in FSP-S (in fact)
   a) ... so it's right to set the MSR after that.
   b) ... This conflicts with the requirement to lock before mc reload with SGX enabled.