Attention is currently required from: Arthur Heymans, Christian Walter, Johnny Lin, Morgan Jang, Tim Chu.
Patrick Rudolph has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/80247?usp=email )
Change subject: soc/intel/xeon_sp/smihandler: Lock SMM_FEATURE_CONTROL on all sockets ......................................................................
soc/intel/xeon_sp/smihandler: Lock SMM_FEATURE_CONTROL on all sockets
Remove hardcoded B:D:F numbers for the first socket and pass the PCI addresses to be locked within SMM by using the smm_pci_resource_store.
This allows to lock down SMM on all sockets without knowing the actual bus topology or PCI segment group at compile time where the UBOX devices reside on.
Tested: SMM is locked on all 4 sockets instead of just one.
Change-Id: Ica694911384005681662d3d7bed354a60bf08911 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com --- M src/mainboard/bytedance/bd_egs/ramstage.c M src/mainboard/ibm/sbp1/ramstage.c M src/mainboard/intel/archercity_crb/ramstage.c M src/mainboard/intel/cedarisland_crb/ramstage.c M src/mainboard/inventec/transformers/ramstage.c M src/mainboard/ocp/deltalake/ramstage.c M src/mainboard/ocp/tiogapass/ramstage.c M src/soc/intel/xeon_sp/Kconfig M src/soc/intel/xeon_sp/cpx/Makefile.mk M src/soc/intel/xeon_sp/cpx/include/soc/pci_devs.h D src/soc/intel/xeon_sp/cpx/soc_smihandler_util.c M src/soc/intel/xeon_sp/include/soc/smmrelocate.h M src/soc/intel/xeon_sp/skx/Makefile.mk M src/soc/intel/xeon_sp/skx/include/soc/pci_devs.h D src/soc/intel/xeon_sp/skx/soc_smihandler_util.c M src/soc/intel/xeon_sp/smihandler.c M src/soc/intel/xeon_sp/smmrelocate.c M src/soc/intel/xeon_sp/spr/Makefile.mk M src/soc/intel/xeon_sp/spr/include/soc/pci_devs.h D src/soc/intel/xeon_sp/spr/soc_smihandler_util.c 20 files changed, 101 insertions(+), 67 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/80247/1
diff --git a/src/mainboard/bytedance/bd_egs/ramstage.c b/src/mainboard/bytedance/bd_egs/ramstage.c index dd19fc6..1e20bac 100644 --- a/src/mainboard/bytedance/bd_egs/ramstage.c +++ b/src/mainboard/bytedance/bd_egs/ramstage.c @@ -1,6 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <cpu/x86/smm.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h> #include <soc/gpio.h>
#include "gpio.h" @@ -23,6 +25,11 @@ gpio_configure_pads(pads, pads_num); }
+void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} + struct chip_operations mainboard_ops = { .init = mainboard_chip_init, }; diff --git a/src/mainboard/ibm/sbp1/ramstage.c b/src/mainboard/ibm/sbp1/ramstage.c index 78db8c9..d748b1b 100644 --- a/src/mainboard/ibm/sbp1/ramstage.c +++ b/src/mainboard/ibm/sbp1/ramstage.c @@ -1,6 +1,7 @@ /* SPDX-License-Identifier: GPL-2.0-only */ - +#include <cpu/x86/smm.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h>
#include "include/spr_sbp1_gpio.h" #include <bootstate.h> @@ -33,4 +34,9 @@ gpio_output(GPPC_C17, 0); }
+void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} + BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_BOOT, BS_ON_ENTRY, finalize_boot, NULL); diff --git a/src/mainboard/intel/archercity_crb/ramstage.c b/src/mainboard/intel/archercity_crb/ramstage.c index 38bf576..be3cc90 100644 --- a/src/mainboard/intel/archercity_crb/ramstage.c +++ b/src/mainboard/intel/archercity_crb/ramstage.c @@ -1,3 +1,10 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <cpu/x86/smm.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h> + +void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} diff --git a/src/mainboard/intel/cedarisland_crb/ramstage.c b/src/mainboard/intel/cedarisland_crb/ramstage.c index d2ab2a7..ba8807b 100644 --- a/src/mainboard/intel/cedarisland_crb/ramstage.c +++ b/src/mainboard/intel/cedarisland_crb/ramstage.c @@ -1,6 +1,9 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <cpu/x86/smm.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h> + #include "include/gpio.h"
void mainboard_silicon_init_params(FSPS_UPD *params) @@ -8,3 +11,8 @@ /* configure Lewisburg PCH GPIO controller after FSP-M */ gpio_configure_pads(gpio_table, ARRAY_SIZE(gpio_table)); } + +void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} diff --git a/src/mainboard/inventec/transformers/ramstage.c b/src/mainboard/inventec/transformers/ramstage.c index 4453964..bc61a90 100644 --- a/src/mainboard/inventec/transformers/ramstage.c +++ b/src/mainboard/inventec/transformers/ramstage.c @@ -1,6 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0-only */
+#include <cpu/x86/smm.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h> #include <sprsp_gpio.h> #include <intelblocks/cse.h> #include <memory_info.h> @@ -35,3 +37,8 @@ /* configure Emmitsburg PCH GPIO controller after FSP-M */ gpio_configure_pads(gpio_table, ARRAY_SIZE(gpio_table)); } + +void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} diff --git a/src/mainboard/ocp/deltalake/ramstage.c b/src/mainboard/ocp/deltalake/ramstage.c index c24d004..f846055 100644 --- a/src/mainboard/ocp/deltalake/ramstage.c +++ b/src/mainboard/ocp/deltalake/ramstage.c @@ -4,6 +4,7 @@ #include <commonlib/bsd/helpers.h> #include <console/console.h> #include <cpu/cpu.h> +#include <cpu/x86/smm.h> #include <cpxsp_dl_gpio.h> #include <device/device.h> #include <device/pci_def.h> @@ -16,6 +17,7 @@ #include <security/intel/txt/txt.h> #include <smbios.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h> #include <soc/soc_util.h> #include <soc/util.h> #include <stdio.h> @@ -335,6 +337,11 @@ .final = mainboard_final, };
+void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} + bool skip_intel_txt_lockdown(void) { static bool fetched_vpd = 0; diff --git a/src/mainboard/ocp/tiogapass/ramstage.c b/src/mainboard/ocp/tiogapass/ramstage.c index c69322b..a07edb8 100644 --- a/src/mainboard/ocp/tiogapass/ramstage.c +++ b/src/mainboard/ocp/tiogapass/ramstage.c @@ -1,8 +1,10 @@ /* SPDX-License-Identifier: GPL-2.0-or-later */
+#include <cpu/x86/smm.h> #include <drivers/ipmi/ipmi_ops.h> #include <drivers/ocp/dmi/ocp_dmi.h> #include <soc/ramstage.h> +#include <soc/smmrelocate.h>
extern struct fru_info_str fru_strings;
@@ -176,6 +178,11 @@ { }
+void smm_mainboard_pci_resource_store_init(struct smm_pci_resource_info *slots, size_t size) +{ + soc_ubox_store_resources(slots, size); +} + struct chip_operations mainboard_ops = { .enable_dev = mainboard_enable, .final = mainboard_final, diff --git a/src/soc/intel/xeon_sp/Kconfig b/src/soc/intel/xeon_sp/Kconfig index db3e5ad..18474ec 100644 --- a/src/soc/intel/xeon_sp/Kconfig +++ b/src/soc/intel/xeon_sp/Kconfig @@ -33,6 +33,7 @@ select SOC_INTEL_COMMON_BLOCK_TCO select SOC_INTEL_COMMON_PCH_SERVER select SUPPORT_CPU_UCODE_IN_CBFS + select SMM_PCI_RESOURCE_STORE select TSC_MONOTONIC_TIMER select TPM_STARTUP_IGNORE_POSTINIT if INTEL_TXT select UDELAY_TSC diff --git a/src/soc/intel/xeon_sp/cpx/Makefile.mk b/src/soc/intel/xeon_sp/cpx/Makefile.mk index 745e032..911cf66 100644 --- a/src/soc/intel/xeon_sp/cpx/Makefile.mk +++ b/src/soc/intel/xeon_sp/cpx/Makefile.mk @@ -12,7 +12,6 @@ ramstage-y += chip.c cpu.c soc_util.c soc_acpi.c ramstage-$(CONFIG_DISPLAY_HOBS) += hob_display.c ramstage-$(CONFIG_DISPLAY_UPD_DATA) += upd_display.c -smm-$(CONFIG_HAVE_SMI_HANDLER) += soc_smihandler_util.c
CPPFLAGS_common += -I$(src)/soc/intel/xeon_sp/cpx/include -I$(src)/soc/intel/xeon_sp/cpx CPPFLAGS_common += -I$(src)/vendorcode/intel/fsp/fsp2_0/cooperlake_sp diff --git a/src/soc/intel/xeon_sp/cpx/include/soc/pci_devs.h b/src/soc/intel/xeon_sp/cpx/include/soc/pci_devs.h index 55268a7..d64a0d7 100644 --- a/src/soc/intel/xeon_sp/cpx/include/soc/pci_devs.h +++ b/src/soc/intel/xeon_sp/cpx/include/soc/pci_devs.h @@ -86,13 +86,11 @@
#define UBOX_DEV 8
-#define UBOX_PMON_BUS 0 -#define UBOX_PMON_DEV 8 -#define UBOX_PMON_FUNC 1 -#define UBOX_DEV_PMON _UBOX_DEV(UBOX_PMON_FUNC) +/* Bus: B0, Device: 8, Function: 1 */ #define SMM_FEATURE_CONTROL 0x7c #define SMM_CODE_CHK_EN BIT(2) #define SMM_FEATURE_CONTROL_LOCK BIT(0) +#define UBOX_DFX_DEVID 0x2015
#define UBOX_DECS_BUS 0 @@ -183,6 +181,4 @@ #define IIO_DFX_TSWCTL0 0x30c #define IIO_DFX_LCK_CTL 0x504
-pci_devfn_t soc_get_ubox_pmon_dev(void); - #endif /* _SOC_PCI_DEVS_H_ */ diff --git a/src/soc/intel/xeon_sp/cpx/soc_smihandler_util.c b/src/soc/intel/xeon_sp/cpx/soc_smihandler_util.c deleted file mode 100644 index 6f772cc..0000000 --- a/src/soc/intel/xeon_sp/cpx/soc_smihandler_util.c +++ /dev/null @@ -1,8 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ - -#include <soc/pci_devs.h> - -pci_devfn_t soc_get_ubox_pmon_dev(void) -{ - return UBOX_DEV_PMON; -} diff --git a/src/soc/intel/xeon_sp/include/soc/smmrelocate.h b/src/soc/intel/xeon_sp/include/soc/smmrelocate.h index 314ebd4..b18d057 100644 --- a/src/soc/intel/xeon_sp/include/soc/smmrelocate.h +++ b/src/soc/intel/xeon_sp/include/soc/smmrelocate.h @@ -3,7 +3,11 @@ #ifndef _SOC_SMMRELOCATE_H_ #define _SOC_SMMRELOCATE_H_
+#include <cpu/x86/smm.h> + void get_smm_info(uintptr_t *perm_smbase, size_t *perm_smsize, size_t *smm_save_state_size);
+void soc_ubox_store_resources(struct smm_pci_resource_info *slots, size_t size); + #endif diff --git a/src/soc/intel/xeon_sp/skx/Makefile.mk b/src/soc/intel/xeon_sp/skx/Makefile.mk index 0f75eec..f7599a3 100644 --- a/src/soc/intel/xeon_sp/skx/Makefile.mk +++ b/src/soc/intel/xeon_sp/skx/Makefile.mk @@ -21,7 +21,6 @@ ramstage-$(CONFIG_DISPLAY_UPD_DATA) += upd_display.c ramstage-$(CONFIG_DISPLAY_HOBS) += hob_display.c ramstage-y += hob_display.c -smm-$(CONFIG_HAVE_SMI_HANDLER) += soc_smihandler_util.c
CPPFLAGS_common += -I$(src)/soc/intel/xeon_sp/skx/include -I$(src)/soc/intel/xeon_sp/skx
diff --git a/src/soc/intel/xeon_sp/skx/include/soc/pci_devs.h b/src/soc/intel/xeon_sp/skx/include/soc/pci_devs.h index 3d518fa..a5f2f8e 100644 --- a/src/soc/intel/xeon_sp/skx/include/soc/pci_devs.h +++ b/src/soc/intel/xeon_sp/skx/include/soc/pci_devs.h @@ -81,13 +81,11 @@
#define UBOX_DEV 8
-#define UBOX_PMON_BUS 0 -#define UBOX_PMON_DEV 8 -#define UBOX_PMON_FUNC 1 -#define UBOX_DEV_PMON _UBOX_DEV(UBOX_PMON_FUNC) +/* Bus: B0, Device: 8, Function: 1 */ #define SMM_FEATURE_CONTROL 0x7c #define SMM_CODE_CHK_EN BIT(2) #define SMM_FEATURE_CONTROL_LOCK BIT(0) +#define UBOX_DFX_DEVID 0x2015
#define UBOX_DECS_BUS 0 #define UBOX_DECS_DEV 8 @@ -164,6 +162,4 @@ #define IIO_DFX_TSWCTL0 0x30c #define IIO_DFX_LCK_CTL 0x504
-pci_devfn_t soc_get_ubox_pmon_dev(void); - #endif /* _SOC_PCI_DEVS_H_ */ diff --git a/src/soc/intel/xeon_sp/skx/soc_smihandler_util.c b/src/soc/intel/xeon_sp/skx/soc_smihandler_util.c deleted file mode 100644 index 6f772cc..0000000 --- a/src/soc/intel/xeon_sp/skx/soc_smihandler_util.c +++ /dev/null @@ -1,8 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ - -#include <soc/pci_devs.h> - -pci_devfn_t soc_get_ubox_pmon_dev(void) -{ - return UBOX_DEV_PMON; -} diff --git a/src/soc/intel/xeon_sp/smihandler.c b/src/soc/intel/xeon_sp/smihandler.c index cb8658f..4362c6a 100644 --- a/src/soc/intel/xeon_sp/smihandler.c +++ b/src/soc/intel/xeon_sp/smihandler.c @@ -5,6 +5,7 @@ #include <console/uart.h> #include <cpu/x86/smm.h> #include <device/pci.h> +#include <device/pci_ids.h> #include <drivers/uart/uart8250reg.h> #include <intelblocks/smihandler.h> #include <soc/pci_devs.h> @@ -55,18 +56,26 @@ */ void smihandler_soc_at_finalize(void) { - /* SMM_FEATURE_CONTROL can only be written within SMM. */ - printk(BIOS_DEBUG, "Lock SMM_FEATURE_CONTROL\n"); - pci_devfn_t pcie_offset = soc_get_ubox_pmon_dev(); - if (!pcie_offset) { - printk(BIOS_ERR, "UBOX PMON is not found, cannot lock SMM_FEATURE_CONTROL!\n"); - return; - } - + const volatile struct smm_pci_resource_info *res_store; + size_t res_count, found = 0; u32 val; - val = pci_s_read_config32(pcie_offset, SMM_FEATURE_CONTROL); - val |= (SMM_CODE_CHK_EN | SMM_FEATURE_CONTROL_LOCK); - pci_s_write_config32(pcie_offset, SMM_FEATURE_CONTROL, val); + + /* SMM_FEATURE_CONTROL can only be written within SMM. */ + smm_pci_get_stored_resources(&res_store, &res_count); + for (size_t i_slot = 0; i_slot < res_count; i_slot++) { + if (res_store[i_slot].vendor_id != PCI_VID_INTEL || + res_store[i_slot].device_id != UBOX_DFX_DEVID) { + continue; + } + + val = pci_s_read_config32(res_store[i_slot].pci_addr, SMM_FEATURE_CONTROL); + val |= (SMM_CODE_CHK_EN | SMM_FEATURE_CONTROL_LOCK); + pci_s_write_config32(res_store[i_slot].pci_addr, SMM_FEATURE_CONTROL, val); + found ++; + } + printk(BIOS_DEBUG, "Locked SMM_FEATURE_CONTROL on %zd sockets\n", found); + if (!found) + printk(BIOS_ERR, "Failed to lock SMM_FEATURE_CONTROL\n"); }
/* diff --git a/src/soc/intel/xeon_sp/smmrelocate.c b/src/soc/intel/xeon_sp/smmrelocate.c index f9d100a..89f35c2 100644 --- a/src/soc/intel/xeon_sp/smmrelocate.c +++ b/src/soc/intel/xeon_sp/smmrelocate.c @@ -7,9 +7,11 @@ #include <cpu/intel/em64t101_save_state.h> #include <cpu/intel/smm_reloc.h> #include <console/console.h> +#include <device/pci_ids.h> #include <smp/node.h> #include <soc/msr.h> #include <soc/smmrelocate.h> +#include <soc/pci_devs.h>
static void fill_in_relocation_params(struct smm_relocation_params *params) { @@ -137,3 +139,21 @@ if (mtrr_cap.lo & SMRR_SUPPORTED) write_smrr(relo_params); } + +void soc_ubox_store_resources(struct smm_pci_resource_info *slots, size_t size) +{ + struct device *devices[CONFIG_MAX_SOCKET] = {0}; + size_t devices_count = 0; + struct device *dev = NULL; + + /* + * Collect all UBOX DFX devices. Depending on the actual socket count + * the bus numbers changed and the PCI segment group might be different. + * Pass all devices to SMM for platform lockdown. + */ + while ((dev = dev_find_device(PCI_VID_INTEL, UBOX_DFX_DEVID, dev))) { + devices[devices_count++] = dev; + } + + smm_pci_resource_store_fill_resources(slots, size, (const struct device **)devices, devices_count); +} diff --git a/src/soc/intel/xeon_sp/spr/Makefile.mk b/src/soc/intel/xeon_sp/spr/Makefile.mk index 7a0d958..659e366 100644 --- a/src/soc/intel/xeon_sp/spr/Makefile.mk +++ b/src/soc/intel/xeon_sp/spr/Makefile.mk @@ -16,7 +16,6 @@ ramstage-y += crashlog.c ioat.c ramstage-$(CONFIG_DISPLAY_HOBS) += hob_display.c ramstage-$(CONFIG_DISPLAY_UPD_DATA) += upd_display.c -smm-$(CONFIG_HAVE_SMI_HANDLER) += soc_smihandler_util.c CPPFLAGS_common += -I$(src)/soc/intel/xeon_sp/spr/include -I$(src)/soc/intel/xeon_sp/spr
endif ## CONFIG_SOC_INTEL_SAPPHIRERAPIDS_SP diff --git a/src/soc/intel/xeon_sp/spr/include/soc/pci_devs.h b/src/soc/intel/xeon_sp/spr/include/soc/pci_devs.h index 06ec16c..9bbe540 100644 --- a/src/soc/intel/xeon_sp/spr/include/soc/pci_devs.h +++ b/src/soc/intel/xeon_sp/spr/include/soc/pci_devs.h @@ -20,12 +20,11 @@ #define UNCORE_BUS_0 0 #define UNCORE_BUS_1 1
-/* UBOX Registers [B:30, D:0, F:1] */ -#define UBOX_DECS_DEV 0 -#define UBOX_URACU_FUNC 1 +/* UBOX Registers [U(1), D:0, F:1] */ #define SMM_FEATURE_CONTROL 0x8c #define SMM_CODE_CHK_EN BIT(2) #define SMM_FEATURE_CONTROL_LOCK BIT(0) +#define UBOX_DFX_DEVID 0x3251
/* CHA registers [B:31, D:29, F:0/F:1] * SAD is the previous xeon_sp register name. Keep defines for shared code. @@ -188,6 +187,4 @@ #define BIOS_CRASHLOG_CTL 0x158 #define CRASHLOG_CTL_DIS BIT(2)
-pci_devfn_t soc_get_ubox_pmon_dev(void); - #endif /* _SOC_PCI_DEVS_H_ */ diff --git a/src/soc/intel/xeon_sp/spr/soc_smihandler_util.c b/src/soc/intel/xeon_sp/spr/soc_smihandler_util.c deleted file mode 100644 index b2700d5..0000000 --- a/src/soc/intel/xeon_sp/spr/soc_smihandler_util.c +++ /dev/null @@ -1,19 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ - -#include <cpu/x86/msr.h> -#include <device/pci.h> -#include <soc/msr.h> -#include <soc/pci_devs.h> - -pci_devfn_t soc_get_ubox_pmon_dev(void) -{ - msr_t msr = rdmsr(MSR_CPU_BUSNO); - u16 bus; - - if (msr.hi & BUSNO_VALID) - bus = msr.lo & 0xff; - else - return 0; - - return PCI_DEV(bus, UBOX_DECS_DEV, UBOX_URACU_FUNC); -}