Change in coreboot[master]: soc/intel/common/cse: Add function to perform CSE lock configuration - coreboot-gerrit

31 Jan 2022

Attention is currently required from: Patrick Rudolph.
Subrata Banik has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/61520 )
Change subject: soc/intel/common/cse: Add function to perform CSE lock configuration
......................................................................
soc/intel/common/cse: Add function to perform CSE lock configuration
This patch implements `cse_lock_config()` to perform the required CSE
lock configuration as per ME BWG (doc: 627331).
BUG=b:211954778
TEST=Able to build and boot Brya.
Signed-off-by: Subrata Banik subratabanik@google.com
Change-Id: I3894b2cd8b90dc033f475384486815ab2fadf381
---
M src/soc/intel/common/block/cse/cse.c
M src/soc/intel/common/block/include/intelblocks/cse.h
2 files changed, 23 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/20/61520/1

diff --git a/src/soc/intel/common/block/cse/cse.c b/src/soc/intel/common/block/cse/cse.c
index dd9c7c1..612cd90 100644
--- a/src/soc/intel/common/block/cse/cse.c
+++ b/src/soc/intel/common/block/cse/cse.c
@@ -11,6 +11,7 @@
 #include <device/pci_ids.h>
 #include <device/pci_ops.h>
 #include <intelblocks/cse.h>
+#include <intelblocks/pmclib.h>
 #include <option.h>
 #include <security/vboot/misc.h>
 #include <security/vboot/vboot_common.h>
@@ -1002,6 +1003,25 @@
    set_cse_device_state(PCH_DEVFN_CSE, DEV_IDLE);
 }
+void cse_lock_config(void)
+{
+	/*
+	 * As per ME BWG recommendation the BIOS should not lock down CF9GR bit during
+	 * manufacturing and re-manufacturing environment if HFSTS1 [4] is set.
+	 */
+	if ((cse_is_hfs1_com_normal() || cse_is_hfs1_com_soft_temp_disable()) &&
+			cse_is_hfs1_spi_protected()) {
+		/*
+		 * Make sure payload/OS can't trigger global reset.
+		 * BIOS must also ensure that CF9GR is cleared and locked (Bit31 of ETR3)
+		 * prior to transferring control to the OS.
+		 */
+		pmc_global_reset_disable_and_lock();
+	} else {
+		pmc_global_reset_enable(false);
+	}
+}
+
 #if ENV_RAMSTAGE
/*
diff --git a/src/soc/intel/common/block/include/intelblocks/cse.h b/src/soc/intel/common/block/include/intelblocks/cse.h
index d73bf38..eebdaed 100644
--- a/src/soc/intel/common/block/include/intelblocks/cse.h
+++ b/src/soc/intel/common/block/include/intelblocks/cse.h
@@ -495,6 +495,9 @@
 /* Send End of Post (EOP) command to CSE device */
 void send_end_of_post_to_cse(void);
+/* Function performs the lock configuration for CSE device */
+void cse_lock_config(void);
+
 /*
  * SoC override API to make heci1 disable using PCR.
  *
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/61520
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I3894b2cd8b90dc033f475384486815ab2fadf381
Gerrit-Change-Number: 61520
Gerrit-PatchSet: 1
Gerrit-Owner: Subrata Banik subratabanik@google.com
Gerrit-Reviewer: Patrick Rudolph siro@das-labor.org
Gerrit-Attention: Patrick Rudolph siro@das-labor.org
Gerrit-MessageType: newchange



    