[coreboot-gerrit] Change in coreboot[master]: soc/intel: Limit xDCI feature when VBOOT is enabled

Duncan Laurie (Code Review) gerrit at coreboot.org
Sun Mar 25 06:14:56 CEST 2018 

Duncan Laurie has uploaded this change for review. ( https://review.coreboot.org/25347


Change subject: soc/intel: Limit xDCI feature when VBOOT is enabled
......................................................................

soc/intel: Limit xDCI feature when VBOOT is enabled

When CONFIG_VBOOT is enabled then the xDCI controller should only be
enabled if the system is in developer mode.  This prevents a system
in normal/verified mode from being used as a USB peripheral device
which could potentially be used to access user data.

Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b
Signed-off-by: Duncan Laurie <dlaurie at chromium.org>
---
M src/soc/intel/apollolake/chip.c
M src/soc/intel/apollolake/xdci.c
M src/soc/intel/cannonlake/Kconfig
M src/soc/intel/cannonlake/chip.c
M src/soc/intel/common/block/include/intelblocks/xdci.h
M src/soc/intel/common/block/xdci/xdci.c
M src/soc/intel/skylake/Kconfig
M src/soc/intel/skylake/chip_fsp20.c
8 files changed, 23 insertions(+), 3 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/25347/1

diff --git a/src/soc/intel/apollolake/chip.c b/src/soc/intel/apollolake/chip.c
index cac2f11..d93985e 100644
--- a/src/soc/intel/apollolake/chip.c
+++ b/src/soc/intel/apollolake/chip.c
@@ -30,6 +30,7 @@
 #include <intelblocks/fast_spi.h>
 #include <intelblocks/p2sb.h>
 #include <intelblocks/msr.h>
+#include <intelblocks/xdci.h>
 #include <fsp/api.h>
 #include <fsp/util.h>
 #include <intelblocks/cpulib.h>
@@ -585,6 +586,10 @@
 		glk_fsp_silicon_init_params_cb(cfg, silconfig);
 	else
 		apl_fsp_silicon_init_params_cb(cfg, silconfig);
+
+	/* Disable xDCI device if it should not be enabled */
+	dev = dev_find_slot(0, PCH_DEVFN_XDCI);
+	silconfig->UsbOtg = xdci_can_enable() ? dev->enabled : 0;
 }
 
 struct chip_operations soc_intel_apollolake_ops = {
diff --git a/src/soc/intel/apollolake/xdci.c b/src/soc/intel/apollolake/xdci.c
index 4c3047c..07207b3 100644
--- a/src/soc/intel/apollolake/xdci.c
+++ b/src/soc/intel/apollolake/xdci.c
@@ -54,7 +54,7 @@
 	 * enabled. If it's disabled assume the switch was already done
 	 * in FSP.
 	 */
-	if (!dev->enabled || !xdci_dev->enabled)
+	if (!dev->enabled || !xdci_dev->enabled || !xdci_can_enable())
 		return;
 
 	printk(BIOS_INFO, "Putting port 0 into host mode.\n");
diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig
index dab6622..fc73210 100644
--- a/src/soc/intel/cannonlake/Kconfig
+++ b/src/soc/intel/cannonlake/Kconfig
@@ -70,6 +70,7 @@
 	select SOC_INTEL_COMMON_BLOCK_SPI
 	select SOC_INTEL_COMMON_BLOCK_TIMER
 	select SOC_INTEL_COMMON_BLOCK_UART
+	select SOC_INTEL_COMMON_BLOCK_XDCI
 	select SOC_INTEL_COMMON_NHLT
 	select SOC_INTEL_COMMON_RESET
 	select SSE2
diff --git a/src/soc/intel/cannonlake/chip.c b/src/soc/intel/cannonlake/chip.c
index b2689b0..c64de71 100644
--- a/src/soc/intel/cannonlake/chip.c
+++ b/src/soc/intel/cannonlake/chip.c
@@ -19,6 +19,7 @@
 #include <device/pci.h>
 #include <fsp/api.h>
 #include <fsp/util.h>
+#include <intelblocks/xdci.h>
 #include <romstage_handoff.h>
 #include <soc/intel/common/vbt.h>
 #include <soc/pci_devs.h>
@@ -262,7 +263,7 @@
 		}
 	}
 
-	params->XdciEnable = config->XdciEnable;
+	params->XdciEnable = xdci_can_enable() ? config->XdciEnable : 0;
 
 	/* PCI Express */
 	for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
diff --git a/src/soc/intel/common/block/include/intelblocks/xdci.h b/src/soc/intel/common/block/include/intelblocks/xdci.h
index fa25513..1158056 100644
--- a/src/soc/intel/common/block/include/intelblocks/xdci.h
+++ b/src/soc/intel/common/block/include/intelblocks/xdci.h
@@ -17,5 +17,6 @@
 #define SOC_INTEL_COMMON_BLOCK_XDCI_H
 
 void soc_xdci_init(struct device *dev);
+int xdci_can_enable(void);
 
 #endif	/* SOC_INTEL_COMMON_BLOCK_XDCI_H */
diff --git a/src/soc/intel/common/block/xdci/xdci.c b/src/soc/intel/common/block/xdci/xdci.c
index 10e6f0d..07093df 100644
--- a/src/soc/intel/common/block/xdci/xdci.c
+++ b/src/soc/intel/common/block/xdci/xdci.c
@@ -19,9 +19,19 @@
 #include <device/pci.h>
 #include <device/pci_ids.h>
 #include <intelblocks/xdci.h>
+#include <security/vboot/vboot_common.h>
 
 __attribute__((weak)) void soc_xdci_init(struct device *dev) { /* no-op */ }
 
+/* Only allow xDCI controller in developer mode if VBOOT is enabled */
+int xdci_can_enable(void)
+{
+	if (IS_ENABLED(CONFIG_VBOOT))
+		return vboot_developer_mode_enabled() ?  1 : 0;
+	else
+		return 1;
+}
+
 static struct device_operations usb_xdci_ops = {
 	.read_resources		= &pci_dev_read_resources,
 	.set_resources		= &pci_dev_set_resources,
diff --git a/src/soc/intel/skylake/Kconfig b/src/soc/intel/skylake/Kconfig
index aac4a8f..f3719a5 100644
--- a/src/soc/intel/skylake/Kconfig
+++ b/src/soc/intel/skylake/Kconfig
@@ -84,6 +84,7 @@
 	select SOC_INTEL_COMMON_BLOCK_SPI
 	select SOC_INTEL_COMMON_BLOCK_TIMER
 	select SOC_INTEL_COMMON_BLOCK_UART
+	select SOC_INTEL_COMMON_BLOCK_XDCI
 	select SOC_INTEL_COMMON_BLOCK_XHCI
 	select SOC_INTEL_COMMON_GFX_OPREGION
 	select SOC_INTEL_COMMON_NHLT
diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c
index 3bc66b2..3b1407b 100644
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@@ -26,6 +26,7 @@
 #include <device/pci.h>
 #include <fsp/api.h>
 #include <fsp/util.h>
+#include <intelblocks/xdci.h>
 #include <romstage_handoff.h>
 #include <soc/acpi.h>
 #include <soc/intel/common/vbt.h>
@@ -221,7 +222,7 @@
 	params->PchHdaEnable = config->EnableAzalia;
 	params->PchHdaIoBufferOwnership = config->IoBufferOwnership;
 	params->PchHdaDspEnable = config->DspEnable;
-	params->XdciEnable = config->XdciEnable;
+	params->XdciEnable = xdci_can_enable() ? config->XdciEnable : 0;
 	params->Device4Enable = config->Device4Enable;
 	params->SataEnable = config->EnableSata;
 	params->SataMode = config->SataMode;

-- 
To view, visit https://review.coreboot.org/25347
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie3ee9dd7077c094a01fd857a2e4033a12ce8979b
Gerrit-Change-Number: 25347
Gerrit-PatchSet: 1
Gerrit-Owner: Duncan Laurie <dlaurie at chromium.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180325/98ac5121/attachment.html>

More information about the coreboot-gerrit mailing list