diff --git a/configs/config.protectli_vp46xx b/configs/config.protectli_vp46xx
index 226013e600a..f762525fc3a 100644
--- a/configs/config.protectli_vp46xx
+++ b/configs/config.protectli_vp46xx
@@ -8,6 +8,7 @@ CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/$(MAINBOARDDIR)/me.bin"
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x100000
 CONFIG_EDK2_BOOT_TIMEOUT=6
 CONFIG_USE_LEGACY_8254_TIMER=y
+CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_ENABLE=y
 CONFIG_HAVE_IFD_BIN=y
 CONFIG_BOARD_PROTECTLI_VP46XX=y
 CONFIG_EDK2_BOOTSPLASH_FILE="$(top)/3rdparty/dasharo-blobs/protectli/bootsplash.bmp"
@@ -43,6 +44,7 @@ CONFIG_EDK2_FOLLOW_BGRT_SPEC=y
 CONFIG_EDK2_SERIAL_SUPPORT=y
 CONFIG_EDK2_CUSTOM_BUILD_PARAMS=""
 CONFIG_BUILD_IPXE=y
+# CONFIG_IPXE_SERIAL_CONSOLE is not set
 CONFIG_IPXE_ADD_SCRIPT=y
 CONFIG_IPXE_SCRIPT="3rdparty/dasharo-blobs/dasharo/protectli.ipxe"
 CONFIG_IPXE_CUSTOM_BUILD_ID="0123456789"
diff --git a/src/soc/intel/cannonlake/Kconfig b/src/soc/intel/cannonlake/Kconfig
index 398dd3ffd00..953eeb0ea71 100644
--- a/src/soc/intel/cannonlake/Kconfig
+++ b/src/soc/intel/cannonlake/Kconfig
@@ -56,6 +56,8 @@ config SOC_INTEL_CANNONLAKE_BASE
 	select SOC_INTEL_COMMON_BLOCK_POWER_LIMIT
 	select SOC_INTEL_COMMON_BLOCK_SA
 	select SOC_INTEL_COMMON_BLOCK_SCS
+	select SOC_INTEL_COMMON_BLOCK_SGX
+	select SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY
 	select SOC_INTEL_COMMON_BLOCK_SMM
 	select SOC_INTEL_COMMON_BLOCK_SMM_IO_TRAP
 	select SOC_INTEL_COMMON_BLOCK_THERMAL_PCI_DEV
diff --git a/src/soc/intel/cannonlake/acpi/southbridge.asl b/src/soc/intel/cannonlake/acpi/southbridge.asl
index 20d4bfd897c..b8f9e34957f 100644
--- a/src/soc/intel/cannonlake/acpi/southbridge.asl
+++ b/src/soc/intel/cannonlake/acpi/southbridge.asl
@@ -39,3 +39,6 @@
 
 /* GbE 0:1f.6 */
 #include
+
+/* SGX */
+#include
diff --git a/src/soc/intel/cannonlake/cpu.c b/src/soc/intel/cannonlake/cpu.c
index f054a9fdf9a..d0f9e66f9da 100644
--- a/src/soc/intel/cannonlake/cpu.c
+++ b/src/soc/intel/cannonlake/cpu.c
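Review bot: The `# CONFIG_IPXE_SERIAL_CONSOLE is not set` line added in the second hunk has nothing to do with SGX enablement and should go in its own commit, or at least be justified in the commit message; bundled here, a revert or bisect of the SGX change also flips iPXE's console behaviour. The only change that belongs in this file for this feature is `CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_ENABLE=y` in the first hunk.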
@@ -8,6 +8,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -120,6 +121,10 @@ void soc_core_init(struct device *cpu)
 {
 	config_t *cfg = config_of_soc();
 
+	/* Configure Core PRMRR for SGX. */
+	if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_ENABLE))
+		prmrr_core_configure();
+
 	/* Clear out pending MCEs */
 	/* TODO(adurbin): This should only be done on a cold boot. Also, some
 	 * of these banks are core vs package scope. For now every CPU clears
@@ -148,10 +153,6 @@ void soc_core_init(struct device *cpu)
 		disable_turbo();
 	else
 		enable_turbo();
-
-	/* Enable Vmx */
-	set_feature_ctrl_vmx_arg(CONFIG(ENABLE_VMX) && !cfg->disable_vmx);
-	set_feature_ctrl_lock();
 }
 
 static void per_cpu_smm_trigger(void)
@@ -160,6 +161,18 @@ static void per_cpu_smm_trigger(void)
 	smm_relocate();
 }
 
+static void vmx_configure(void *unused)
+{
+	config_t *cfg = config_of_soc();
+	/* Enable Vmx */
+	set_feature_ctrl_vmx_arg(CONFIG(ENABLE_VMX) && !cfg->disable_vmx);
+}
+
+static void fc_lock_configure(void *unused)
+{
+	set_feature_ctrl_lock();
+}
+
 void smm_lock(void)
 {
 	/*
@@ -174,6 +187,8 @@ void smm_lock(void)
 
 static void post_mp_init(void)
 {
+	bool failure = false;
+
 	/* Set Max Ratio */
 	cpu_set_max_ratio();
 
@@ -185,6 +200,19 @@ static void post_mp_init(void)
 
 	/* Lock down the SMRAM space. */
 	smm_lock();
+
+	if (mp_run_on_all_cpus(vmx_configure, NULL) != CB_SUCCESS)
+		failure = true;
+
+	if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_ENABLE))
+		if (mp_run_on_all_cpus(sgx_configure, NULL) != CB_SUCCESS)
+			failure = true;
+
+	if (mp_run_on_all_cpus(fc_lock_configure, NULL) != CB_SUCCESS)
+		failure = true;
+
+	if (failure)
+		printk(BIOS_CRIT, "CRITICAL ERROR: MP post init failed\n");
 }
 
 static const struct mp_ops mp_ops = {
diff --git a/src/soc/intel/cannonlake/fsp_params.c b/src/soc/intel/cannonlake/fsp_params.c
index 9e142bbc025..3a1d289d1ce 100644
--- a/src/soc/intel/cannonlake/fsp_params.c
+++ b/src/soc/intel/cannonlake/fsp_params.c
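Review bot: `fc_lock_configure` has no comment recording that it must be the last feature-control write: `set_feature_ctrl_lock()` presumably sets the IA32_FEATURE_CONTROL lock bit, after which the register is read-only until reset, so any VMX/SGX enable bit not already set by `vmx_configure`/`sgx_configure` stays clear for the whole OS session. Add above it `/* MP callback; must run after vmx_configure()/sgx_configure(): once locked, IA32_FEATURE_CONTROL is read-only until the next reset. */` and a matching `/* MP callback: enables VMX per devicetree on the calling CPU. */` on `vmx_configure`, which also explains the otherwise unused `void *unused` parameter. Both helpers are invoked from `post_mp_init`, which is changed in a later hunk of this file.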
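Review bot: If `mp_run_on_all_cpus(fc_lock_configure, NULL)` fails, the code only sets `failure`, prints a `BIOS_CRIT` line and continues booting, so any CPU that did not run the callback is handed to the OS with IA32_FEATURE_CONTROL unlocked, where ring 0 can later change the VMX/SGX enable bits the firmware chose; a partial `sgx_configure` run has the same shape. Before this change the lock was taken in `soc_core_init`, which the MP init runs on every core by construction, so this is a new way for the lock to be skipped while the boot still looks successful. Consider making the lock step fatal, e.g. replacing its `failure = true;` with `die("IA32_FEATURE_CONTROL lock failed on some CPU\n");`, or document next to the `if (failure)` block why continuing is acceptable. `post_mp_init` begins before this hunk.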
@@ -3,6 +3,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -334,6 +335,8 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 	FSP_S_CONFIG *params = &supd->FspsConfig;
 	FSP_S_TEST_CONFIG *tconfig = &supd->FspsTestConfig;
 	struct device *dev;
+	const struct microcode *microcode_file;
+	size_t microcode_len;
 
 	config_t *config = config_of_soc();
 
@@ -695,6 +698,23 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 
 	params->PavpEnable = CONFIG(PAVP);
 
+	if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_ENABLE)) {
+		/* Locate microcode and pass to FSP-S for 2nd microcode loading to properly enable SGX */
+		microcode_file = intel_microcode_find();
+
+		if (microcode_file != NULL) {
+			microcode_len = get_microcode_size(microcode_file);
+			if (microcode_len != 0) {
+				/* Update CPU Microcode patch base address/size */
+				params->MicrocodeRegionBase = (uint32_t)(uintptr_t)microcode_file;
+				params->MicrocodeRegionSize = (uint32_t)microcode_len;
+			}
+		}
+
+		params->SgxEpoch0 = 0x636f7265626f6f74UL; /* 'coreboot' in hex */
+		params->SgxEpoch1 = 0x636f7265626f6f74UL; /* 'coreboot' in hex */
+	}
+
 	/*
 	 * Prevent FSP from programming write-once subsystem IDs by providing
 	 * a custom SSID table. Must have at least one entry for the FSP to
diff --git a/src/soc/intel/cannonlake/romstage/fsp_params.c b/src/soc/intel/cannonlake/romstage/fsp_params.c
index 737e7c399d1..c44d86903db 100644
--- a/src/soc/intel/cannonlake/romstage/fsp_params.c
+++ b/src/soc/intel/cannonlake/romstage/fsp_params.c
@@ -58,6 +58,7 @@ void platform_fsp_memory_init_params_cb(FSPM_UPD *mupd, uint32_t version)
 	}
 	m_cfg->PcieRpEnableMask = mask;
 	m_cfg->PrmrrSize = get_valid_prmrr_size();
+	m_cfg->EnableSgx = CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_ENABLE);
 	m_cfg->EnableC6Dram = config->enable_c6dram;
 #if CONFIG(SOC_INTEL_COMETLAKE)
 	m_cfg->SerialIoUartDebugControllerNumber = CONFIG_UART_FOR_CONSOLE;
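Review bot: `SgxEpoch0`/`SgxEpoch1` are set to the same public constant on every board built from this tree; the SGX owner epoch is one of the inputs to enclave seal-key derivation and is meant to be a per-platform value kept stable across boots, so a fixed, well-known epoch gives up the owner-controlled component of sealed-data binding (the CPU's fused key still protects the data, but it can no longer be differentiated or invalidated per platform). At least document the trade-off next to the assignments, e.g. `/* Fixed, non-secret owner epoch shared by all boards; changing it invalidates all previously sealed enclave data. */`, and consider a per-platform persisted value. Separately, when `intel_microcode_find()` returns NULL or `get_microcode_size()` returns 0 the block falls through and still requests SGX enablement with no microcode region and no log line; add `printk(BIOS_ERR, "SGX: microcode not found, skipping 2nd microcode load for FSP-S\n");` in an `else` path so the failure mode is visible. `platform_fsp_silicon_init_params_cb` begins and ends outside this hunk.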