summaryrefslogtreecommitdiff
path: root/src/soc/intel/common
diff options
context:
space:
mode:
authorMichael Niewöhner <foss@mniewoehner.de>2019-10-22 23:05:06 +0200
committerNico Huber <nico.h@gmx.de>2019-11-04 19:25:02 +0000
commit7736bfc443a913a9cde46406bcfc38015ec71f47 (patch)
tree5b107551301bbaadc538b0c2ac7c52125462beb3 /src/soc/intel/common
parente75a64f822931a5fbdd80f20c4d168a5c346e01a (diff)
downloadcoreboot-7736bfc443a913a9cde46406bcfc38015ec71f47.tar.xz
soc/intel/sgx: convert SGX and PRMRR devicetree options to Kconfig
The devicetree is not made for user-choosable options, thus introduce Kconfig options for both SGX and the corresponding PRMRR size. The PRMRR size Kconfig has been implemented as a maximum value. At runtime the final PRMRR size gets selected by checking the supported values in MSR_PRMRR_VALID_CONFIG and trying to select the value nearest to the chosen one. When "Maximum" is chosen, the highest possibly value from the MSR gets used. When a too strict limit is set, coreboot will die, printing an error message. Tested successfully on X11SSM-F Change-Id: I5f08e85898304bba6680075ca5d6bce26aef9a4d Signed-off-by: Michael Niewöhner <foss@mniewoehner.de> Reviewed-on: https://review.coreboot.org/c/coreboot/+/35799 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Nico Huber <nico.h@gmx.de>
Diffstat (limited to 'src/soc/intel/common')
-rw-r--r--src/soc/intel/common/block/cpu/Makefile.inc1
-rw-r--r--src/soc/intel/common/block/cpu/cpulib.c41
-rw-r--r--src/soc/intel/common/block/include/intelblocks/cpulib.h4
-rw-r--r--src/soc/intel/common/block/include/intelblocks/msr.h1
-rw-r--r--src/soc/intel/common/block/sgx/Kconfig62
-rw-r--r--src/soc/intel/common/block/sgx/sgx.c2
6 files changed, 107 insertions, 4 deletions
diff --git a/src/soc/intel/common/block/cpu/Makefile.inc b/src/soc/intel/common/block/cpu/Makefile.inc
index a6c4f37cc4..f263053430 100644
--- a/src/soc/intel/common/block/cpu/Makefile.inc
+++ b/src/soc/intel/common/block/cpu/Makefile.inc
@@ -7,6 +7,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CAR) += car/exit_car.S
romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c
postcar-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CAR) += car/exit_car.S
+postcar-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c
postcar-$(CONFIG_FSP_CAR) += car/exit_car_fsp.S
ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_CPU) += cpulib.c
diff --git a/src/soc/intel/common/block/cpu/cpulib.c b/src/soc/intel/common/block/cpu/cpulib.c
index 71e4dbf01b..89732f145a 100644
--- a/src/soc/intel/common/block/cpu/cpulib.c
+++ b/src/soc/intel/common/block/cpu/cpulib.c
@@ -325,3 +325,44 @@ void cpu_lt_lock_memory(void *unused)
{
msr_set_bit(MSR_LT_CONTROL, LT_CONTROL_LOCK_BIT);
}
+
+int get_prmrr_size(void)
+{
+ msr_t msr;
+ int i;
+ int valid_size;
+
+ if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED)) {
+ printk(BIOS_DEBUG, "PRMRR disabled by config.\n");
+ return 0;
+ }
+
+ msr = rdmsr(MSR_PRMRR_VALID_CONFIG);
+ if (!msr.lo) {
+ printk(BIOS_WARNING, "PRMRR not supported.\n");
+ return 0;
+ }
+
+ printk(BIOS_DEBUG, "MSR_PRMRR_VALID_CONFIG = 0x%08x\n", msr.lo);
+
+ /* find the first (greatest) value that is lower than or equal to the selected size */
+ for (i = 8; i >= 0; i--) {
+ valid_size = msr.lo & (1 << i);
+
+ if (valid_size && valid_size <= CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE)
+ break;
+ else if (i == 0)
+ valid_size = 0;
+ }
+
+ /* die if we could not find a valid size within the limit */
+ if (!valid_size)
+ die("Unsupported PRMRR size limit %i MiB, check your config!\n",
+ CONFIG_SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE);
+
+ printk(BIOS_DEBUG, "PRMRR size set to %i MiB\n", valid_size);
+
+ valid_size *= MiB;
+
+ return valid_size;
+}
diff --git a/src/soc/intel/common/block/include/intelblocks/cpulib.h b/src/soc/intel/common/block/include/intelblocks/cpulib.h
index 1aa88e156d..a422094b26 100644
--- a/src/soc/intel/common/block/include/intelblocks/cpulib.h
+++ b/src/soc/intel/common/block/include/intelblocks/cpulib.h
@@ -18,6 +18,7 @@
#define SOC_INTEL_COMMON_BLOCK_CPULIB_H
#include <stdint.h>
+#include <stddef.h>
/*
* Set PERF_CTL MSR (0x199) P_Req with
@@ -164,4 +165,7 @@ void mca_configure(void);
/* Lock chipset memory registers to protect SMM */
void cpu_lt_lock_memory(void *unused);
+/* Get the a supported PRMRR size in bytes with respect users choice */
+int get_prmrr_size(void);
+
#endif /* SOC_INTEL_COMMON_BLOCK_CPULIB_H */
diff --git a/src/soc/intel/common/block/include/intelblocks/msr.h b/src/soc/intel/common/block/include/intelblocks/msr.h
index 3e67fd779d..8902d0992f 100644
--- a/src/soc/intel/common/block/include/intelblocks/msr.h
+++ b/src/soc/intel/common/block/include/intelblocks/msr.h
@@ -64,6 +64,7 @@
#define MSR_PRMRR_PHYS_MASK 0x1f5
#define PRMRR_PHYS_MASK_LOCK (1 << 10)
#define PRMRR_PHYS_MASK_VALID (1 << 11)
+#define MSR_PRMRR_VALID_CONFIG 0x1fb
#define MSR_POWER_CTL 0x1fc
#define POWER_CTL_C1E_MASK (1 << 1)
#define MSR_EVICT_CTL 0x2e0
diff --git a/src/soc/intel/common/block/sgx/Kconfig b/src/soc/intel/common/block/sgx/Kconfig
index 026c6afb0d..6e8323f333 100644
--- a/src/soc/intel/common/block/sgx/Kconfig
+++ b/src/soc/intel/common/block/sgx/Kconfig
@@ -4,9 +4,7 @@ config SOC_INTEL_COMMON_BLOCK_SGX
select CPU_INTEL_COMMON_HYPERTHREADING
default n
help
- Software Guard eXtension(SGX) Feature. Intel SGX is a set of new CPU
- instructions that can be used by applications to set aside private
- regions of code and data.
+ Intel Processor common SGX support
config SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY
bool
@@ -14,3 +12,61 @@ config SOC_INTEL_COMMON_BLOCK_SGX_LOCK_MEMORY
default n
help
Lock memory before SGX activation. This is only needed if MCHECK does not do it.
+
+config SOC_INTEL_COMMON_BLOCK_SGX_ENABLE
+ bool "Enable Software Guard Extensions (SGX) if available"
+ depends on SOC_INTEL_COMMON_BLOCK_SGX
+ default n
+ help
+ Intel Software Guard Extensions (SGX) is a set of new CPU instructions that can be
+ used by applications to set aside private regions (so-called Secure Enclaves) of
+ code and data.
+
+ SGX will only be enabled when supported by the CPU!
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE
+ int
+ default 256 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX
+ default 256 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_256MB
+ default 128 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_128MB
+ default 64 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_64MB
+ default 32 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_32MB
+ default 1 if SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_1MB
+
+choice
+ prompt "PRMRR size"
+ default SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX if SOC_INTEL_COMMON_BLOCK_SGX_ENABLE
+ default SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED if !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE
+ help
+ PRMRR (Protected Memory Range) is the space in RAM that is used to provide a protected
+ memory area (e.g. for the Intel SGX Secure Enclaves). The memory region is accessible
+ only by the processor itself to protect the data from unauthorized access.
+
+ This option selects the maximum size that gets reserved. Depending on the SoC a lower,
+ compatible value may be chosen at runtime as not all values are supported on all
+ families.
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_MAX
+ bool "Maximum"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_256MB
+ bool "256 MiB"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_128MB
+ bool "128 MiB"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_64MB
+ bool "64 MiB"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_32MB
+ bool "32 MiB"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_SIZE_1MB
+ depends on !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE # SGX depends on PRMRR >= 32 MiB
+ bool "1 MiB"
+
+config SOC_INTEL_COMMON_BLOCK_SGX_PRMRR_DISABLED
+ depends on !SOC_INTEL_COMMON_BLOCK_SGX_ENABLE # SGX depends on PRMRR >= 32 MiB
+ bool "Disabled"
+
+endchoice
diff --git a/src/soc/intel/common/block/sgx/sgx.c b/src/soc/intel/common/block/sgx/sgx.c
index 842eb43994..6f0cfd8f0e 100644
--- a/src/soc/intel/common/block/sgx/sgx.c
+++ b/src/soc/intel/common/block/sgx/sgx.c
@@ -206,7 +206,7 @@ void sgx_configure(void *unused)
{
if (!is_sgx_supported() || !is_prmrr_set()) {
- printk(BIOS_ERR, "SGX: pre-conditions not met\n");
+ printk(BIOS_ERR, "SGX: not supported or pre-conditions not met\n");
return;
}