soc/amd/mendocino: Add svc_set_fw_hash_table

Add new PSP svc call to pass psp firmware hash table to the PSP.
psp_verstage will verify hash table and then pass them to the PSP.
The PSP will check if signed firmware contents match these hashes.
This will prevent anyone replacing signed firmware in the RW region.

BUG=b:203597980
TEST=Build and boot to OS in Skyrim.

Change-Id: I512d359967eae925098973e90250111d6f59dd39
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/67259
Reviewed-by: Robert Zieba <robertzieba@google.com>
Reviewed-by: Matt DeVillier <matt.devillier@amd.corp-partner.google.com>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

2 files changed, 14 insertions, 0 deletions

diff --git a/src/soc/amd/mendocino/psp_verstage/svc.c b/src/soc/amd/mendocino/psp_verstage/svc.c
index ad52b6f39473..99fcc5769e29 100644
--- a/src/soc/amd/mendocino/psp_verstage/svc.c
+++ b/src/soc/amd/mendocino/psp_verstage/svc.c
@@ -204,3 +204,13 @@ uint32_t svc_set_platform_boot_mode(enum chrome_platform_boot_mode boot_mode)
 	SVC_CALL2(SVC_VERSTAGE_CMD, CMD_SET_PLATFORM_BOOT_MODE, (void *)&param, retval);
 	return retval;
 }
+
+uint32_t svc_set_fw_hash_table(struct psp_fw_hash_table *hash_table)
+{
+	uint32_t retval = 0;
+	struct cmd_param_set_fw_hash_table param = {
+		.ptr_psp_fw_hash_table = hash_table,
+	};
+	SVC_CALL2(SVC_VERSTAGE_CMD, CMD_SET_FW_HASH_TABLE, (void *)&param, retval);
+	return retval;
+}
diff --git a/src/soc/amd/mendocino/psp_verstage/svc.h b/src/soc/amd/mendocino/psp_verstage/svc.h
index 941fa763a88e..354d89a2aa7b 100644
--- a/src/soc/amd/mendocino/psp_verstage/svc.h
+++ b/src/soc/amd/mendocino/psp_verstage/svc.h
@@ -141,4 +141,8 @@ struct cmd_param_set_platform_boot_mode {
 	uint32_t boot_mode;
 };
 
+struct cmd_param_set_fw_hash_table {
+	struct psp_fw_hash_table *ptr_psp_fw_hash_table;
+};
+
 #endif /* PSP_VERSTAGE_SVC_H */