soc/intel/skylake: Add LPC and SPI lock down config option

This patch to provide new config options to perform LPC and SPI
lock down either by FSP or coreboot.

Remove EISS bit programming as well.

TEST=Build and boot Eve and Poppy.

Change-Id: If174915b4d0c581f36b54b2b8cd970a93c6454bc
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-on: https://review.coreboot.org/21068
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>

15 files changed, 63 insertions, 60 deletions

diff --git a/src/mainboard/google/chell/devicetree.cb b/src/mainboard/google/chell/devicetree.cb
index 4d4d0aff1d95..f8c305401283 100644
--- a/src/mainboard/google/chell/devicetree.cb
+++ b/src/mainboard/google/chell/devicetree.cb
@@ -190,6 +190,9 @@ chip soc/intel/skylake
 	# Send an extra VR mailbox command for the supported MPS IMVP8 model
 	register "SendVrMbxCmd" = "1"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/eve/devicetree.cb b/src/mainboard/google/eve/devicetree.cb
index b6cb848b4043..2e017f8dcdd3 100644
--- a/src/mainboard/google/eve/devicetree.cb
+++ b/src/mainboard/google/eve/devicetree.cb
@@ -218,6 +218,9 @@ chip soc/intel/skylake
 	register "tdp_pl2_override" = "15"
 	register "tcc_offset" = "10"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/fizz/devicetree.cb b/src/mainboard/google/fizz/devicetree.cb
index bf9f0c9ef939..a77138023887 100644
--- a/src/mainboard/google/fizz/devicetree.cb
+++ b/src/mainboard/google/fizz/devicetree.cb
@@ -216,6 +216,9 @@ chip soc/intel/skylake
 	# Use default SD card detect GPIO configuration
 	register "sdcard_cd_gpio_default" = "GPP_A7"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/glados/devicetree.cb b/src/mainboard/google/glados/devicetree.cb
index d4155ea6b80d..0dff3d95dd63 100644
--- a/src/mainboard/google/glados/devicetree.cb
+++ b/src/mainboard/google/glados/devicetree.cb
@@ -188,6 +188,9 @@ chip soc/intel/skylake
 	# Send an extra VR mailbox command for the supported MPS IMVP8 model
 	register "SendVrMbxCmd" = "1"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/lars/devicetree.cb b/src/mainboard/google/lars/devicetree.cb
index ed1de93258e8..99522cbe3e10 100644
--- a/src/mainboard/google/lars/devicetree.cb
+++ b/src/mainboard/google/lars/devicetree.cb
@@ -184,6 +184,9 @@ chip soc/intel/skylake
 	# Send an extra VR mailbox command for the PS4 exit issue
 	register "SendVrMbxCmd" = "2"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/poppy/variants/baseboard/devicetree.cb b/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
index d67c9c0ae4fb..2324557320bc 100644
--- a/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
+++ b/src/mainboard/google/poppy/variants/baseboard/devicetree.cb
@@ -208,6 +208,9 @@ chip soc/intel/skylake
 	# Use default SD card detect GPIO configuration
 	register "sdcard_cd_gpio_default" = "GPP_E15"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/google/poppy/variants/soraka/devicetree.cb b/src/mainboard/google/poppy/variants/soraka/devicetree.cb
index b874093b2636..88c7c7dbeb98 100644
--- a/src/mainboard/google/poppy/variants/soraka/devicetree.cb
+++ b/src/mainboard/google/poppy/variants/soraka/devicetree.cb
@@ -208,6 +208,9 @@ chip soc/intel/skylake
 	# Use default SD card detect GPIO configuration
 	register "sdcard_cd_gpio_default" = "GPP_E15"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb b/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
index c1974ad7184d..0d2bd0f39765 100644
--- a/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
+++ b/src/mainboard/intel/kblrvp/variants/rvp3/devicetree.cb
@@ -205,6 +205,9 @@ chip soc/intel/skylake
 	# Enable/Disable VMX feature
 	register "VmxEnable" = "0"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb b/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
index a56345c00d60..6f45a46a7d99 100644
--- a/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
+++ b/src/mainboard/intel/kblrvp/variants/rvp7/devicetree.cb
@@ -200,6 +200,9 @@ chip soc/intel/skylake
 	# Use default SD card detect GPIO configuration
 	register "sdcard_cd_gpio_default" = "GPP_G5"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/intel/kunimitsu/devicetree.cb b/src/mainboard/intel/kunimitsu/devicetree.cb
index 17e8e2760682..aec57b1ffa97 100644
--- a/src/mainboard/intel/kunimitsu/devicetree.cb
+++ b/src/mainboard/intel/kunimitsu/devicetree.cb
@@ -194,6 +194,9 @@ chip soc/intel/skylake
 	# Use default SD card detect GPIO configuration
 	register "sdcard_cd_gpio_default" = "GPP_A7"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/mainboard/purism/librem13v2/devicetree.cb b/src/mainboard/purism/librem13v2/devicetree.cb
index e113b3ffa48e..29d35afd23d8 100644
--- a/src/mainboard/purism/librem13v2/devicetree.cb
+++ b/src/mainboard/purism/librem13v2/devicetree.cb
@@ -171,6 +171,9 @@ chip soc/intel/skylake
 	# Send an extra VR mailbox command for the PS4 exit issue
 	register "SendVrMbxCmd" = "2"
 
+	# Lock Down
+	register "chipset_lockdown" = "CHIPSET_LOCKDOWN_COREBOOT"
+
 	device cpu_cluster 0 on
 		device lapic 0 on end
 	end
diff --git a/src/soc/intel/skylake/chip.c b/src/soc/intel/skylake/chip.c
index ab069488a019..7014c24d9ebb 100644
--- a/src/soc/intel/skylake/chip.c
+++ b/src/soc/intel/skylake/chip.c
@@ -147,11 +147,12 @@ void soc_silicon_init_params(SILICON_INIT_UPD *params)
 	params->EnableSata = config->EnableSata;
 	params->SataMode = config->SataMode;
 	params->LockDownConfigGlobalSmi = config->LockDownConfigGlobalSmi;
-	params->LockDownConfigBiosInterface =
-		config->LockDownConfigBiosInterface;
 	params->LockDownConfigRtcLock = config->LockDownConfigRtcLock;
-	params->LockDownConfigBiosLock = config->LockDownConfigBiosLock;
-	params->LockDownConfigSpiEiss = config->LockDownConfigSpiEiss;
+	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+		params->LockDownConfigBiosInterface = 0;
+		params->LockDownConfigBiosLock = 0;
+		params->LockDownConfigSpiEiss = 0;
+	}
 	params->PchConfigSubSystemVendorId = config->PchConfigSubSystemVendorId;
 	params->PchConfigSubSystemId = config->PchConfigSubSystemId;
 	params->WakeConfigWolEnableOverride =
diff --git a/src/soc/intel/skylake/chip.h b/src/soc/intel/skylake/chip.h
index ea985db11a90..beb5a7aa0b86 100644
--- a/src/soc/intel/skylake/chip.h
+++ b/src/soc/intel/skylake/chip.h
@@ -262,29 +262,10 @@ struct soc_intel_skylake_config {
 	/* Enable SMI_LOCK bit to prevent writes to the Global SMI Enable bit.*/
 	u8 LockDownConfigGlobalSmi;
 	/*
-	 * Enable BIOS Interface Lock Down bit to prevent writes to the Backup
-	 * Control Register. Top Swap bit and the General Control and Status
-	 * Registers Boot BIOS Straps.
-	 */
-	u8 LockDownConfigBiosInterface;
-	/*
 	 * Enable RTC lower and upper 128 byte Lock bits to lock Bytes 38h-3Fh
 	 * in the upper and and lower 128-byte bank of RTC RAM.
 	 */
 	u8 LockDownConfigRtcLock;
-	/*
-	 * When enabled, the BIOS Region can only be modified from SMM after
-	 * EndOfDxe protocol is installed
-	 */
-	u8 LockDownConfigBiosLock;
-	/*
-	 * Enable InSMM.STS (EISS) in SPI If this bit is set, then WPD must be a
-	 * '1' and InSMM.STS must be '1' also in order to write to BIOS regions
-	 * of SPI Flash. If this bit is clear, then the InSMM.STS is a don't
-	 * care. The BIOS must set the EISS bit while BIOS Guard support is
-	 * enabled.
-	 */
-	u8 LockDownConfigSpiEiss;
 	/* Subsystem Vendor ID of the PCH devices*/
 	u16 PchConfigSubSystemVendorId;
 	/* Subsystem ID of the PCH devices*/
@@ -493,14 +474,16 @@ struct soc_intel_skylake_config {
 	 * 0b - Disabled
 	 */
 	u8 eist_enable;
-	/*
-	 * Skip Spi Flash Lockdown from inside FSP.
-	 * Making this config "0" means FSP won't set the FLOCKDN bit of
-	 * SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
-	 * So, it becomes coreboot's responsibility to set this bit before
-	 * end of POST for security concerns.
+	/* Chipset (LPC and SPI)  Lock Down
+	 * 1b - coreboot to handle lockdown
+	 * 0b - FSP to handle lockdown
 	 */
-	u8 SpiFlashCfgLockDown;
+	enum {
+		/* lock according to binary UPD settings */
+		CHIPSET_LOCKDOWN_FSP,
+		/* coreboot handles locking */
+		CHIPSET_LOCKDOWN_COREBOOT,
+	} chipset_lockdown;
 };
 
 typedef struct soc_intel_skylake_config config_t;
diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c
index c5ecc97b015a..aa612ede0a91 100644
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@@ -201,7 +201,6 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 	params->SataEnable = config->EnableSata;
 	params->SataMode = config->SataMode;
 	tconfig->PchLockDownGlobalSmi = config->LockDownConfigGlobalSmi;
-	tconfig->PchLockDownBiosInterface = config->LockDownConfigBiosInterface;
 	tconfig->PchLockDownRtcLock = config->LockDownConfigRtcLock;
 	/*
 	 * To disable HECI, the Psf needs to be left unlocked
@@ -210,9 +209,19 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 	 * do the changes and then lock it back in coreboot during finalize.
 	 */
 	tconfig->PchSbAccessUnlock = (config->HeciEnabled == 0) ? 1 : 0;
-
-	params->PchLockDownBiosLock = config->LockDownConfigBiosLock;
-	params->PchLockDownSpiEiss = config->LockDownConfigSpiEiss;
+	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+		tconfig->PchLockDownBiosInterface = 0;
+		params->PchLockDownBiosLock = 0;
+		params->PchLockDownSpiEiss = 0;
+		/*
+		 * Skip Spi Flash Lockdown from inside FSP.
+		 * Making this config "0" means FSP won't set the FLOCKDN bit
+		 * of SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
+		 * So, it becomes coreboot's responsibility to set this bit
+		 * before end of POST for security concerns.
+		 */
+		params->SpiFlashCfgLockDown = 0;
+	}
 	params->PchSubSystemVendorId = config->PchConfigSubSystemVendorId;
 	params->PchSubSystemId = config->PchConfigSubSystemId;
 	params->PchPmWolEnableOverride = config->WakeConfigWolEnableOverride;
@@ -248,15 +257,6 @@ void platform_fsp_silicon_init_params_cb(FSPS_UPD *supd)
 	params->ShowSpiController = dev->enabled;
 
 	/*
-	 * Skip Spi Flash Lockdown from inside FSP.
-	 * Making this config "0" means FSP won't set the FLOCKDN bit of
-	 * SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
-	 * So, it becomes coreboot's responsibility to set this bit before
-	 * end of POST for security concerns.
-	 */
-	params->SpiFlashCfgLockDown = config->SpiFlashCfgLockDown;
-
-	/*
 	 * Send VR specific mailbox commands:
 	 * 000b - no VR specific command sent
 	 * 001b - VR mailbox command specifically for the MPS IMPV8 VR
diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c
index 975938214995..404d217a87a8 100644
--- a/src/soc/intel/skylake/finalize.c
+++ b/src/soc/intel/skylake/finalize.c
@@ -184,8 +184,8 @@ static void soc_lockdown(void)
 		pci_write_config8(dev, GEN_PMCON_A, reg8);
 	}
 
-	/* Bios Interface Lock */
-	if (config->LockDownConfigBiosInterface == 0) {
+	if (config->chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) {
+		 /* Bios Interface Lock */
 		pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
 				  pci_read_config8(PCH_DEV_LPC,
 						   BIOS_CNTL) | LPC_BC_BILD);
@@ -196,10 +196,8 @@ static void soc_lockdown(void)
 
 		/* GCS reg of DMI */
 		pcr_or8(PID_DMI, PCR_DMI_GCS, PCR_DMI_GCS_BILD);
-	}
 
-	/* Bios Lock */
-	if (config->LockDownConfigBiosLock == 0) {
+		/* Bios Lock */
 		pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
 				  pci_read_config8(PCH_DEV_LPC,
 						   BIOS_CNTL) | LPC_BC_LE);
@@ -209,18 +207,6 @@ static void soc_lockdown(void)
 
 		fast_spi_set_lock_enable();
 	}
-
-	/* SPIEiss */
-	if (config->LockDownConfigSpiEiss == 0) {
-		pci_write_config8(PCH_DEV_LPC, BIOS_CNTL,
-				  pci_read_config8(PCH_DEV_LPC,
-						   BIOS_CNTL) | LPC_BC_EISS);
-
-		/* Ensure an additional read back after performing lock down */
-		pci_read_config8(PCH_DEV_LPC, BIOS_CNTL);
-
-		fast_spi_set_eiss();
-	}
 }
 
 static void soc_finalize(void *unused)