soc/intel/pantherlake: Add TME configuration

This commit moves the TME configuration into its own static function, `fill_tme_params`, which is then called from `fill_fspm_security_params`. The `TME_KEY_REGENERATION_ON_WARM_BOOT` option is now supported, allowing a new TME key to be generated on warm reboots. This feature leverages the `SOC_INTEL_COMMON_BASECODE_RAMTOP` configuration to determine a memory exclusion range for the new key. Additionally, disable the `BIOS Guard` UPD as part of security FSP UPD configuration. TEST=Able to build and boot google/fatcat. S0ix also works with this patch. Change-Id: I1030a25262f1c3c24cf9f4886718689ee2c8155e Signed-off-by: Subrata Banik <subratabanik@google.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/87808 Reviewed-by: Kapil Porwal <kapilporwal@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2025-05-23 08:32:18 +05:30 · 2025-05-23 08:32:18 +05:30 · 8408bd4863
commit 8408bd4863
parent dc36a725d6
1 changed files with 23 additions and 2 deletions
--- a/src/soc/intel/pantherlake/romstage/fsp_params.c
+++ b/src/soc/intel/pantherlake/romstage/fsp_params.c
@ -2,10 +2,12 @@

 #include <cpu/intel/common/common.h>
 #include <cpu/x86/msr.h>
+#include <cpu/x86/mtrr.h>
 #include <elog.h>
 #include <fsp/debug.h>
 #include <fsp/fsp_debug_event.h>
 #include <fsp/util.h>
+#include <intelbasecode/ramtop.h>
 #include <intelblocks/cpulib.h>
 #include <soc/iomap.h>
 #include <soc/msr.h>
@ -106,10 +108,29 @@ static void fill_fspm_cpu_params(FSP_M_CONFIG *m_cfg,
 	m_cfg->SmmRelocationEnable = 0;
 }

-static void fill_fspm_security_params(FSP_M_CONFIG *m_cfg,
-				      const struct soc_intel_pantherlake_config *config)
+static void fill_tme_params(FSP_M_CONFIG *m_cfg)
 {
 	m_cfg->TmeEnable = CONFIG(INTEL_TME) && is_tme_supported();
+	if (!m_cfg->TmeEnable || acpi_is_wakeup_s3())
+		return;
+	m_cfg->GenerateNewTmeKey = CONFIG(TME_KEY_REGENERATION_ON_WARM_BOOT);
+	if (m_cfg->GenerateNewTmeKey) {
+		uint32_t ram_top = get_ramtop_addr();
+		if (!ram_top) {
+			printk(BIOS_WARNING, "Invalid exclusion range start address. "
+						"Full memory encryption is enabled.\n");
+			return;
+		}
+		m_cfg->TmeExcludeBase = (ram_top - CACHE_TMP_RAMTOP);
+		m_cfg->TmeExcludeSize = CACHE_TMP_RAMTOP;
+	}
+}
+
+static void fill_fspm_security_params(FSP_M_CONFIG *m_cfg,
+				  const struct soc_intel_pantherlake_config *config)
+{
+	m_cfg->BiosGuard = 0;
+	fill_tme_params(m_cfg);
 }

 static void fill_fspm_uart_params(FSP_M_CONFIG *m_cfg,