From 8408bd4863044019644f645dedc326bfab5f43bb Mon Sep 17 00:00:00 2001 From: Subrata Banik Date: Fri, 23 May 2025 08:32:18 +0530 Subject: [PATCH] soc/intel/pantherlake: Add TME configuration This commit moves the TME configuration into its own static function, `fill_tme_params`, which is then called from `fill_fspm_security_params`. The `TME_KEY_REGENERATION_ON_WARM_BOOT` option is now supported, allowing a new TME key to be generated on warm reboots. This feature leverages the `SOC_INTEL_COMMON_BASECODE_RAMTOP` configuration to determine a memory exclusion range for the new key. Additionally, disable the `BIOS Guard` UPD as part of security FSP UPD configuration. TEST=Able to build and boot google/fatcat. S0ix also works with this patch. Change-Id: I1030a25262f1c3c24cf9f4886718689ee2c8155e Signed-off-by: Subrata Banik Reviewed-on: https://review.coreboot.org/c/coreboot/+/87808 Reviewed-by: Kapil Porwal Tested-by: build bot (Jenkins)
---
 .../intel/pantherlake/romstage/fsp_params.c | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/soc/intel/pantherlake/romstage/fsp_params.c b/src/soc/intel/pantherlake/romstage/fsp_params.c
index 3f13be2735..44875679ca 100644
--- a/src/soc/intel/pantherlake/romstage/fsp_params.c
+++ b/src/soc/intel/pantherlake/romstage/fsp_params.c
@@ -2,10 +2,12 @@
 #include
 #include
+#include
 #include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -106,10 +108,29 @@ static void fill_fspm_cpu_params(FSP_M_CONFIG *m_cfg,
 m_cfg->SmmRelocationEnable = 0;
 }
-static void fill_fspm_security_params(FSP_M_CONFIG *m_cfg,
- const struct soc_intel_pantherlake_config *config)
+static void fill_tme_params(FSP_M_CONFIG *m_cfg)
 {
 m_cfg->TmeEnable = CONFIG(INTEL_TME) && is_tme_supported();
+ if (!m_cfg->TmeEnable || acpi_is_wakeup_s3())
+ return;
+ m_cfg->GenerateNewTmeKey = CONFIG(TME_KEY_REGENERATION_ON_WARM_BOOT);
+ if (m_cfg->GenerateNewTmeKey) {
+ uint32_t ram_top = get_ramtop_addr();
+ if (!ram_top) {
+ printk(BIOS_WARNING, "Invalid exclusion range start address. " "Full memory encryption is enabled.\n");
+ return;
+ }
+ m_cfg->TmeExcludeBase = (ram_top - CACHE_TMP_RAMTOP);
+ m_cfg->TmeExcludeSize = CACHE_TMP_RAMTOP;
+ }
+}
+
+static void fill_fspm_security_params(FSP_M_CONFIG *m_cfg,
+ const struct soc_intel_pantherlake_config *config)
+{
+ m_cfg->BiosGuard = 0;
+ fill_tme_params(m_cfg);
 }
 static void fill_fspm_uart_params(FSP_M_CONFIG *m_cfg,
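Review bot: The exclusion-range computation in fill_tme_params guards only against a zero ram_top, so a value smaller than CACHE_TMP_RAMTOP would make `ram_top - CACHE_TMP_RAMTOP` wrap in uint32_t and place TmeExcludeBase near the top of the 4 GiB space instead of failing safe; the guard should read `if (!ram_top || ram_top < CACHE_TMP_RAMTOP) {`. Whether get_ramtop_addr() can return such a value is not visible in this hunk, but since the excluded window is deliberately left unencrypted, its bounds deserve a why-comment such as `/* The CACHE_TMP_RAMTOP window below ramtop stays in plaintext so it survives the key change on warm reset - assumed, confirm against the RAMTOP users */`. The early return on acpi_is_wakeup_s3() leaves GenerateNewTmeKey at the UPD default, which is presumably what keeps the key that encrypted the suspended memory image; a one-line comment stating that intent would stop a later edit from moving the S3 check below the assignment. Both fill_tme_params and the rewritten fill_fspm_security_params are complete within the hunk.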