xref: /aosp_15_r20/external/coreboot/src/soc/intel/common/block/cse/Kconfig (revision b9411a12aaaa7e1e6a6fb7c5e057f44ee179a49c) 
1## SPDX-License-Identifier: GPL-2.0-only
2
3config DISABLE_HECI1_AT_PRE_BOOT
4	bool "Disable HECI1 at the end of boot"
5	depends on SOC_INTEL_COMMON_BLOCK_CSE
6	default n
7	help
8	  This config decides the state of HECI1(CSE) device at the end of boot.
9	  Mainboard users to select this config to make HECI1 `function disable`
10	  prior to handing off to payload.
11
12config MAX_HECI_DEVICES
13	int
14	default 6
15
16config SOC_INTEL_COMMON_BLOCK_CSE
17	bool
18	default n
19	help
20	  Driver for communication with Converged Security Engine (CSE)
21	  over Host Embedded Controller Interface (HECI)
22
23config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_SBI
24	bool
25	default y if HECI_DISABLE_USING_SMM
26	select SOC_INTEL_COMMON_BLOCK_P2SB
27	help
28	  Use this config to allow common CSE block to make HECI1 function disable
29	  in the SMM mode. From CNL PCH onwards,`HECI1` disabling can only be done
30	  using the non-posted sideband write after FSP-S sets the postboot_sai
31	  attribute.
32
33config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC
34	bool
35	default n
36	select SOC_INTEL_COMMON_BLOCK_PMC
37	help
38	  Use this config to allow common CSE block to make HECI1 function disable
39	  using PMC IPC command `0xA9`. From TGL PCH onwards, disabling heci1
40	  device using PMC IPC doesn't required to run the operation in SMM.
41
42config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PCR
43	bool
44	default n
45	select SOC_INTEL_COMMON_BLOCK_PCR
46	help
47	  Use this config for SoC platform prior to CNL PCH (with postboot_sai implemented)
48	  to make `HECI1` device disable using private configuration register (PCR) write.
49
50config SOC_INTEL_STORE_CSE_FW_VERSION
51	bool
52	default y
53	depends on SOC_INTEL_CSE_LITE_SKU
54	help
55	  This configuration option stores CSE RW FW version in CBMEM area.
56	  This information can be used to identify if the CSE firmware update is successful
57	  by comparing the currently running CSE RW firmware version against CSE version
58	  belongs to the CONFIG_SOC_INTEL_CSE_RW_VERSION (decided statically while
59	  building the AP FW image).
60
61	  The way to retrieve the CSE firmware version is by sending the HECI command to
62	  read the CSE Boot Partition (BP) info. The cost of sending HECI command to read
63	  the CSE FW version is between 7ms-20ms (depending on the SoC architecture) hence,
64	  ensure this feature is platform specific and only enabled for the platform
65	  that would like to store the CSE version into the CBMEM.
66
67config SOC_INTEL_CSE_FW_PARTITION_CMOS_OFFSET
68	int
69	default 68
70	depends on SOC_INTEL_CSE_LITE_SKU
71	help
72	  This configuration option stores the starting offset of cse fw partition versions in
73	  CMOS memory. The offset should be byte aligned and must leave enough memory to store
74	  required firmware partition versions.
75
76config SOC_INTEL_STORE_ISH_FW_VERSION
77	bool
78	default n
79	depends on DRIVERS_INTEL_ISH
80	help
81	  This configuration option stores ISH version in CBMEM area.
82	  This information can be used to identify the currently running ISH firmware
83	  version.
84
85	  ISH BUP is sitting inside the CSE firmware partition. The way to retrieve the
86	  ISH version is by sending the HECI command to read the CSE FPT. The cost of sending
87	  HECI command to read the CSE FPT is significant (~200ms) hence, the idea is to
88	  read the CSE RW version on every cold reset (to cover the CSE update scenarios)
89	  and store into CBMEM to avoid the cost of resending the HECI command in all
90	  consecutive warm boots.
91
92	  Later boot stages can just read the CBMEM ID to retrieve the ISH version.
93
94	  Additionally, ensure this feature is platform specific hence, only enabled
95	  for the platform that would like to store the ISH version into the CBMEM and
96	  parse to perform some additional work.
97
98config SOC_INTEL_CSE_SEND_EOP_EARLY
99	bool "CSE send EOP early"
100	depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
101	help
102	  Use this config to send End Of Post (EOP) earlier through SoC code in order to
103	  reduce time required to send EOP and getting CSE response.
104	  In later stages, CSE might be busy and might require more time to process EOP command.
105	  SoC can use this Kconfig to send EOP earlier by itself.
106
107config SOC_INTEL_CSE_SEND_EOP_LATE
108	bool
109	depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
110	help
111	  Use this config to send End Of Post (EOP) late (even after CSE `final` operation)
112	  using boot state either `BS_PAYLOAD_BOOT` or `BS_PAYLOAD_LOAD` from common code
113	  in order to reduce time required to send EOP and getting CSE response.
114	  It has been observed that CSE might be busy and might require more time to
115	  process the EOP command.
116	  SoC can use this Kconfig to send EOP later by itself.
117	  Starting with Jasper Lake, coreboot sends EOP before loading payload hence, this
118	  config is applicable for those platforms.
119
120config SOC_INTEL_CSE_SEND_EOP_ASYNC
121	bool
122	depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
123	depends on !SOC_INTEL_CSE_SEND_EOP_LATE
124	depends on !SOC_INTEL_CSE_SEND_EOP_EARLY
125	help
126	  Use this config to handle End Of Post (EOP) completion
127	  asynchronously. The EOP command is sent first and the result
128	  is checked later leaving time to CSE to complete the
129	  operation while coreboot perform other activities.
130	  Performing EOP asynchronously reduces the time spent
131	  actively waiting for command completion which can have a
132	  significant impact on boot time.
133
134	  Using this asynchronous approach comes with the limitation
135	  that no HECI command should be sent between the time the EOP
136	  request is posted (at CSE .final device operation) and the
137	  time coreboot check for its completion (BS_PAYLOAD_LOAD).
138
139config SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
140	bool
141	depends on SOC_INTEL_COMMON_BLOCK_CSE
142	help
143	  Use this config to specify that the payload will send the End Of Post (EOP) instead
144	  of coreboot.
145
146	  In this case, the HECI interface needs to stay visible and the payload must support
147	  sending commands to CSE.
148
149config SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
150	bool
151	depends on SOC_INTEL_COMMON_BLOCK_CSE
152	help
153	  Use this config to specify that the payload will update the CSE RW partition instead
154	  of coreboot.
155
156	  In this case, CSE shall not switch to RW partition and the payload must support
157	  CSE RW update.
158
159config SOC_INTEL_CSE_LITE_SKU
160	bool
161	default n
162	help
163	 Enables CSE Lite SKU
164
165config SOC_INTEL_CSE_LITE_PSR
166	bool
167	default n
168	depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
169	select SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
170	help
171	 Select this config if Platform Service Record(PSR) is supported by the platform. This
172	 config is applicable only for Lite SKU, where PSR data backup is required prior to a
173	 CSE firmware downgrade during which CSE data is cleared. PSR services in CSE FW is
174	 enabled only post DRAM init and the command to backup PSR data is also supported only
175	 post DRAM init. Hence platform that selects PSR would need to perform CSE firmware sync
176	 in ramstage.
177
178config SOC_INTEL_CSE_SERVER_SKU
179	bool
180	default n
181	help
182	  Enables CSE Server SKU
183
184config SOC_INTEL_CSE_RW_UPDATE
185	bool "Enable the CSE RW Update Feature"
186	default n
187	depends on SOC_INTEL_CSE_LITE_SKU || SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
188	help
189	 This config will enable CSE RW firmware update feature and also will be used ensure
190	 all the required configs are provided by mainboard.
191
192config SOC_INTEL_CSE_FMAP_NAME
193	string "Name of CSE Region in FMAP" if SOC_INTEL_CSE_RW_UPDATE
194	default "SI_ME"
195	help
196	 Name of CSE region in FMAP
197
198config SOC_INTEL_CSE_RW_A_FMAP_NAME
199	string "Location of CSE RW A in FMAP" if SOC_INTEL_CSE_RW_UPDATE
200	default "ME_RW_A"
201	help
202	 Name of CSE RW A region in FMAP
203
204config SOC_INTEL_CSE_RW_B_FMAP_NAME
205	string "Location of CSE RW B in FMAP" if SOC_INTEL_CSE_RW_UPDATE
206	default "ME_RW_B"
207	help
208	 Name of CSE RW B region in FMAP
209
210config SOC_INTEL_CSE_RW_CBFS_NAME
211	string "CBFS entry name for CSE RW blob" if SOC_INTEL_CSE_RW_UPDATE
212	default "me_rw"
213	help
214	 CBFS entry name for Intel CSE CBFS RW blob
215
216config SOC_INTEL_CSE_RW_HASH_CBFS_NAME
217	string "CBFS name for CSE RW hash file" if SOC_INTEL_CSE_RW_UPDATE
218	default "me_rw.hash"
219	help
220	 CBFS name for Intel CSE CBFS RW hash file
221
222config SOC_INTEL_CSE_RW_VERSION_CBFS_NAME
223	string "CBFS name for CSE RW version file" if SOC_INTEL_CSE_RW_UPDATE
224	default "me_rw.version"
225	help
226	 CBFS name for Intel CSE CBFS RW version file
227
228config SOC_INTEL_CSE_RW_FILE
229	string "Intel CSE CBFS RW path and filename" if SOC_INTEL_CSE_RW_UPDATE && !STITCH_ME_BIN
230	default ""
231	help
232	 Intel CSE CBFS RW blob path and file name
233
234config SOC_INTEL_CSE_RW_VERSION
235	string "Intel CSE RW firmware version (deprecated)" if SOC_INTEL_CSE_RW_UPDATE
236	default ""
237	help
238	 This config contains the Intel CSE RW version of the blob that is provided by
239	 SOC_INTEL_CSE_RW_FILE config and the version must be set in the format
240	 major.minor.hotfix.build (ex: 14.0.40.1209).
241
242	 This config may be deprecated in the future. Consider not providing the CSE RW
243	 firmware version here and let the CSE version be automatically queried from the CSE
244	 binary at build time (available with Meteor Lake and following platforms).
245
246config SOC_INTEL_CSE_SET_EOP
247	bool
248	default n
249	select PMC_IPC_ACPI_INTERFACE
250	help
251	  This config ensures coreboot will send the CSE the End-of-POST message
252	  just prior to loading the payload. This is a security feature so the
253	  CSE will no longer respond to Pre-Boot commands.
254
255config SOC_INTEL_CSE_SUB_PART_UPDATE
256	bool "Enable the CSE sub-partition update Feature"
257	default n
258	depends on SOC_INTEL_CSE_LITE_SKU
259	help
260	 This config will enable CSE sub-partition firmware update feature and also will be used ensure
261	 all the required configs are provided by mainboard.
262
263config SOC_INTEL_CSE_IOM_CBFS_NAME
264	string "CBFS name for CSE sub-partition IOM binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
265	default "cse_iom"
266	help
267	 CBFS entry name for Intel CSE sub-partition IOM binary
268
269config SOC_INTEL_CSE_IOM_CBFS_FILE
270	string "Intel CBFS path and file name for CSE sub-partition IOM binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
271	default ""
272	help
273	 CBFS path and file name for Intel CSE sub-partition IOM binary
274
275config SOC_INTEL_CSE_NPHY_CBFS_NAME
276	string "CBFS name for CSE sub-partition NPHY binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
277	default "cse_nphy"
278	help
279	 CBFS entry name for Intel CSE sub-partition NPHY binary
280
281config SOC_INTEL_CSE_NPHY_CBFS_FILE
282	string "Intel CBFS path and file name for CSE sub-partition NPHY binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
283	default ""
284	help
285	 CBFS path and file name for Intel CSE sub-partition NPHY binary
286
287config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
288	bool
289	default n
290	depends on SOC_INTEL_CSE_LITE_SKU
291	select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
292	help
293	 Enable compression on Intel CSE CBFS RW blob
294
295config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
296	def_bool n
297	depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
298	help
299	  Mainboard user to select this Kconfig in order to capture pre-cpu
300	  reset boot performance telemetry data.
301
302config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY_V1
303	bool
304	select SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
305	help
306	  This config will make mainboard use version 1 of the CSE timestamp
307	  definitions, it can be used for Alder Lake and Raptor Lake (all SKUs).
308
309config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY_V2
310	bool
311	select SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
312	help
313	  This config will make mainboard use version 2 of the CSE timestamp
314	  definitions, it can be used for Meteor Lake M/P.
315
316config SOC_INTEL_CSE_LITE_SYNC_IN_ROMSTAGE
317	bool
318	default !SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
319	depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_COMPRESS_ME_RW && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
320	help
321	 Use default flow of CSE FW Update in romstage when uncompressed ME_RW blobs are used.
322
323config SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
324	bool
325	default n
326	depends on !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
327	help
328	 Use this option if CSE RW update needs to be triggered during RAMSTAGE.
329
330config SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
331	bool
332	depends on SOC_INTEL_COMMON_BLOCK_CSE
333	default n
334	help
335	 This option config will allow SoC platform to use applicable ME specification.
336	 The version based CSE measured ME specification data structures are defined at
337	 common code. Enabling this option will use those CSE defined ME specification
338	 for the SoC. User should select pertinent ME spec version along with this option.
339
340config SOC_INTEL_COMMON_BLOCK_ME_SPEC_12
341	bool
342	select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
343	help
344	  This config will enable 'ME specification version 12'. It will ensure ME specific
345	  declaration and uses of required data structures for Host firmware status registers.
346
347config SOC_INTEL_COMMON_BLOCK_ME_SPEC_13
348	bool
349	select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
350	help
351	  This config will enable 'ME specification version 13'. It will ensure ME specific
352	  declaration and uses of required data structures for Host firmware status registers.
353
354config SOC_INTEL_COMMON_BLOCK_ME_SPEC_15
355	bool
356	select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
357	help
358	  This config will enable 'ME specification version 15'. It will ensure ME specific
359	  declaration and uses of required data structures for Host firmware status registers.
360
361config SOC_INTEL_COMMON_BLOCK_ME_SPEC_16
362	bool
363	select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
364	help
365	  This config will enable 'ME specification version 16'. It will ensure ME specific
366	  declaration and uses of required data structures for Host firmware status registers.
367
368config SOC_INTEL_COMMON_BLOCK_ME_SPEC_18
369	bool
370	select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
371	help
372	  This config will enable 'ME specification version 18'. It will ensure ME specific
373	  declaration and uses of required data structures for Host firmware status registers.
374
375if SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
376
377config ME_SPEC
378	int
379	default 12 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_12
380	default 13 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_13
381	default 15 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_15
382	default 16 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_16
383	default 18 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_18
384	help
385	  This config holds the ME spec version if defined.
386
387endif # SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
388
389if STITCH_ME_BIN
390
391config CSE_COMPONENTS_PATH
392	string "Path to directory containing all CSE input components to stitch"
393	default "3rdparty/blobs/mainboard/\$(CONFIG_MAINBOARD_DIR)/firmware"
394	help
395	  This is the file path containing all the input CSE component files.
396	  These will be used by cse_serger tool to stitch CSE image.
397
398config CSE_FPT_FILE
399	string "Name of CSE FPT file"
400	default "cse_fpt.bin"
401	help
402	  This file is the CSE input binary as released by Intel in a CSE kit.
403
404config CSE_DATA_FILE
405	string "Name of CSE data file"
406	default "cse_data.bin"
407	help
408	  This file is the CSE data binary typically generated by Intel FIT tool.
409
410config CSE_PMCP_FILE
411	string "Name of PMC file"
412	default "pmc.bin"
413	help
414	  This file is the PMC input binary as released by Intel in a CSE kit.
415
416config CSE_IOMP_FILE
417	string "Name of IOM file"
418	default "iom.bin"
419	help
420	  This file is the IOM input binary as released by Intel in a CSE kit.
421
422config CSE_TBTP_FILE
423	string "Name of TBT file"
424	default "tbt.bin"
425	help
426	  This file is the TBT input binary as released by Intel in a CSE kit.
427
428config CSE_NPHY_FILE
429	string "Name of NPHY file"
430	default "nphy.bin"
431	help
432	  This file is the NPHY input binary as released by Intel in a CSE kit.
433
434config CSE_PCHC_FILE
435	string "Name of PCHC file"
436	default "pchc.bin"
437	help
438	  This file is the PCHC input binary as released by Intel in a CSE kit.
439
440config CSE_IUNP_FILE
441	string "Name of IUNIT file"
442	default "iunit.bin"
443	help
444	  This file is the PCHC input binary as released by Intel in a CSE kit.
445
446config CSE_BPDT_VERSION
447	string
448	help
449	  This config indicates the BPDT version used by CSE for a given SoC.
450
451config CSE_OEMP_FILE
452	string "Name of OEM Key Manifest file"
453	default "oem_km.bin"
454	help
455	  OEM Key Manifest lists the public key hashes used for authenticating the
456	  OEM created binaries to be loaded. This binary is generated by signing with
457	  the key owned by trusted owner.
458
459endif
460
461config CSE_RESET_CLEAR_EC_AP_IDLE_FLAG
462	bool
463	default y if !SYSTEM_TYPE_LAPTOP
464	help
465	  Select this if the variant is a Chromebox/base. This allows AP to direct EC
466	  to clear AP_IDLE flag before triggering reset to make sure AP can boot up
467	  after reset.
468