diff --git a/.gitmodules b/.gitmodules index bc4a6eb0532..f4bc2b2c522 100644 --- a/.gitmodules +++ b/.gitmodules @@ -51,3 +51,7 @@ url = ../qc_blobs.git update = none ignore = dirty +[submodule "3rdparty/stm"] + path = 3rdparty/stm + url = ../STM + branch = stmpe diff --git a/3rdparty/stm b/3rdparty/stm new file mode 160000 index 00000000000..1f3258261a4 --- /dev/null +++ b/3rdparty/stm @@ -0,0 +1 @@ +Subproject commit 1f3258261a4f4d6c60ec4447c7a03acf2509b984 diff --git a/configs/config.dell_optiplex_9010_sff_stm b/configs/config.dell_optiplex_9010_sff_stm new file mode 100644 index 00000000000..a935cba11dc --- /dev/null +++ b/configs/config.dell_optiplex_9010_sff_stm @@ -0,0 +1,23 @@ +CONFIG_USE_OPTION_TABLE=y +CONFIG_VENDOR_DELL=y +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_CBFS_SIZE=0x400000 +CONFIG_INCLUDE_SMSC_SCH5545_EC_FW=y +CONFIG_SMSC_SCH5545_EC_FW_FILE="smsc_sch5545_ecfw.bin" +CONFIG_PCIEXP_CLK_PM=y +CONFIG_SEABIOS_PS2_TIMEOUT=3000 +CONFIG_USBDEBUG=y +CONFIG_USBDEBUG_DONGLE_FTDI_FT232H=y +CONFIG_TPM_MEASURED_BOOT=y +CONFIG_STM=y +CONFIG_MSEG_SIZE=0x400000 +CONFIG_STM_STMPE_ENABLED=y +CONFIG_STM_HEAPSIZE=0x280000 +CONFIG_STM_TTYS0_BASE=0x3f8 +CONFIG_STM_CBMEM_CONSOLE=y +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y +CONFIG_POST_DEVICE_LPC=y +CONFIG_SEABIOS_ADD_SERCON_PORT_FILE=y +CONFIG_SEABIOS_DEBUG_LEVEL=0 +CONFIG_DEBUG_SMI=y +CONFIG_HAVE_EM100_SUPPORT=y diff --git a/src/cpu/intel/model_206ax/Kconfig b/src/cpu/intel/model_206ax/Kconfig index 1918428dc86..3617bb94edf 100644 --- a/src/cpu/intel/model_206ax/Kconfig +++ b/src/cpu/intel/model_206ax/Kconfig @@ -22,11 +22,11 @@ config CPU_SPECIFIC_OPTIONS config SMM_TSEG_SIZE hex - default 0x800000 + default 0x1000000 config SMM_RESERVED_SIZE hex - default 0x100000 + default 0x200000 # Intel Enhanced Debug region must be 4MB config IED_REGION_SIZE diff --git a/src/mainboard/dell/optiplex_9010/Kconfig b/src/mainboard/dell/optiplex_9010/Kconfig index 3f5893c81c9..c051f78a6cf 100644 
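Review bot: The new configs/config.dell_optiplex_9010_sff_stm pairs CONFIG_STM=y with a set of debug knobs — CONFIG_DEBUG_SMI=y, CONFIG_USBDEBUG=y, CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y, CONFIG_STM_CBMEM_CONSOLE=y and CONFIG_HAVE_EM100_SUPPORT=y — so the committed reference config for a security monitor is also a verbose development build. If this is meant as the board's STM configuration, consider dropping the debug options or saying in the commit message that it is a development config; CONFIG_DEBUG_SMI in particular puts SMI handler output on the console of a config that otherwise looks shippable. CONFIG_MSEG_SIZE=0x400000 here overrides the new 0x100000 default, which is presumably deliberate given CONFIG_STM_STMPE_ENABLED=y and the 0x300000+ minimum the MSEG_SIZE help text gives for STM/PE; a comment line in the config (`# STM/PE needs a larger MSEG, see MSEG_SIZE help`) would make that intent visible.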
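Review bot: The `default 0x1000000` for SMM_TSEG_SIZE and `default 0x200000` for SMM_RESERVED_SIZE in src/cpu/intel/model_206ax/Kconfig apply to every model_206ax board, not only the STM build, so boards that never enable STM lose a further 8 MiB of RAM to TSEG and get a different SMRAM layout from this change. If the larger regions are needed only for the STM/PE carve-out, gate them on the STM symbol and keep the old values otherwise: `default 0x1000000 if STM`, `default 0x800000` (same pattern for SMM_RESERVED_SIZE). The MSEG_SIZE help text added in src/security/intel/stm/Kconfig by this same change says its default assumes SMM_TSEG_SIZE = 0x800000, which the unconditional new default contradicts for this CPU.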
--- a/src/mainboard/dell/optiplex_9010/Kconfig +++ b/src/mainboard/dell/optiplex_9010/Kconfig @@ -19,6 +19,7 @@ config BOARD_SPECIFIC_OPTIONS select HAVE_OPTION_TABLE select HAVE_CMOS_DEFAULT select PCIEXP_L1_SUB_STATE + select IDT_IN_EVERY_STAGE config MAINBOARD_DIR string diff --git a/src/security/intel/stm/Kconfig b/src/security/intel/stm/Kconfig index f7dd363faa8..738dbffe2cb 100644 --- a/src/security/intel/stm/Kconfig +++ b/src/security/intel/stm/Kconfig 
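Review bot: `select IDT_IN_EVERY_STAGE` is added to the OptiPlex 9010 board selects without a comment saying why, and nothing else in the hunk ties it to STM. If it is there so that exceptions during STM bring-up are reported instead of ending in a silent reset, say so: `# Report exceptions in every stage while STM is brought up instead of resetting`; if it is only wanted for the debug-oriented STM config, it belongs in that defconfig rather than as an unconditional board select. The BOARD_SPECIFIC_OPTIONS block continues outside the hunk.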
@@ -27,20 +27,93 @@ menu "SMI Transfer Monitor (STM)" config MSEG_SIZE hex "mseg size" - default 0x400000 + default 0x100000 help - STM only - 0x100000 - STM/PE - 0x300000+ depending on the amount of memory needed - for the protected execution virtual - machine (VM/PE) + The MSEG_SIZE of 0x100000 assumes that: + IED_REGION_SIZE = 0x400000 + SMM_RESERVED_SIZE = 0x200000 + SMM_TSEG_SIZE = 0x800000 + + To use STM/PE, a larger MSEG_SIZE is necessary. This can be + done by either increasing SMM_TSEG_SIZE or reducing the + IED_REGION_SIZE and/or SMM_RESERVED_SIZE or some combination + of the three. + NOTE: The authors experience is that these configuration + parameters have to be changed at the soc Konfig for them to + be applied. + Minimum sizes: + STM only - 0x100000 - Supports up to 38 processor threads + - 0x200000 - Supports up to 102 processor threads + STM/PE - 0x300000+ depending on the amount of memory needed + for the protected execution virtual + machine (VM/PE) + +config STM_STMPE_ENABLED + bool "STM/PE Enabled" + default n + help + STM/PE provides for additional virtual machines in SMRAM + that provides a protected execution environment for + applications such as introspection, which need to be + protected from malicious code. More information can be + found on the stmpe branch of + https://review.coreboot.org/STM + config BIOS_RESOURCE_LIST_SIZE - hex "bios_resource_list_size" + hex "bios resource list size" default 0x1000 + help + The BIOS resource list defines the resources that the + SMI handler needs. This list is created during the + coreboot bootup. Unless there has been a lot of elements + added to this list, this value should not change. config STM_BINARY_FILE string "STM binary file" - default "3rdparty/blobs/cpu/intel/stm/stm.bin" + default "3rdparty/stm/Stm/build/StmPkg/Core/stm.bin" + help + Location of the STM binary file. The default location is + where the file will be located when coreboot builds + the STM. 
+ +config STM_HEAPSIZE + hex "stm heapsize" + default 0x46000 + help + The STM_HEAPSIZE defines the heap space that is available + to the STM. The default size assumes a MSEG_SIZE of 0x100000. + For STM/PE this size should be a minimum of 0x246000. + +config STM_TTYS0_BASE + hex "stm uart" + default TTYS0_BASE if TTYS0_BASE + default 0x000 + help + Defines the serial port for STM console output. 0x000 indicatea + no serial port. + +config STM_CBMEM_CONSOLE + bool "STM cbmem console" + default n + depends on CONSOLE_CBMEM + help + Places the STM console output into the cbmem. + +choice + prompt "Select STM console output" + +config STM_CONSOLE_DEBUG + bool "Debug output" + depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE + help + "Produces all STM console output" + +config STM_CONSOLE_RELEASE + bool "Deactivate console output" + help + "No console output is produced" +endchoice endmenu #STM diff --git a/src/security/intel/stm/Makefile b/src/security/intel/stm/Makefile new file mode 100644 index 00000000000..f53d4d9d99a --- /dev/null +++ b/src/security/intel/stm/Makefile @@ -0,0 +1,38 @@ +# SPDX-License-Identifier: BSD-2-Clause + +project_name=STM +project_dir=../../../../3rdparty/stm/ +build_dir=$(project_dir)/Stm/build +project_git_branch=$(CONFIG_STM_GIT_BRANCH) + +ifeq ($(CONFIG_STM_CONSOLE_DEBUG),y) +STM_BUILD="debug" +endif + +ifeq ($(CONFIG_STM_CONSOLE_RELEASE),y) +STM_BUILD="release" +endif + + +all: build + +build: + echo "STM - Build" + cd $(project_dir)/Stm; \ + mkdir -p build; \ + cd build; \ + cmake .. -DBIOS=coreboot \ + -DUART=$(CONFIG_STM_TTYS0_BASE) \ + -DHEAPSIZE=$(CONFIG_STM_HEAPSIZE) \ + -DCBMEM_ENABLE=$(CONFIG_STM_CBMEM_CONSOLE) \ + -DSTMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \ + -DBUILD=$(STM_BUILD); \ + $(MAKE); + +clean: + #rm -rf $(build_dir) + +distclean: + #rm -rf $(project_dir) + +.PHONY: build clean distclean diff --git a/src/security/intel/stm/Makefile.inc b/src/security/intel/stm/Makefile.inc index 1a23fe97f2c..26df46f2160 100644 
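Review bot: `default TTYS0_BASE if TTYS0_BASE` and `depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE` use hex symbols as boolean conditions; as far as I recall kconfig evaluates a non-bool symbol in a conditional to its tristate value, which is `n` for int/hex/string symbols, so the UART default and the STM_CONSOLE_DEBUG dependency may never be satisfied by a serial port alone — worth confirming in menuconfig, and if so compare the value explicitly: `depends on STM_CBMEM_CONSOLE || STM_TTYS0_BASE != 0x000`. The help text has a few typos worth fixing in the same pass (`indicatea` → `indicates`, `Konfig` → `Kconfig`, `authors experience` → `author's experience`), and the STM_CONSOLE_DEBUG/STM_CONSOLE_RELEASE help lines are wrapped in literal double quotes that will appear verbatim in the help output. The MSEG_SIZE help also states the default assumes SMM_TSEG_SIZE = 0x800000, while this same change raises the model_206ax default to 0x1000000; reword it so the stated assumption matches at least one in-tree CPU.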
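Review bot: The `build` recipe chains `cd $(project_dir)/Stm; \`, `mkdir -p build; \` and `cd build; \` with `;`, so if the submodule is not checked out the failed `cd` is ignored, `cmake ..` runs in the wrong directory and the trailing `$(MAKE)` re-enters this Makefile's own `all` target. Chain with `&&` instead — `cd $(project_dir)/Stm && \`, `mkdir -p build && \`, `cd build && \` — so the first failure aborts the recipe with a non-zero status. `project_git_branch` is assigned from CONFIG_STM_GIT_BRANCH but never used, and that symbol is not defined in the Kconfig hunk of this change, so it is presumably stale. The `clean` and `distclean` targets have their `rm -rf` commented out, so `make clean` leaves the cmake cache and a previously built stm.bin in place; either enable the removal or drop the targets.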
--- a/src/security/intel/stm/Makefile.inc +++ b/src/security/intel/stm/Makefile.inc @@ -8,3 +8,15 @@ stm.bin-type := raw ramstage-$(CONFIG_STM) += SmmStm.c ramstage-$(CONFIG_STM) += StmPlatformSmm.c ramstage-$(CONFIG_STM) += StmPlatformResource.c + +3rdparty/stm/Stm/build/StmPkg/Core/stm.bin: + $(MAKE) -C src/security/intel/stm \ + CONFIG_STM_TTYSO_BASE=$(CONFIG_STM_TTYSO_BASE) \ + CONFIG_STM_HEAPSIZE=$(CONFIG_STM_HEAPSIZE) \ + CONFIG_STM_CONSOLE_DEBUG=$(CONFIG_STM_CONSOLE_DEBUG) \ + CONFIG_STM_CONSOLE_RELEASE=$(CONFIG_STM_CONSOLE_RELEASE) \ + CONFIG_STM_GIT_BRANCH=$(CONFIG_STM_GIT_BRANCH) \ + CONFIG_STM_STMPE_ENABLED=$(CONFIG_STM_STMPE_ENABLED) \ + CONFIG_STM_CBMEM_CONSOLE=$(CONFIG_STM_CBMEM_CONSOLE) + +.PHONY: 3rdparty/stm/Stm/build/StmPkg/Core/stm.bin diff --git a/src/security/intel/stm/SmmStm.c b/src/security/intel/stm/SmmStm.c index 7256401bc90..00490cfa5e5 100644 --- a/src/security/intel/stm/SmmStm.c +++ b/src/security/intel/stm/SmmStm.c @@ -477,7 +477,7 @@ int add_pi_resource(STM_RSC *resource_list, uint32_t num_entries) return -1; // INVALID_PARAMETER; resource_size = get_resource_size(resource_list, num_entries); - printk(BIOS_DEBUG, "STM: ResourceSize - 0x%08lx\n", resource_size); + printk(BIOS_DEBUG, "STM: ResourceSize - 0x%08x\n", (int) resource_size); if (resource_size == 0) return -1; // INVALID_PARAMETER;
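Review bot: The variable passed to the sub-make is spelled `CONFIG_STM_TTYSO_BASE` (letter O) on both sides of the assignment, while src/security/intel/stm/Makefile reads `CONFIG_STM_TTYS0_BASE` (digit zero) for `-DUART=`, so the UART base from Kconfig does not reach the STM build through this rule unless the variable is exported some other way. Change the line to `CONFIG_STM_TTYS0_BASE=$(CONFIG_STM_TTYS0_BASE) \`. Since the phony target name is the literal default of CONFIG_STM_BINARY_FILE, the rule presumably fires only while that option keeps its default; a one-line comment above the rule saying so (`# Builds the STM from the submodule when STM_BINARY_FILE points at the default build output`) would save the next reader a search.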
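Review bot: `(int) resource_size` with `%08x` silences the old `%lx` warning but still pairs a signed argument with an unsigned conversion and truncates if resource_size is wider than int. Unless resource_size really is an `int`, use the matching specifier rather than a cast — `%zx` if it is `size_t`, `PRIx32` if `uint32_t` — e.g. `printk(BIOS_DEBUG, "STM: ResourceSize - 0x%08zx\n", resource_size);`. The declaration of resource_size and the rest of add_pi_resource are outside the hunk.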