1 ## SPDX-License-Identifier: GPL-2.0-only
3 config DISABLE_HECI1_AT_PRE_BOOT
4 bool "Disable HECI1 at the end of boot"
5 depends on SOC_INTEL_COMMON_BLOCK_CSE
8 This config decides the state of HECI1(CSE) device at the end of boot.
9 Mainboard users to select this config to make HECI1 `function disable`
10 prior to handing off to payload.
12 config MAX_HECI_DEVICES
16 config SOC_INTEL_COMMON_BLOCK_CSE
20 Driver for communication with Converged Security Engine (CSE)
21 over Host Embedded Controller Interface (HECI)
23 config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_SBI
25 default y if HECI_DISABLE_USING_SMM
26 select SOC_INTEL_COMMON_BLOCK_P2SB
28 Use this config to allow common CSE block to make HECI1 function disable
29 in the SMM mode. From CNL PCH onwards,`HECI1` disabling can only be done
30 using the non-posted sideband write after FSP-S sets the postboot_sai
33 config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC
36 select SOC_INTEL_COMMON_BLOCK_PMC
38 Use this config to allow common CSE block to make HECI1 function disable
39 using PMC IPC command `0xA9`. From TGL PCH onwards, disabling heci1
40 device using PMC IPC doesn't required to run the operation in SMM.
42 config SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PCR
45 select SOC_INTEL_COMMON_BLOCK_PCR
47 Use this config for SoC platform prior to CNL PCH (with postboot_sai implemented)
48 to make `HECI1` device disable using private configuration register (PCR) write.
50 config SOC_INTEL_STORE_CSE_FW_VERSION
53 depends on SOC_INTEL_CSE_LITE_SKU
55 This configuration option stores CSE RW FW version in CBMEM area.
56 This information can be used to identify if the CSE firmware update is successful
57 by comparing the currently running CSE RW firmware version against CSE version
58 belongs to the CONFIG_SOC_INTEL_CSE_RW_VERSION (decided statically while
59 building the AP FW image).
61 The way to retrieve the CSE firmware version is by sending the HECI command to
62 read the CSE Boot Partition (BP) info. The cost of sending HECI command to read
63 the CSE FW version is between 7ms-20ms (depending on the SoC architecture) hence,
64 ensure this feature is platform specific and only enabled for the platform
65 that would like to store the CSE version into the CBMEM.
67 config SOC_INTEL_CSE_FW_PARTITION_CMOS_OFFSET
70 depends on SOC_INTEL_CSE_LITE_SKU
72 This configuration option stores the starting offset of cse fw partition versions in
73 CMOS memory. The offset should be byte aligned and must leave enough memory to store
74 required firmware partition versions.
76 config SOC_INTEL_STORE_ISH_FW_VERSION
79 depends on DRIVERS_INTEL_ISH
81 This configuration option stores ISH version in CBMEM area.
82 This information can be used to identify the currently running ISH firmware
85 ISH BUP is sitting inside the CSE firmware partition. The way to retrieve the
86 ISH version is by sending the HECI command to read the CSE FPT. The cost of sending
87 HECI command to read the CSE FPT is significant (~200ms) hence, the idea is to
88 read the CSE RW version on every cold reset (to cover the CSE update scenarios)
89 and store into CBMEM to avoid the cost of resending the HECI command in all
90 consecutive warm boots.
92 Later boot stages can just read the CBMEM ID to retrieve the ISH version.
94 Additionally, ensure this feature is platform specific hence, only enabled
95 for the platform that would like to store the ISH version into the CBMEM and
96 parse to perform some additional work.
98 config SOC_INTEL_CSE_SEND_EOP_EARLY
99 bool "CSE send EOP early"
100 depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
102 Use this config to send End Of Post (EOP) earlier through SoC code in order to
103 reduce time required to send EOP and getting CSE response.
104 In later stages, CSE might be busy and might require more time to process EOP command.
105 SoC can use this Kconfig to send EOP earlier by itself.
107 config SOC_INTEL_CSE_SEND_EOP_LATE
109 depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
111 Use this config to send End Of Post (EOP) late (even after CSE `final` operation)
112 using boot state either `BS_PAYLOAD_BOOT` or `BS_PAYLOAD_LOAD` from common code
113 in order to reduce time required to send EOP and getting CSE response.
114 It has been observed that CSE might be busy and might require more time to
115 process the EOP command.
116 SoC can use this Kconfig to send EOP later by itself.
117 Starting with Jasper Lake, coreboot sends EOP before loading payload hence, this
118 config is applicable for those platforms.
120 config SOC_INTEL_CSE_SEND_EOP_ASYNC
122 depends on SOC_INTEL_COMMON_BLOCK_CSE && !SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
123 depends on !SOC_INTEL_CSE_SEND_EOP_LATE
124 depends on !SOC_INTEL_CSE_SEND_EOP_EARLY
126 Use this config to handle End Of Post (EOP) completion
127 asynchronously. The EOP command is sent first and the result
128 is checked later leaving time to CSE to complete the
129 operation while coreboot perform other activities.
130 Performing EOP asynchronously reduces the time spent
131 actively waiting for command completion which can have a
132 significant impact on boot time.
134 Using this asynchronous approach comes with the limitation
135 that no HECI command should be sent between the time the EOP
136 request is posted (at CSE .final device operation) and the
137 time coreboot check for its completion (BS_PAYLOAD_LOAD).
139 config SOC_INTEL_CSE_SEND_EOP_BY_PAYLOAD
141 depends on SOC_INTEL_COMMON_BLOCK_CSE
143 Use this config to specify that the payload will send the End Of Post (EOP) instead
146 In this case, the HECI interface needs to stay visible and the payload must support
147 sending commands to CSE.
149 config SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
151 depends on SOC_INTEL_COMMON_BLOCK_CSE
153 Use this config to specify that the payload will update the CSE RW partition instead
156 In this case, CSE shall not switch to RW partition and the payload must support
159 config SOC_INTEL_CSE_LITE_SKU
165 config SOC_INTEL_CSE_LITE_PSR
168 depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
169 select SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
171 Select this config if Platform Service Record(PSR) is supported by the platform. This
172 config is applicable only for Lite SKU, where PSR data backup is required prior to a
173 CSE firmware downgrade during which CSE data is cleared. PSR services in CSE FW is
174 enabled only post DRAM init and the command to backup PSR data is also supported only
175 post DRAM init. Hence platform that selects PSR would need to perform CSE firmware sync
178 config SOC_INTEL_CSE_SERVER_SKU
182 Enables CSE Server SKU
184 config SOC_INTEL_CSE_RW_UPDATE
185 bool "Enable the CSE RW Update Feature"
187 depends on SOC_INTEL_CSE_LITE_SKU || SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
189 This config will enable CSE RW firmware update feature and also will be used ensure
190 all the required configs are provided by mainboard.
192 config SOC_INTEL_CSE_FMAP_NAME
193 string "Name of CSE Region in FMAP" if SOC_INTEL_CSE_RW_UPDATE
196 Name of CSE region in FMAP
198 config SOC_INTEL_CSE_RW_A_FMAP_NAME
199 string "Location of CSE RW A in FMAP" if SOC_INTEL_CSE_RW_UPDATE
202 Name of CSE RW A region in FMAP
204 config SOC_INTEL_CSE_RW_B_FMAP_NAME
205 string "Location of CSE RW B in FMAP" if SOC_INTEL_CSE_RW_UPDATE
208 Name of CSE RW B region in FMAP
210 config SOC_INTEL_CSE_RW_CBFS_NAME
211 string "CBFS entry name for CSE RW blob" if SOC_INTEL_CSE_RW_UPDATE
214 CBFS entry name for Intel CSE CBFS RW blob
216 config SOC_INTEL_CSE_RW_HASH_CBFS_NAME
217 string "CBFS name for CSE RW hash file" if SOC_INTEL_CSE_RW_UPDATE
220 CBFS name for Intel CSE CBFS RW hash file
222 config SOC_INTEL_CSE_RW_VERSION_CBFS_NAME
223 string "CBFS name for CSE RW version file" if SOC_INTEL_CSE_RW_UPDATE
224 default "me_rw.version"
226 CBFS name for Intel CSE CBFS RW version file
228 config SOC_INTEL_CSE_RW_FILE
229 string "Intel CSE CBFS RW path and filename" if SOC_INTEL_CSE_RW_UPDATE && !STITCH_ME_BIN
232 Intel CSE CBFS RW blob path and file name
234 config SOC_INTEL_CSE_RW_VERSION
235 string "Intel CSE RW firmware version (deprecated)" if SOC_INTEL_CSE_RW_UPDATE
238 This config contains the Intel CSE RW version of the blob that is provided by
239 SOC_INTEL_CSE_RW_FILE config and the version must be set in the format
240 major.minor.hotfix.build (ex: 14.0.40.1209).
242 This config may be deprecated in the future. Consider not providing the CSE RW
243 firmware version here and let the CSE version be automatically queried from the CSE
244 binary at build time (available with Meteor Lake and following platforms).
246 config SOC_INTEL_CSE_SET_EOP
249 select PMC_IPC_ACPI_INTERFACE
251 This config ensures coreboot will send the CSE the End-of-POST message
252 just prior to loading the payload. This is a security feature so the
253 CSE will no longer respond to Pre-Boot commands.
255 config SOC_INTEL_CSE_SUB_PART_UPDATE
256 bool "Enable the CSE sub-partition update Feature"
258 depends on SOC_INTEL_CSE_LITE_SKU
260 This config will enable CSE sub-partition firmware update feature and also will be used ensure
261 all the required configs are provided by mainboard.
263 config SOC_INTEL_CSE_IOM_CBFS_NAME
264 string "CBFS name for CSE sub-partition IOM binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
267 CBFS entry name for Intel CSE sub-partition IOM binary
269 config SOC_INTEL_CSE_IOM_CBFS_FILE
270 string "Intel CBFS path and file name for CSE sub-partition IOM binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
273 CBFS path and file name for Intel CSE sub-partition IOM binary
275 config SOC_INTEL_CSE_NPHY_CBFS_NAME
276 string "CBFS name for CSE sub-partition NPHY binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
279 CBFS entry name for Intel CSE sub-partition NPHY binary
281 config SOC_INTEL_CSE_NPHY_CBFS_FILE
282 string "Intel CBFS path and file name for CSE sub-partition NPHY binary" if SOC_INTEL_CSE_SUB_PART_UPDATE
285 CBFS path and file name for Intel CSE sub-partition NPHY binary
287 config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
290 depends on SOC_INTEL_CSE_LITE_SKU
291 select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
293 Enable compression on Intel CSE CBFS RW blob
295 config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
297 depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
299 Mainboard user to select this Kconfig in order to capture pre-cpu
300 reset boot performance telemetry data.
302 config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY_V1
304 select SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
306 This config will make mainboard use version 1 of the CSE timestamp
307 definitions, it can be used for Alder Lake and Raptor Lake (all SKUs).
309 config SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY_V2
311 select SOC_INTEL_CSE_PRE_CPU_RESET_TELEMETRY
313 This config will make mainboard use version 2 of the CSE timestamp
314 definitions, it can be used for Meteor Lake M/P.
316 config SOC_INTEL_CSE_LITE_SYNC_IN_ROMSTAGE
318 default !SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
319 depends on SOC_INTEL_CSE_LITE_SKU && !SOC_INTEL_CSE_LITE_COMPRESS_ME_RW && !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
321 Use default flow of CSE FW Update in romstage when uncompressed ME_RW blobs are used.
323 config SOC_INTEL_CSE_LITE_SYNC_IN_RAMSTAGE
326 depends on !SOC_INTEL_CSE_LITE_SYNC_BY_PAYLOAD
328 Use this option if CSE RW update needs to be triggered during RAMSTAGE.
330 config SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
332 depends on SOC_INTEL_COMMON_BLOCK_CSE
335 This option config will allow SoC platform to use applicable ME specification.
336 The version based CSE measured ME specification data structures are defined at
337 common code. Enabling this option will use those CSE defined ME specification
338 for the SoC. User should select pertinent ME spec version along with this option.
340 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_12
342 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
344 This config will enable 'ME specification version 12'. It will ensure ME specific
345 declaration and uses of required data structures for Host firmware status registers.
347 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_13
349 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
351 This config will enable 'ME specification version 13'. It will ensure ME specific
352 declaration and uses of required data structures for Host firmware status registers.
354 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_15
356 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
358 This config will enable 'ME specification version 15'. It will ensure ME specific
359 declaration and uses of required data structures for Host firmware status registers.
361 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_16
363 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
365 This config will enable 'ME specification version 16'. It will ensure ME specific
366 declaration and uses of required data structures for Host firmware status registers.
368 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_18
370 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
372 This config will enable 'ME specification version 18'. It will ensure ME specific
373 declaration and uses of required data structures for Host firmware status registers.
375 config SOC_INTEL_COMMON_BLOCK_ME_SPEC_21
377 select SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
379 This config will enable 'ME specification version 21'. It will ensure ME specific
380 declaration and uses of required data structures for Host firmware status registers.
381 This version of ME is compatible with ME version 18 in terms of Host firmware
384 if SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
388 default 12 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_12
389 default 13 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_13
390 default 15 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_15
391 default 16 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_16
392 default 18 if SOC_INTEL_COMMON_BLOCK_ME_SPEC_18 || SOC_INTEL_COMMON_BLOCK_ME_SPEC_21
394 This config holds the ME spec version if defined.
396 endif # SOC_INTEL_CSE_HAVE_SPEC_SUPPORT
400 config CSE_COMPONENTS_PATH
401 string "Path to directory containing all CSE input components to stitch"
402 default "3rdparty/blobs/mainboard/\$(CONFIG_MAINBOARD_DIR)/firmware"
404 This is the file path containing all the input CSE component files.
405 These will be used by cse_serger tool to stitch CSE image.
408 string "Name of CSE FPT file"
409 default "cse_fpt.bin"
411 This file is the CSE input binary as released by Intel in a CSE kit.
414 string "Name of CSE data file"
415 default "cse_data.bin"
417 This file is the CSE data binary typically generated by Intel FIT tool.
420 string "Name of PMC file"
423 This file is the PMC input binary as released by Intel in a CSE kit.
426 string "Name of IOM file"
429 This file is the IOM input binary as released by Intel in a CSE kit.
432 string "Name of TBT file"
435 This file is the TBT input binary as released by Intel in a CSE kit.
438 string "Name of NPHY file"
441 This file is the NPHY input binary as released by Intel in a CSE kit.
444 string "Name of PCHC file"
447 This file is the PCHC input binary as released by Intel in a CSE kit.
450 string "Name of IUNIT file"
453 This file is the PCHC input binary as released by Intel in a CSE kit.
455 config CSE_BPDT_VERSION
458 This config indicates the BPDT version used by CSE for a given SoC.
461 string "Name of OEM Key Manifest file"
464 OEM Key Manifest lists the public key hashes used for authenticating the
465 OEM created binaries to be loaded. This binary is generated by signing with
466 the key owned by trusted owner.
470 config CSE_RESET_CLEAR_EC_AP_IDLE_FLAG
472 default y if !SYSTEM_TYPE_LAPTOP
474 Select this if the variant is a Chromebox/base. This allows AP to direct EC
475 to clear AP_IDLE flag before triggering reset to make sure AP can boot up