security/intel/acm/Makefile.mk: add ACMs to appropriate redundancy re…

build.sh

@@ -359,7 +359,7 @@ case "$CMD" in
         build_msi ddr5 "Z790-P DDR5 "
         ;;
     "vp66xx" | "VP66XX")
-        BOARD="vp66xx"
+        BOARD="vp66xx_cmos_edk2"
         build_protectli_vault
         ;;
     "vp46xx" | "VP46XX")

configs/config.protectli_vp66xx_cmos_edk2

@@ -0,0 +1,62 @@
+CONFIG_LOCALVERSION="v0.9.3-rc1"
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_VENDOR_PROTECTLI=y
+CONFIG_PCIEXP_L1_SUB_STATE=y
+CONFIG_PCIEXP_CLK_PM=y
+CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/$(MAINBOARDDIR)/descriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/$(MAINBOARDDIR)/me.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x100000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_PROTECTLI_VP66XX=y
+CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS=y
+CONFIG_PCIEXP_LANE_ERR_STAT_CLEAR=y
+CONFIG_DRIVERS_EFI_VARIABLE_STORE=y
+CONFIG_DRIVERS_EFI_FW_INFO=y
+CONFIG_DRIVERS_GENERIC_CBFS_SERIAL=y
+CONFIG_DRIVERS_GENERIC_CBFS_UUID=y
+CONFIG_TPM2=y
+# CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
+CONFIG_POST_DEVICE_LPC=y
+CONFIG_PAYLOAD_EDK2=y
+CONFIG_EDK2_SERIAL_SUPPORT=y
+CONFIG_DASHARO=y
+CONFIG_EDK2_DASHARO_SERIAL_REDIRECTION_DEFAULT_ENABLE=y
+# CONFIG_EDK2_SECURE_BOOT_DEFAULT_ENABLE is not set
+CONFIG_EDK2_HAVE_2ND_UART=y
+CONFIG_EDK2_DASHARO_SERIAL_REDIRECTION2_DEFAULT_ENABLE=y
+CONFIG_EDK2_DASHARO_CPU_CONFIG=y
+CONFIG_EDK2_CORE_DISABLE_OPTION=y
+CONFIG_EDK2_HYPERTHREADING_OPTION=y
+CONFIG_EDK2_BOOT_MENU_KEY=0x0015
+CONFIG_EDK2_SETUP_MENU_KEY=0x0008
+CONFIG_EDK2_DISABLE_OPTION_ROMS=y
+CONFIG_EDK2_CREATE_PREINSTALLED_BOOT_OPTIONS=y
+CONFIG_EDK2_SETUP_PASSWORD=y
+CONFIG_EDK2_DASHARO_SYSTEM_FEATURES=y
+CONFIG_EDK2_DASHARO_SECURITY_OPTIONS=y
+CONFIG_EDK2_DASHARO_USB_CONFIG=y
+CONFIG_EDK2_DASHARO_POWER_CONFIG=y
+CONFIG_EDK2_FAN_CURVE_OPTION=y
+CONFIG_EDK2_FAN_OFF_CURVE_OPTION=y
+CONFIG_EDK2_CPU_THROTTLING_THRESHOLD_OPTION=y
+CONFIG_EDK2_DASHARO_NETWORK_BOOT_DEFAULT_ENABLE=y
+CONFIG_EDK2_USE_EDK2_PLATFORMS=y
+CONFIG_EDK2_PLATFORMS_REPOSITORY="https://github.com/Dasharo/edk2-platforms"
+CONFIG_EDK2_PLATFORMS_TAG_OR_REV="1002a59639f111a2f8178b77d1f5fde0ea8d976f"
+CONFIG_EDK2_CBMEM_LOGGING=y
+CONFIG_EDK2_FOLLOW_BGRT_SPEC=y
+# CONFIG_EDK2_PRIORITIZE_INTERNAL is not set
+# CONFIG_EDK2_PS2_SUPPORT is not set
+CONFIG_EDK2_SERIAL_SUPPORT=y
+CONFIG_BUILD_IPXE=y
+CONFIG_IPXE_ADD_SCRIPT=y
+CONFIG_IPXE_SCRIPT="3rdparty/dasharo-blobs/dasharo/protectli.ipxe"
+CONFIG_IPXE_CUSTOM_BUILD_ID="0123456789"
+CONFIG_EDK2_ENABLE_IPXE=y
+CONFIG_EDK2_IPXE_OPTION_NAME="Network Boot and Utilities"
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
+# CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
+# CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
+CONFIG_POST_DEVICE_LPC=y

configs/config.protectli_vp66xx_cmos_seabios

@@ -0,0 +1,24 @@
+CONFIG_LOCALVERSION="v0.9.3-rc1"
+CONFIG_VENDOR_PROTECTLI=y
+CONFIG_BOARD_PROTECTLI_VP66XX=y
+CONFIG_PCIEXP_L1_SUB_STATE=y
+CONFIG_PCIEXP_CLK_PM=y
+CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/$(MAINBOARDDIR)/descriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/$(MAINBOARDDIR)/me.bin"
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x100000
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y
+CONFIG_HAVE_ME_BIN=y
+CONFIG_ME_REGION_ALLOW_CPU_READ_ACCESS=y
+CONFIG_PCIEXP_LANE_ERR_STAT_CLEAR=y
+CONFIG_DRIVERS_GENERIC_CBFS_SERIAL=y
+CONFIG_DRIVERS_GENERIC_CBFS_UUID=y
+CONFIG_TPM2=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
+CONFIG_BOOTMEDIA_SMM_BWP=y
+# CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
+CONFIG_POST_DEVICE_LPC=y
+# CONFIG_OPTION_BACKEND_NONE is not set
+CONFIG_HAVE_OPTION_TABLE=y
+CONFIG_HAVE_CMOS_DEFAULT=y
+CONFIG_USE_OPTION_TABLE=y

src/mainboard/protectli/vault_adl_p/Kconfig

@@ -16,6 +16,13 @@ config BOARD_SPECIFIC_OPTIONS
 	select INTEL_GMA_HAVE_VBT
 	select MEMORY_MAPPED_TPM
 	select USE_DDR5
+	select HAVE_OPTION_TABLE
+	select HAVE_CMOS_DEFAULT
+	select USE_OPTION_TABLE
+	select INTEL_HAS_TOP_SWAP
+	select INTEL_ADD_TOP_SWAP_BOOTBLOCK
+	select INTEL_TOP_SWAP_SEPARATE_REGIONS
+	select INTEL_TOP_SWAP_OPTION_CONTROL
 
 config MAINBOARD_DIR
 	default "protectli/vault_adl_p"
@@ -67,7 +74,8 @@ config SOC_INTEL_CSE_SEND_EOP_EARLY
 	default n
 
 config FMDFILE
-	default "src/mainboard/\$(CONFIG_MAINBOARD_DIR)/vboot-rwa.fmd" if VBOOT && VBOOT_SLOTS_RW_A
+	default "src/mainboard/\$(CONFIG_MAINBOARD_DIR)/vboot-rwa.fmd" if VBOOT
+	default "src/mainboard/\$(CONFIG_MAINBOARD_DIR)/top_swap.fmd" if INTEL_HAS_TOP_SWAP
 
 config BEEP_ON_BOOT
 	bool "Beep on successful boot"

src/mainboard/protectli/vault_adl_p/cmos.default

@@ -0,0 +1,6 @@
+## SPDX-License-Identifier: GPL-2.0-only
+
+boot_option=Fallback
+debug_level=Debug
+me_state=Disable
+attempt_slot_b=Disable

src/mainboard/protectli/vault_adl_p/cmos.layout

@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+entries
+
+0	384	r	0	reserved_memory
+
+# RTC_BOOT_BYTE (coreboot hardcoded)
+384	1	e	4	boot_option
+388	4	h	0	reboot_counter
+
+# RTC_CLK_ALTCENTURY
+400	8	r	0	century
+
+412	4	e	6	debug_level
+416	1	e	2	me_state
+417	3	h	0	me_state_counter
+420	1	e	7	attempt_slot_b
+
+# CMOS_VSTART_ramtop
+800	80	r	0	ramtop
+
+984	16	h	0	check_sum
+
+enumerations
+
+2	0	Enable
+2	1	Disable
+
+4	0	Fallback
+4	1	Normal
+
+6	0	Emergency
+6	1	Alert
+6	2	Critical
+6	3	Error
+6	4	Warning
+6	5	Notice
+6	6	Info
+6	7	Debug
+6	8	Spew
+
+7	0	Disable
+7	1	Enable
+
+checksums
+
+checksum 408 799 984

src/mainboard/protectli/vault_adl_p/top_swap.fmd

@@ -0,0 +1,40 @@
+FLASH 16M {
+	SI_ALL@0x0 {
+		SI_DESC 4K
+		SI_ME 0x4c0000
+		SI_DEVICEEXT2 0xbf000
+	}
+	SI_BIOS@0x580000 0xa80000 {
+		SMMSTORE(PRESERVE) 256K
+
+		RW_MISC 320K {
+			UNIFIED_MRC_CACHE(PRESERVE) {
+				RECOVERY_MRC_CACHE 128K
+				RW_MRC_CACHE 128K
+			}
+			RW_VPD(PRESERVE) 8K
+			RW_NVRAM(PRESERVE) 24K
+		}
+
+		BOOTSPLASH(CBFS) 512K
+
+		RW_SECTION_A {
+			VBLOCK_A 64K
+			COREBOOT_TS(CBFS)
+			RW_FWID_A 0x100
+		}
+
+		WP_RO 4M {
+			RO_VPD(PRESERVE) 16K
+			RO_SECTION {
+				FMAP 2K
+				RO_FRID 0x100
+				RO_FRID_PAD 0x700
+				GBB 12K
+				COREBOOT(CBFS)
+			}
+		}
+		TOPSWAP(CBFS) 512K
+		BOOTBLOCK(CBFS) 512K
+	}
+}

src/security/intel/acm/Makefile.mk

@@ -8,6 +8,10 @@ $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-file := $(CONFIG_INTEL_TXT_BIOSACM_FILE)
 $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-type := raw
 $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM)-align := $(CONFIG_INTEL_TXT_BIOSACM_ALIGNMENT)
 
+ifeq ($(CONFIG_INTEL_TOP_SWAP_SEPARATE_REGIONS))
+regions-for-file-$(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) = BOOTBLOCK,TOPSWAP
+endif # INTEL_TOP_SWAP_SEPARATE_REGIONS
+
 ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)
 $(call add_intermediate, add_acm_fit, $(IFITTOOL) set_fit_ptr)
 	$(IFITTOOL) -r COREBOOT -a -n $(CONFIG_INTEL_TXT_CBFS_BIOS_ACM) -t 2 \
@@ -23,6 +27,11 @@ $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-file := $(CONFIG_INTEL_TXT_SINITACM_FILE)
 $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-type := raw
 $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-align := 0x10
 $(CONFIG_INTEL_TXT_CBFS_SINIT_ACM)-compression := lzma
+
+ifeq ($(CONFIG_INTEL_TOP_SWAP_SEPARATE_REGIONS))
+regions-for-file-$(CONFIG_INTEL_TXT_CBFS_SINIT_ACM) = BOOTBLOCK,TOPSWAP
+endif # INTEL_TOP_SWAP_SEPARATE_REGIONS
+
 endif
 
 ifeq ($(CONFIG_CPU_INTEL_FIRMWARE_INTERFACE_TABLE),y)