CometlakeOpenBoardPkg: Add package and headers

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2280

Create the CometlakeOpenBoardPkg to provide board support code. The
package may support Cometlake boards. The package serves as a board
support package in the EDK II Minimum Platform design. Silicon support
for this package is provided in CometLakeFspBinPkg in the FSP repository
and CoffeelakeSiliconPkg in the edk2-platforms repository.

Signed-off-by: Kathappan Esakkithevar <[email protected]>
Cc: Sai Chaganty <[email protected]>
Cc: Chasel Chiu <[email protected]>
Cc: Nate DeSimone <[email protected]>
Cc: Deepika Kethi Reddy <[email protected]>
Reviewed-by: Chasel Chiu <[email protected]>
Reviewed-by: Nate DeSimone <[email protected]>
Reviewed-by: Sai Chaganty <[email protected]>

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/DxeCheckIommuSupportLib.h

@@ -0,0 +1,43 @@
+/** @file
+  Header file for the DxeCheckIommuSupport library.
+
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _DXE_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+#define _DXE_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+
+/**
+  Detect ME FW and Board Type and return the result via IommuSkuCheck.
+
+  IommuSkuCheck
+  BIT0: Indicate system has a Corporate CSME firmware
+  BIT1: Indicate BIOS is running on a CML RVP
+  BIT2: Indicate BIOS is running on a CFL-H RVP
+  BIT3: Indicate BIOS is running on a CFL-S 8+2 RVP
+
+  @retval Return 0 means not support, otherwise value is defined by IommuSkuCheck
+**/
+UINT8
+DetectMeAndBoard (
+  VOID
+  );
+
+/**
+  DxeCheckIommuSupport
+
+  Only WHL/CFL-H/CFL-S 8+2 Crop SKUs support Iommu.
+  This function will save sku information to PcdIommuSkuCheck.
+  BIOS will use PcdIommuSkuCheck and other factors to set PcdVTdPolicyPropertyMask on the next boot in PEI phase
+
+  This function might perform a system reset.
+**/
+EFI_STATUS
+EFIAPI
+DxeCheckIommuSupport (
+  VOID
+  );
+#endif // _DXE_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/DxeTbtPolicyLib.h

@@ -0,0 +1,49 @@
+/** @file
+  Prototype of the DxeTbtPolicyLib library.
+
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _DXE_TBT_POLICY_LIB_H_
+#define _DXE_TBT_POLICY_LIB_H_
+
+
+/**
+  Install TBT Policy.
+
+  @param[in] ImageHandle                Image handle of this driver.
+
+  @retval EFI_SUCCESS                   The policy is installed.
+  @retval EFI_OUT_OF_RESOURCES          Insufficient resources to create buffer
+
+**/
+EFI_STATUS
+EFIAPI
+InstallTbtPolicy (
+  IN  EFI_HANDLE                    ImageHandle
+  );
+
+/**
+  Update Tbt Policy Callback.
+
+  @param[in] Event         A pointer to the Event that triggered the callback.
+  @param[in] Context       A pointer to private data registered with the callback function.
+
+**/
+VOID
+EFIAPI
+UpdateTbtPolicyCallback (
+  VOID
+  );
+
+/**
+  Print DXE TBT Policy
+**/
+VOID
+TbtPrintDxePolicyConfig (
+  VOID
+  );
+#endif // _DXE_TBT_POLICY_LIB_H_
+

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/DxeTbtSecurityLib.h

@@ -0,0 +1,131 @@
+/** @file
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _TBT_SECURITY_LIB_H_
+#define _TBT_SECURITY_LIB_H_
+
+#include <Protocol/Tcg2Protocol.h>
+#include <Protocol/AcpiTable.h>
+#include <IndustryStandard/Pci.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/PcdLib.h>
+#include <Library/PciSegmentLib.h>
+#include <Library/AslUpdateLib.h>
+#include <Library/UefiLib.h>
+#include <Uefi.h>
+#include <SetupVariable.h>
+#include <OemSetup.h>
+#include <DmaRemappingTable.h>
+#include <PcieRegs.h>
+#include <Tcg2ConfigNvData.h>
+#include <TbtPolicyCommonDefinition.h>
+#include <Library/TbtCommonLib.h>
+
+#define TBT_SECURITY_EVENT_STRING                 "DMA Protection Disabled"
+#define TBT_SECURITY_EVENT_STRING_LEN             (sizeof (TBT_SECURITY_EVENT_STRING) - 1)
+
+#define TBT_SECURITY_LEVEL_DOWNGRADED_STRING      "Security Level is Downgraded to 0"
+#define TBT_SECURITY_LEVEL_DOWNGRADED_STRING_LEN  (sizeof (TBT_SECURITY_LEVEL_DOWNGRADED_STRING) - 1)
+
+#define GET_TBT_SECURITY_MODE    0
+#define SET_TBT_SECURITY_MODE    1
+
+typedef struct {
+  UINT8       EnableVtd;
+  BOOLEAN     SLDowngrade;
+} PCR7_DATA;
+
+/**
+  TBT Security ExtendPCR7 CallBackFunction
+  If the firmware/BIOS has an option to enable and disable DMA protections via a VT-d switch in BIOS options, then the shipping configuration must be with VT-d protection enabled.
+  On every boot where VT-d/DMA protection is disabled, or will be disabled, or configured to a lower security state, and a platform has a TPM enabled, then the platform SHALL extend an EV_EFI_ACTION event into PCR[7] before enabling external DMA.
+  The event string SHALL be "DMA Protection Disabled". The platform firmware MUST log this measurement in the event log using the string "DMA Protection Disabled" for the Event Data.
+  Measure and log launch of TBT Security, and extend the measurement result into a specific PCR.
+  Extend an EV_EFI_ACTION event into PCR[7] before enabling external DMA. The event string SHALL be "DMA Protection Disabled". The platform firmware MUST log this measurement in the event log using the string "DMA Protection Disabled" for the Event Data.
+
+  @param[in] Event     - A pointer to the Event that triggered the callback.
+  @param[in] Context   - A pointer to private data registered with the callback function.
+**/
+VOID
+EFIAPI
+ExtendPCR7CallBackFunction (
+  IN EFI_EVENT    Event,
+  IN VOID         *Context
+  );
+
+/**
+  TBT Security DisableBme CallBackFunction
+
+  BIOS will disable BME and tear down the Thunderbolt DMAR tables at ExitBootServices
+  in order to hand off security of TBT hierarchies to the OS.
+  The BIOS is expected to either: Disable BME from power on till the OS starts configuring the devices and enabling BME Enable BME only for devices that can be protected by VT-d in preboot environment,
+  but disable BME and tear down any Thunderbolt DMAR tables at ExitBootServices()
+
+  @param[in] Event     - A pointer to the Event that triggered the callback.
+  @param[in] Context   - A pointer to private data registered with the callback function.
+**/
+VOID
+EFIAPI
+TbtDisableBmeCallBackFunction (
+  IN EFI_EVENT    Event,
+  IN VOID         *Context
+  );
+
+/**
+  TBT Security SetDmarOptIn CallBackFunction
+
+  A new security feature will be supported to protect against Physical DMA attacks over Thunderbolt connects.
+  In order to do this, they need a new flag added to the DMAR tables that a DMA is only permitted into RMRR at ExitBootServices().  With this flag available, OS can then Bug Check if any DMA is requested outside of the RMRR before OS supported device drivers are started.
+  ReadyToBoot callback routine to update DMAR BIT2
+  Bit definition: DMA_CONTROL_GUARANTEE
+  If Set, the platform supports blocking all DMA outside of the regions defined in the RMRR structures from ExitBootServices() until OS supported device drivers are started.
+
+  @param[in] Event     - A pointer to the Event that triggered the callback.
+  @param[in] Context   - A pointer to private data registered with the callback function.
+**/
+VOID
+EFIAPI
+SetDmarOptInCallBackFunction (
+  IN EFI_EVENT    Event,
+  IN VOID         *Context
+  );
+
+
+/**
+  The function install DisableBme protocol for TBT Shell validation
+**/
+VOID
+InstallDisableBmeProtocol (
+  VOID
+  );
+
+/**
+  Get or set Thunderbolt(TM) security mode
+
+  @param[in]  DelayTime           - The delay time after do ForcePwr
+  @param[in]  SecurityMode        - TBT Security Level
+  @param[in]  Gpio3ForcePwrEn     - Force GPIO to power on or not
+  @param[in]  DTbtController      - Enable/Disable DTbtController
+  @param[in]  MaxControllerNumber - Number of contorller
+  @param[in]  Action              - 0 = get, 1 = set
+
+  @retval                         - Return security level
+**/
+UINT8
+EFIAPI
+GetSetSecurityMode (
+  IN UINTN                       DelayTime,
+  IN UINT8                       SecurityMode,
+  IN UINT8                       Gpio3ForcePwrEn,
+  IN UINT8                       *DTbtController,
+  IN UINT8                       MaxControllerNumber,
+  IN UINT8                       Action
+);
+#endif
+

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/PeiCheckIommuSupportLib.h

@@ -0,0 +1,21 @@
+/** @file
+  Header file for the PeiCheckIommuSupport library.
+
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _PEI_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+#define _PEI_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+
+/**
+  Check Iommu Ability base on SKU type, CSME FW type, Vtd and setup options.
+**/
+VOID
+PeiCheckIommuSupport (
+  VOID
+  );
+
+#endif // _PEI_CHECK_IOMMU_SUPPORT_LIBRARY_H_
+

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/PeiTbtPolicyLib.h

@@ -0,0 +1,43 @@
+/** @file
+  Prototype of the PeiTbtPolicyLib library.
+
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _PEI_TBT_POLICY_LIB_H_
+#define _PEI_TBT_POLICY_LIB_H_
+
+/**
+  Install Tbt Policy
+
+  @retval EFI_SUCCESS                   The policy is installed.
+  @retval EFI_OUT_OF_RESOURCES          Insufficient resources to create buffer
+
+**/
+EFI_STATUS
+EFIAPI
+InstallPeiTbtPolicy (
+  VOID
+  );
+
+/**
+  Update PEI TBT Policy Callback
+**/
+VOID
+EFIAPI
+UpdatePeiTbtPolicyCallback (
+  VOID
+  );
+
+/**
+  Print PEI TBT Policy
+**/
+VOID
+EFIAPI
+TbtPrintPeiPolicyConfig (
+  VOID
+  );
+#endif // _DXE_TBT_POLICY_LIB_H_
+

Platform/Intel/CometlakeOpenBoardPkg/Features/Tbt/Include/Library/PeiTbtTaskDispatchLib.h

@@ -0,0 +1,61 @@
+/** @file
+  PEI TBT Task Dispatch library Header file
+
+
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef __PEI_TBT_TASK_DISPATCH_LIB_H__
+#define __PEI_TBT_TASK_DISPATCH_LIB_H__
+#include <Library/PeiServicesLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/GpioLib.h>
+#include <Library/IoLib.h>
+#include <Library/PciSegmentLib.h>
+#include <Library/HobLib.h>
+#include <Library/PcdLib.h>
+#include <Ppi/PeiTbtPolicy.h>
+
+typedef
+EFI_STATUS
+(EFIAPI *TBT_TASK) (
+  PEI_TBT_POLICY  *PeiTbtConfig
+);
+
+typedef enum {
+  TBT_NULL,                ///< All policy flags turned off.
+  TBT_NORMAL   = (1 << 0), ///< Execute TBT function on cold reset.
+  TBT_S3       = (1 << 1), ///< Execute TBT function on S3 exit.
+  TBT_S4       = (1 << 2), ///< Execute TBT function on S4 exit.
+  TBT_ALL      = MAX_UINTN ///< Execute TBT function always.
+} TBT_BOOT_MODE;
+
+typedef struct {
+  TBT_TASK      TbtTask;         ///< Ptr to function to execute, with parameter list.
+  TBT_BOOT_MODE TbtBootModeFlag; ///< Call table base on TbtBootModeFlag
+  CHAR8         *String;         ///< Output string describing this task.
+} TBT_CALL_TABLE_ENTRY;
+
+/**
+  Covert the current EFI_BOOT_MODE to TBT_BOOT_MODE
+**/
+TBT_BOOT_MODE
+TbtGetBootMode (
+  VOID
+);
+
+/**
+  TbtTaskDistpach: Dispatch the TBT tasks according to TBT_CALL_TABLE_ENTRY
+
+  @param[in] TBT_CALL_TABLE_ENTRY   TbtCallTable
+
+**/
+VOID
+TbtTaskDistpach (
+  IN TBT_CALL_TABLE_ENTRY *TbtCallTable
+);
+#endif
+