Move security support from main app to drivers

- No board change; continue selecting `SECURITY` config
- Security state enum moved to driver header
- Update related doc

Signed-off-by: Tim Crawford <[email protected]>

Author: crawfxrd

docs/security.md

@@ -1,13 +1,18 @@
 # Firmware security
 
 The firmware security feature can be configured by setting `CONFIG_SECURITY=1`
-in the `src/board/system76/[board]/board.mk` file. This feature prevents
+in the `src/board/system76/<board>/board.mk` file. This feature prevents
 programming the EC firmware at runtime, unless the EC is unlocked with the
 `system76-ectool security unlock` command. After this, on the next reboot, the
-EC will respond to the SPI and reset commands. On boards where the `ME_WE` GPIO
-exists, it will be set high when the EC security state is unlocked.
+EC will respond to the SPI and reset commands.
+
+This feature will drive the `ME_WE` pin high when the state is unlocked. On
+Intel hosts, this pin is connected to `HDA_SDO` and will disable security
+policies set in the flash descriptor.
+
+- `HDA_SDO`: Flash Descriptor Security Override
 
 Other firmware components can use this state to perform their own locking and
-unlocking primitives. For example, in `coreboot`, flash regions may be locked
-when the EC security state is locked. In `EDK2`, a physical presence dialog may
-be shown when the EC security state is unlocked.
+unlocking primitives. For example, in coreboot, flash regions may be locked
+when the EC security state is locked. In the UEFI payload, a physical presence
+dialog may be shown when the EC security state is unlocked.

src/app/main/Makefile.mk

@@ -18,7 +18,6 @@ app-y += pnp.c
 app-y += ps2.c
 app-y += pwm.c
 app-y += scratch.c
-app-$(CONFIG_SECURITY) += security.c
 app-y += smbus.c
 app-y += smfi.c
 app-y += stdio.c
@@ -40,10 +39,6 @@ CFLAGS += -DI2C_SMBUS=$(CONFIG_I2C_SMBUS)
 # Uncomment to enable I2C debug on 0x76
 #CFLAGS+=-DI2C_DEBUGGER=0x76
 
-ifeq ($(CONFIG_SECURITY),y)
-CFLAGS+=-DCONFIG_SECURITY=1
-endif
-
 ifeq ($(CONFIG_PLATFORM_INTEL),y)
 app-y += peci.c
 app-y += power/intel.c

src/app/main/include/app/security.h

@@ -26,7 +26,7 @@
 #endif
 
 #if CONFIG_SECURITY
-#include <app/security.h>
+#include <drivers/security/security.h>
 #endif // CONFIG_SECURITY
 
 #define GPIO_SET_DEBUG(G, V) \

src/app/main/power/intel.c

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-3.0-only
 
-#include <app/security.h>
+#include "security.h"
 #include <board/gpio.h>
 
 static enum SecurityState security_state = SECURITY_STATE_LOCK;

src/app/main/security.c

@@ -22,7 +22,7 @@
 #include <app/scratch.h>
 
 #if CONFIG_SECURITY
-#include <app/security.h>
+#include <drivers/security/security.h>
 #endif // CONFIG_SECURITY
 #endif // !defined(__SCRATCH__)
 

src/app/main/smfi.c

@@ -77,15 +77,4 @@ enum CommandSpiFlag {
 
 #define CMD_LED_INDEX_ALL 0xFF
 
-enum SecurityState {
-    // Default value, flashing is prevented, cannot be set with CMD_SECURITY_SET
-    SECURITY_STATE_LOCK = 0,
-    // Flashing is allowed, cannot be set with CMD_SECURITY_SET
-    SECURITY_STATE_UNLOCK = 1,
-    // Flashing will be prevented on the next reboot
-    SECURITY_STATE_PREPARE_LOCK = 2,
-    // Flashing will be allowed on the next reboot
-    SECURITY_STATE_PREPARE_UNLOCK = 3,
-};
-
 #endif // _COMMON_COMMAND_H

src/common/include/common/command.h

@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: GPL-3.0-only
+# SPDX-FileCopyrightText: 2025 System76, Inc.
+
+# Firmware security state feature.
+#
+# Requires:
+# - Board must declare the `ME_WE` pin.
+#
+# External integrations:
+# - system76/coreboot: `ec/system76/ec` config `EC_SYSTEM76_EC_LOCKDOWN`.
+# - system76/firmware-setup: UEFI protocol for physical presence prompt.
+
+ifeq ($(CONFIG_SECURITY),y)
+
+CFLAGS += -DCONFIG_SECURITY=1
+
+drivers-y += security.c
+
+endif

src/drivers/security/Makefile.mk

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: GPL-3.0-only
+
+#include "security.h"
+#include <board/gpio.h>
+
+static enum SecurityState security_state = SECURITY_STATE_LOCK;
+
+enum SecurityState security_get(void) {
+    return security_state;
+}
+
+bool security_set(enum SecurityState state) {
+    switch (state) {
+    // Allow prepare states to be set
+    case SECURITY_STATE_PREPARE_LOCK:
+    case SECURITY_STATE_PREPARE_UNLOCK:
+        security_state = state;
+        return true;
+    // Any other states will be ignored
+    default:
+        return false;
+    }
+}
+
+bool security_power(void) {
+    switch (security_state) {
+    // Apply lock state and power on
+    case SECURITY_STATE_PREPARE_LOCK:
+        gpio_set(&ME_WE, false);
+        security_state = SECURITY_STATE_LOCK;
+        return true;
+    // Apply unlock state and power on
+    case SECURITY_STATE_PREPARE_UNLOCK:
+        gpio_set(&ME_WE, true);
+        security_state = SECURITY_STATE_UNLOCK;
+        return true;
+    // Any other states will be ignored
+    default:
+        return false;
+    }
+}

src/drivers/security/security.c

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-3.0-only
+
+#ifndef _DRIVERS_SECURITY_H
+#define _DRIVERS_SECURITY_H
+
+#include <stdbool.h>
+
+enum SecurityState {
+    // Default value, flashing is prevented, cannot be set with CMD_SECURITY_SET
+    SECURITY_STATE_LOCK = 0,
+    // Flashing is allowed, cannot be set with CMD_SECURITY_SET
+    SECURITY_STATE_UNLOCK = 1,
+    // Flashing will be prevented on the next reboot
+    SECURITY_STATE_PREPARE_LOCK = 2,
+    // Flashing will be allowed on the next reboot
+    SECURITY_STATE_PREPARE_UNLOCK = 3,
+};
+
+enum SecurityState security_get(void);
+bool security_set(enum SecurityState state);
+bool security_power(void);
+
+#endif // _DRIVERS_SECURITY_H