Redundancy backport capsule wip

configs/config.protectli_vp66xx_cmos_edk2

@@ -60,3 +60,5 @@ CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
 # CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
 # CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
 CONFIG_POST_DEVICE_LPC=y
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
+CONFIG_BOOTMEDIA_LOCK_TOPSWAP=y

payloads/external/edk2/Kconfig.dasharo

@@ -4,7 +4,7 @@ config EDK2_REPOSITORY
 	default "https://github.com/Dasharo/edk2"
 
 config EDK2_TAG_OR_REV
-	default "42934b120ff2a73051f64926e45fe5c2750ad741"
+	default "origin/capsule_redundancy"
 
 config EDK2_SYSTEM76_EC_LOGGING
 	bool "Enable edk2 logging to System76 EC"

src/mainboard/protectli/vault_adl_p/Kconfig

@@ -20,9 +20,11 @@ config BOARD_SPECIFIC_OPTIONS
 	select HAVE_CMOS_DEFAULT
 	select USE_OPTION_TABLE
 	select INTEL_HAS_TOP_SWAP
-	select INTEL_ADD_TOP_SWAP_BOOTBLOCK
-	select INTEL_TOP_SWAP_SEPARATE_REGIONS
-	select INTEL_TOP_SWAP_OPTION_CONTROL
+	select TOP_SWAP_REDUNDANCY
+	select CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE
+
+config INTEL_TOP_SWAP_BOOTBLOCK_SIZE
+       default 0x80000
 
 config MAINBOARD_DIR
 	default "protectli/vault_adl_p"

src/security/lockdown/Kconfig

@@ -72,6 +72,18 @@ config BOOTMEDIA_LOCK_WPRO_VBOOT_RO
 	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or
 	  has to be triggered later (e.g. by the payload or the OS).
 
+config BOOTMEDIA_LOCK_TOPSWAP
+	bool "Write-protect the COREBOOT & BOOTBLOCK regions"
+	depends on TOP_SWAP_REDUNDANCY
+	depends on BOOTMEDIA_LOCK_CONTROLLER
+	help
+	  Select this if you want to write-protect the BOOTBLOCK and COREBOOT
+	  (Slot A) regions as specified in the Top Swap FMAP. You will be able to
+	  write to the TOPSWAP and COREBOOT_TS (Slot B) regions and set the
+	  attempt_slot_b CMOS option to run updated firmware. The BOOTBLOCK and
+	  COREBOOT regions will remain a read-only golden copy, which you can
+	  then revert to by resetting CMOS.
+
 endchoice
 
 config BOOTMEDIA_LOCK_IN_VERSTAGE

src/security/lockdown/lockdown.c

@@ -33,6 +33,9 @@ void boot_device_security_lockdown(void)
 		} else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
 			printk(BIOS_DEBUG, "'WP_RO only'");
 			lock_type = CTRLR_WP;
+		} else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) {
+			printk(BIOS_DEBUG, "'COREBOOT + BOOTBLOCK'");
+			lock_type = CTRLR_WP;
 		}
 		printk(BIOS_DEBUG, " using CTRL...\n");
 	} else {
@@ -51,6 +54,11 @@ void boot_device_security_lockdown(void)
 			printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
 		else
 			rdev = &dev;
+	} else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) {
+		if (fmap_locate_area_as_rdev("COREBOOT", &dev) < 0)
+			printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'COREBOOT'\n");
+		else
+			rdev = &dev;
 	} else {
 		rdev = boot_device_ro();
 	}
@@ -59,6 +67,18 @@ void boot_device_security_lockdown(void)
 		printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n");
 	else
 		printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n");
+
+	if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) {
+		/*
+		 * Additionally set a protected range for the BOOTBLOCK region
+		 */
+		if (fmap_locate_area_as_rdev("BOOTBLOCK", &dev) < 0)
+			printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'BOOTBLOCK'\n");
+		else if (boot_device_wp_region(&dev, lock_type) >= 0)
+			printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection for BOOTBLOCK\n");
+		else
+			printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection for BOOTBLOCK\n");
+	}
 }
 
 static void lock(void *unused)

src/soc/intel/common/Kconfig.common

@@ -66,6 +66,19 @@ config INTEL_TOP_SWAP_OPTION_CONTROL
 	  option. Note that the option must be present in the board's cmos.layout.
 	  file.
 
+config TOP_SWAP_REDUNDANCY
+	bool "Toggle the Intel Top Swap - based redundancy"
+	depends on HAVE_OPTION_TABLE && INTEL_HAS_TOP_SWAP
+	select INTEL_ADD_TOP_SWAP_BOOTBLOCK
+	select INTEL_TOP_SWAP_SEPARATE_REGIONS
+	select INTEL_TOP_SWAP_OPTION_CONTROL
+	help
+	  Toggle the Intel Top Swap based redundancy, where the BOOTBLOCK and COREBOOT
+	  regions form a read-only golden copy and TOPSWAP and COREBOOT_TS are an
+	  update partition. CMOS option "attempt_top_swap" decides which of the slots
+	  gets booted, which means the platform can be reverted to the known-good copy
+	  via CMOS reset.
+
 endif
 
 config SOC_INTEL_COMMON

src/southbridge/intel/common/firmware/Makefile.mk

@@ -49,7 +49,7 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y)
 add_intel_firmware: $(call strip_quotes,$(CONFIG_EC_BIN_PATH))
 endif
 add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL)
-ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y)
+ifeq ($(CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y)
 	printf "    IFDTOOL    Modifying top swap PCH strap in IFD\n"
 	printf "     $(IFDTOOL_USE_CHIPSET)"
 	$(objutil)/ifdtool/ifdtool \
@@ -58,7 +58,7 @@ ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y)
 		-O $(obj)/ifd_custom_tsbs \
 		$(IFD_BIN_PATH)
 	printf "    DD         Adding Intel Firmware Descriptor\n"
-	dd if=$(obj)/ifd_custom_tsbs\
+	dd if=$(obj)/ifd_custom_tsbs \
 		of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
 else
 	printf "    DD         Adding Intel Firmware Descriptor\n"