Move security support from common to drivers

crawfxrd · crawfxrd · commit bc4107d9c59a · 2025-11-18T15:09:14.000-07:00
- No board change; continue selecting `CONFIG_SECURITY`
- Security state enum moved to driver header
- Update related doc

Signed-off-by: Tim Crawford &lt;tcrawford@system76.com&gt;
diff --git a/docs/security.md b/docs/security.md
@@ -1,13 +1,18 @@
 # Firmware security
 
 The firmware security feature can be configured by setting `CONFIG_SECURITY=1`
-in the `src/board/system76/[board]/board.mk` file. This feature prevents
+in the `src/board/system76/<board>/board.mk` file. This feature prevents
 programming the EC firmware at runtime, unless the EC is unlocked with the
 `system76-ectool security unlock` command. After this, on the next reboot, the
-EC will respond to the SPI and reset commands. On boards where the `ME_WE` GPIO
-exists, it will be set high when the EC security state is unlocked.
+EC will respond to the SPI and reset commands.
+
+This feature will drive the `ME_WE` pin high when the state is unlocked. On
+Intel hosts, this pin is connected to `HDA_SDO` and will disable security
+policies set in the flash descriptor.
+
+- `HDA_SDO`: Flash Descriptor Security Override
 
 Other firmware components can use this state to perform their own locking and
-unlocking primitives. For example, in `coreboot`, flash regions may be locked
-when the EC security state is locked. In `EDK2`, a physical presence dialog may
-be shown when the EC security state is unlocked.
+unlocking primitives. For example, in coreboot, flash regions may be locked
+when the EC security state is locked. In the UEFI payload, a physical presence
+dialog may be shown when the EC security state is unlocked.
diff --git a/src/board/system76/common/common.mk b/src/board/system76/common/common.mk
@@ -18,7 +18,6 @@ board-common-y += pnp.c
 board-common-y += ps2.c
 board-common-y += pwm.c
 board-common-y += scratch.c
-board-common-$(CONFIG_SECURITY) += security.c
 board-common-y += smbus.c
 board-common-y += smfi.c
 board-common-y += stdio.c
@@ -40,10 +39,6 @@ CFLAGS += -DI2C_SMBUS=$(CONFIG_I2C_SMBUS)
 # Uncomment to enable I2C debug on 0x76
 #CFLAGS+=-DI2C_DEBUGGER=0x76
 
-ifeq ($(CONFIG_SECURITY),y)
-CFLAGS+=-DCONFIG_SECURITY=1
-endif
-
 ifeq ($(CONFIG_PLATFORM_INTEL),y)
 board-common-y += peci.c
 board-common-y += power/intel.c
diff --git a/src/board/system76/common/include/board/security.h b/src/board/system76/common/include/board/security.h
diff --git a/src/board/system76/common/power/intel.c b/src/board/system76/common/power/intel.c
@@ -26,7 +26,7 @@
 #endif
 
 #if CONFIG_SECURITY
-#include <board/security.h>
+#include <drivers/security/security.h>
 #endif // CONFIG_SECURITY
 
 #define GPIO_SET_DEBUG(G, V) \
diff --git a/src/board/system76/common/smfi.c b/src/board/system76/common/smfi.c
@@ -22,7 +22,7 @@
 #include <board/scratch.h>
 
 #if CONFIG_SECURITY
-#include <board/security.h>
+#include <drivers/security/security.h>
 #endif // CONFIG_SECURITY
 #endif // !defined(__SCRATCH__)
 
diff --git a/src/common/include/common/command.h b/src/common/include/common/command.h
@@ -77,15 +77,4 @@ enum CommandSpiFlag {
 
 #define CMD_LED_INDEX_ALL 0xFF
 
-enum SecurityState {
-    // Default value, flashing is prevented, cannot be set with CMD_SECURITY_SET
-    SECURITY_STATE_LOCK = 0,
-    // Flashing is allowed, cannot be set with CMD_SECURITY_SET
-    SECURITY_STATE_UNLOCK = 1,
-    // Flashing will be prevented on the next reboot
-    SECURITY_STATE_PREPARE_LOCK = 2,
-    // Flashing will be allowed on the next reboot
-    SECURITY_STATE_PREPARE_UNLOCK = 3,
-};
-
 #endif // _COMMON_COMMAND_H
diff --git a/src/drivers/security/Makefile.mk b/src/drivers/security/Makefile.mk
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: GPL-3.0-only
+# SPDX-FileCopyrightText: 2025 System76, Inc.
+
+# Firmware security state feature.
+#
+# Requires:
+# - Board must declare the `ME_WE` pin.
+#
+# External integrations:
+# - system76/coreboot: `ec/system76/ec` config `EC_SYSTEM76_EC_LOCKDOWN`.
+# - system76/firmware-setup: UEFI protocol for physical presence prompt.
+
+ifeq ($(CONFIG_SECURITY),y)
+
+CFLAGS += -DCONFIG_SECURITY=1
+
+drivers-y += security.c
+
+
+endif
diff --git a/src/drivers/security/security.c b/src/drivers/security/security.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-3.0-only
 
+#include "security.h"
 #include <board/gpio.h>
-#include <board/security.h>
 
 static enum SecurityState security_state = SECURITY_STATE_LOCK;
 
diff --git a/src/drivers/security/security.h b/src/drivers/security/security.h
@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: GPL-3.0-only
+
+#ifndef _DRIVERS_SECURITY_H
+#define _DRIVERS_SECURITY_H
+
+#include <stdbool.h>
+
+enum SecurityState {
+    // Default value, flashing is prevented, cannot be set with CMD_SECURITY_SET
+    SECURITY_STATE_LOCK = 0,
+    // Flashing is allowed, cannot be set with CMD_SECURITY_SET
+    SECURITY_STATE_UNLOCK = 1,
+    // Flashing will be prevented on the next reboot
+    SECURITY_STATE_PREPARE_LOCK = 2,
+    // Flashing will be allowed on the next reboot
+    SECURITY_STATE_PREPARE_UNLOCK = 3,
+};
+
+enum SecurityState security_get(void);
+bool security_set(enum SecurityState state);
+bool security_power(void);
+
+#endif // _DRIVERS_SECURITY_H
