Introduction
In the previous post, we showed coreboot running on Gigabyte MZ33-AR1 with Turin CPU, the current, newest family of AMD server processors. However, we faced various obstacles and problems. Despite AMD publishing a set of blobs required for the Turin system initialization, they turned out to be not enough to release the CPU from reset by PSP. We were forced to do a workaround by injecting coreboot into the vendor firmware image and flashing it back. The whole process is far from ideal; thus, it forced us to perform an analysis, where we demystify and explain the problems and solutions we came up with.
AMD PSP firmware structure
Nowadays, the x86 CPUs are not the first entities that begin code execution after pressing the power button. The design of the processors and silicon overall drifted towards adding many co-processors, which perform a specialized subset of actions and have a very specific role in the system. For example: Intel Management Engine (ME) on Intel platforms and AMD Platform Security Processor (PSP), also known as AMD Security Processor (ASP). These co-processors run their own firmware, which is usually stored in the same flash memory as the BIOS for an x86 CPU. Often these firmwares contain other firmwares for yet another co-processors or IP blocks. This is true for both Intel and AMD. We will not dive into Intel specifics, but if you are curious, just open an Intel firmware image in UEFITool and expand the Intel ME region. You will see how many various applications or firmwares reside there.
The situation is no different on an AMD system, although the separation of x86 BIOS and PSP firmware/blobs is not as clean as on Intel systems. AMD PSP does not have any separate flash region for its own use. Instead, the PSP blobs are packed into specific directory structures, which you can read a bit about here.
To understand how it is supposed to work on the Turin system, we have to go through each structure of the PSP firmware and analyze it, starting with Embedded Firmware Structure (EFS), through PSP directories up to the BIOS directories.
Embedded Firmware Structure
Embedded Firmware Structure is like a header that indicates the location of PSP and BIOS directories. It is used by PSP during power-on to locate the blobs and configure certain properties of the system, e.g., SPI interface speeds, eSPI bus configuration, etc. The tool responsible for creating EFS, PSP and BIOS directories in coreboot are amdfwtool. The coreboot build system uses this utility during the build process to stitch all blobs together into a bootable image.
There has been some activity around this tool recently, which has enhanced its debugging and analysis capabilities:
Seeing this opportunity, I have reviewed and tested the patches, even added more information to be dumped, and fixed parsing of the images for Turin processors, to serve the purpose of my analysis:
... continue reading