Skip to content

mb/google/*: Add CFR options for Intel ME HECI1 and PAVP#27

Draft
movr4x wants to merge 4 commits intoMrChromebox:MrChromebox-2512from
movr4x:MrChromebox-2512-intel-me-cfr
Draft

mb/google/*: Add CFR options for Intel ME HECI1 and PAVP#27
movr4x wants to merge 4 commits intoMrChromebox:MrChromebox-2512from
movr4x:MrChromebox-2512-intel-me-cfr

Conversation

@movr4x
Copy link
Copy Markdown
Contributor

@movr4x movr4x commented Feb 22, 2026

Allow users to enable/disable HECI1 and PAVP via CFR options menu.

Kconfig DISABLE_HECI1_AT_PRE_BOOT and PAVP are compile-time only options.

This adds support for a run-time configurable CFR, where Kconfig is used as a default value, and updates SoC code to use this new CFR instead of Kconfig.

Should address issues like:
MrChromebox/firmware#887

I could not find any reference to CONFIG(PAVP) in Tigerlake SoC code, so I did not include PAVP CFR for VOLTEER. FSP-S code also does not touch PavpEnable param (it is available). We can change this.

There are Google boards with Pantherlake SoC, OCELOT/FATCAT, that could also use CFR for both HECI1 and PAVP, but they do not have CFR/cfr.c.

You will have to verify if all looks ok, as I can only test Skylake/Kabylake (FIZZ).

It would be possible to add few other CFRs for controlling ME remote functionality like AMT/AMT SoL/ASF/Manageability Mode, but non-vPro firmwares usually lack such features anyway.

Also, not sure if PAVP works in Linux for Google boards. I have tried to extract some info, but cannot see any difference between PAVP disabled/enabled. There is a possibility that it is disabled at a lower level like Intel PTT (iTPM), at least for FIZZ.

With Intel ME and HECI1 always enabled, and only toggling PAVP, I am getting the same results:

$ lsmod | grep -iE 'mei|heci|pxp|pavp|hdcp'
mei_me                 57344  0
mei                   188416  1 mei_me

$ ls -la /dev/mei*
crw------- 1 root root 240, 0 Feb 22 15:31 /dev/mei0

$ sudo ls /sys/bus/mei/devices/
0000:00:16.0-01e88543-8050-4380-9d6f-4f9cec704917
0000:00:16.0-082ee5a7-7c25-470a-9643-0c06f0466ea1
0000:00:16.0-309dcde8-ccb1-4062-8f78-600115a34327
0000:00:16.0-3c4852d6-d47b-4f46-b05e-b5edc1aa440e
0000:00:16.0-42b3ce2f-bd9f-485a-96ae-26406230b1ff
0000:00:16.0-55213584-9a29-4916-badf-0fb7ed682aeb
0000:00:16.0-5565a099-7fe2-45c1-a22b-d7e9dfea9a2e
0000:00:16.0-8c2f4425-77d6-4755-aca3-891fdbc66a58
0000:00:16.0-8e6a6715-9abc-4043-88ef-9e39c6f63e0f
0000:00:16.0-dba4d603-d7ed-4931-8823-17ad585705d5
0000:00:16.0-f908627d-13bf-4a04-b91f-a64e9245323d

$ sudo dmesg | grep -iE 'mei|heci|pxp|pavp|hdcp'
[nothing]

$ sudo cat /sys/kernel/debug/dri/0/i915_capabilities | grep -iE 'mei|heci|pxp|pavp|hdcp|content'
has_heci_pxp: no
has_heci_gscfi: no
has_pxp: no

$ vainfo --display drm --device /dev/dri/renderD128 
Trying display: drm
libva info: VA-API version 1.22.0
libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
libva info: Found init function __vaDriverInit_1_22
libva info: va_openDriver() returns 0
vainfo: VA-API version: 1.22 (libva 2.22.0)
vainfo: Driver version: Intel iHD driver for Intel(R) Gen Graphics - 25.2.3 ()
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            :	VAEntrypointVLD
      VAProfileMPEG2Main              :	VAEntrypointVLD
      VAProfileH264Main               :	VAEntrypointVLD
      VAProfileH264Main               :	VAEntrypointEncSliceLP
      VAProfileH264High               :	VAEntrypointVLD
      VAProfileH264High               :	VAEntrypointEncSliceLP
      VAProfileJPEGBaseline           :	VAEntrypointVLD
      VAProfileJPEGBaseline           :	VAEntrypointEncPicture
      VAProfileH264ConstrainedBaseline:	VAEntrypointVLD
      VAProfileH264ConstrainedBaseline:	VAEntrypointEncSliceLP
      VAProfileVP8Version0_3          :	VAEntrypointVLD
      VAProfileHEVCMain               :	VAEntrypointVLD
      VAProfileHEVCMain10             :	VAEntrypointVLD
      VAProfileVP9Profile0            :	VAEntrypointVLD
      VAProfileVP9Profile2            :	VAEntrypointVLD

$ drm_info | grep -iE 'mei|heci|pxp|pavp|hdcp|content'
│   │       ├───"content type": enum {No Data, Graphics, Photo, Cinema, Game} = No Data
│   │       ├───"Content Protection": enum {Undesired, Desired, Enabled} = Undesired
│   │       └───"HDCP Content Type": enum {HDCP Type0, HDCP Type1} = HDCP Type0
│   │       ├───"Content Protection": enum {Undesired, Desired, Enabled} = Undesired
│   │       └───"HDCP Content Type": enum {HDCP Type0, HDCP Type1} = HDCP Type0
│   │       ├───"content type": enum {No Data, Graphics, Photo, Cinema, Game} = No Data
│   │       ├───"Content Protection": enum {Undesired, Desired, Enabled} = Undesired
│   │       └───"HDCP Content Type": enum {HDCP Type0, HDCP Type1} = HDCP Type0
│   │       ├───"Content Protection": enum {Undesired, Desired, Enabled} = Undesired
│   │       └───"HDCP Content Type": enum {HDCP Type0, HDCP Type1} = HDCP Type0
│           ├───"content type": enum {No Data, Graphics, Photo, Cinema, Game} = No Data
│           ├───"Content Protection": enum {Undesired, Desired, Enabled} = Undesired
│           └───"HDCP Content Type": enum {HDCP Type0, HDCP Type1} = HDCP Type0

@movr4x
soc/intel/*: Add CFR support for Kconfig DISABLE_HECI1_AT_PRE_BOOT
9ec656d 
Kconfig DISABLE_HECI1_AT_PRE_BOOT is a compile-time only option.

This commit adds support for a run-time configurable CFR, where
Kconfig DISABLE_HECI1_AT_PRE_BOOT is used as a default value, and
updates SoC code to use this new CFR instead of Kconfig.

Signed-off-by: Lukasz Kutyla <luk.kutyla@gmail.com>
@movr4x
mb/google/*: Add CFR option for HECI1
d5861eb 
Allow users to enable/disable HECI1 via CFR options menu.

Signed-off-by: Lukasz Kutyla <luk.kutyla@gmail.com>
@movr4x
soc/intel/*: Add CFR support for Kconfig PAVP
2befcce 
Kconfig PAVP is a compile-time only option.

This commit adds support for a run-time configurable CFR, where
Kconfig PAVP is used as a default value, and updates SoC code to use
this new CFR instead of Kconfig.

Signed-off-by: Lukasz Kutyla <luk.kutyla@gmail.com>
@movr4x
mb/google/*: Add CFR option for PAVP
8c32637 
Allow users to enable/disable PAVP via CFR options menu.

Signed-off-by: Lukasz Kutyla <luk.kutyla@gmail.com>
@MrChromebox
Copy link
Copy Markdown
Owner

MrChromebox commented Feb 23, 2026

what's the use of enabling/disabling PAVP? I'm not a huge fan of adding options just to have them

@movr4x
Copy link
Copy Markdown
Contributor Author

movr4x commented Feb 23, 2026

@MrChromebox

what's the use of enabling/disabling PAVP? I'm not a huge fan of adding options just to have them

src/soc/intel/common/Kconfig.common:

config PAVP
	bool "Enable PAVP (Protected Audio-Video Path) support"
	default y
	help
	  Protected Audio-Video Path is an Intel technology used to enforce digital
	  rights protections on multimedia content. Streaming or other media playback
	  services may require it to be enabled for correct functioning.

	  Users might disable PAVP if the concept of digital rights management (DRM)
	  offends them, or if they have concerns about the security of
	  the Management Engine, which is where this technology is implemented.

	  Set this option to n to disable support.

It is available in Intel common Kconfig, so I have thought that it could be useful to also have it as a run-time configurable CFR, just like HECI1 device, especially since it requires HECI1 device to operate (AFAIK).

However, I am not sure if PAVP even works in Google boards (i.e. disabled at a lower level, so changing FSP-S param has no effect) or if this is some Linux related limitation.

Ideally I would need Windows to confirm, but at the moment I cannot test this.

If you want, then I can drop this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@movr4x @MrChromebox