From 2ac149d294af795710eb4bb20f093e9920604abd Mon Sep 17 00:00:00 2001 From: Nico Huber Date: Fri, 1 Sep 2017 23:28:14 +0200 Subject: [PATCH] sb/intel/bd82x6x: Revise flash ROM lockdown options The original options were named and described under the false assumption that the chipset lockdown would only be executed during S3 resume. Fix that. Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95 Signed-off-by: Nico Huber Reviewed-on: https://review.coreboot.org/21327 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Rudolph --- src/southbridge/intel/bd82x6x/Kconfig | 44 ++++++++++++++---------- src/southbridge/intel/bd82x6x/finalize.c | 5 +-- 2 files changed, 29 insertions(+), 20 deletions(-) diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 9eb3111661..e3772bab01 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -75,29 +75,37 @@ endif if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK choice - prompt "Flash ROM locking on S3 resume" - default LOCK_SPI_ON_RESUME_NONE + prompt "Flash locking during chipset lockdown" + default LOCK_SPI_FLASH_NONE -config LOCK_SPI_ON_RESUME_NONE - bool "Don't lock ROM sections on S3 resume" +config LOCK_SPI_FLASH_NONE + bool "Don't lock flash sections" -config LOCK_SPI_ON_RESUME_RO - bool "Lock all flash ROM sections on S3 resume" +config LOCK_SPI_FLASH_RO + bool "Write-protect all flash sections" help - If the flash ROM shall be protected against write accesses from the - operating system (OS), the locking procedure has to be repeated after - each resume from S3. Select this if you never want to update the flash - ROM from within your OS. Notice: Even with this option, the write lock - has still to be enabled on the normal boot path (e.g. by the payload). + Select this if you want to write-protect the whole firmware flash + chip. The locking will take place during the chipset lockdown, which + is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) + or has to be triggered later (e.g. by the payload or the OS). -config LOCK_SPI_ON_RESUME_NO_ACCESS - bool "Lock and disable reads all flash ROM sections on S3 resume" + NOTE: If you trigger the chipset lockdown unconditionally, + you won't be able to write to the flash chip using the + internal programmer any more. + +config LOCK_SPI_FLASH_NO_ACCESS + bool "Write-protect all flash sections and read-protect non-BIOS sections" help - If the flash ROM shall be protected against all accesses from the - operating system (OS), the locking procedure has to be repeated after - each resume from S3. Select this if you never want to update the flash - ROM from within your OS. Notice: Even with this option, the lock - has still to be enabled on the normal boot path (e.g. by the payload). + Select this if you want to protect the firmware flash against all + further accesses (with the exception of the memory mapped BIOS re- + gion which is always readable). The locking will take place during + the chipset lockdown, which is either triggered by coreboot (when + INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. + by the payload or the OS). + + NOTE: If you trigger the chipset lockdown unconditionally, + you won't be able to write to the flash chip using the + internal programmer any more. endchoice diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c index a9cfa38c63..fe28af0385 100644 --- a/src/southbridge/intel/bd82x6x/finalize.c +++ b/src/southbridge/intel/bd82x6x/finalize.c @@ -25,12 +25,13 @@ void intel_pch_finalize_smm(void) u16 tco1_cnt; u16 pmbase; - if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) { + if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) || + IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) { /* Copy flash regions from FREG0-4 to PR0-4 and enable write protection bit31 */ int i; u32 lockmask = (1 << 31); - if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) + if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) lockmask |= (1 << 15); for (i = 0; i < 20; i += 4) RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;