ifdtool: Add locking/unlocking and dumping of access permissions

ifdtool will now dump access permissions of system comonents to
certain IFD sections:

Found Master Section
FLMSTR1:   0xffff0000 (Host CPU/BIOS)
  Platform Data Region Write Access: enabled
  GbE Region Write Access:           enabled
  Intel ME Region Write Access:      enabled
  Host CPU/BIOS Region Write Access: enabled
  Flash Descriptor Write Access:     enabled
  Platform Data Region Read Access:  enabled
  GbE Region Read Access:            enabled
  Intel ME Region Read Access:       enabled
  Host CPU/BIOS Region Read Access:  enabled
  Flash Descriptor Read Access:      enabled
  Requester ID:                      0x0000

FLMSTR2:   0x0c0d0000 (Intel ME)
  Platform Data Region Write Access: disabled
  GbE Region Write Access:           enabled
  Intel ME Region Write Access:      enabled
  Host CPU/BIOS Region Write Access: disabled
  Flash Descriptor Write Access:     disabled
  Platform Data Region Read Access:  disabled
  GbE Region Read Access:            enabled
  Intel ME Region Read Access:       enabled
  Host CPU/BIOS Region Read Access:  disabled
  Flash Descriptor Read Access:      enabled
  Requester ID:                      0x0000

FLMSTR3:   0x08080118 (GbE)
  Platform Data Region Write Access: disabled
  GbE Region Write Access:           enabled
  Intel ME Region Write Access:      disabled
  Host CPU/BIOS Region Write Access: disabled
  Flash Descriptor Write Access:     disabled
  Platform Data Region Read Access:  disabled
  GbE Region Read Access:            enabled
  Intel ME Region Read Access:       disabled
  Host CPU/BIOS Region Read Access:  disabled
  Flash Descriptor Read Access:      disabled
  Requester ID:                      0x0118

Also, ifdtool -u /path/to/image will unlock the host's
access to the firmware descriptor and ME region.
ifdtool -l /path/to/image will lock down the host's
access to the firmware descriptor and ME region.

Change-Id: I3e081b80a9bcb398772416f143b794bf307b1c36
Signed-off-by: Stefan Reinauer <reinauer@google.com>
Reviewed-on: http://review.coreboot.org/1755
Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
Tested-by: build bot (Jenkins)

util/ifdtool/ifdtool.c

@@ -200,12 +200,12 @@ static void dump_fcba(fcba_t * fcba)
 	decode_component_density(fcba->flcomp & 7);
 	printf("\n");
 	printf("FLILL      0x%08x\n", fcba->flill);
-	printf("FLPB       0x%08x\n", fcba->flpb);
+	printf("FLPB       0x%08x\n\n", fcba->flpb);
 }
 
 static void dump_fpsba(fpsba_t * fpsba)
 {
-	printf("\nFound PCH Strap Section\n");
+	printf("Found PCH Strap Section\n");
 	printf("PCHSTRP0:  0x%08x\n", fpsba->pchstrp0);
 	printf("PCHSTRP1:  0x%08x\n", fpsba->pchstrp1);
 	printf("PCHSTRP2:  0x%08x\n", fpsba->pchstrp2);
@@ -221,20 +221,51 @@ static void dump_fpsba(fpsba_t * fpsba)
 	printf("PCHSTRP12: 0x%08x\n", fpsba->pchstrp12);
 	printf("PCHSTRP13: 0x%08x\n", fpsba->pchstrp13);
 	printf("PCHSTRP14: 0x%08x\n", fpsba->pchstrp14);
-	printf("PCHSTRP15: 0x%08x\n", fpsba->pchstrp15);
+	printf("PCHSTRP15: 0x%08x\n\n", fpsba->pchstrp15);
+}
+
+static void decode_flmstr(uint32_t flmstr)
+{
+	printf("  Platform Data Region Write Access: %s\n",
+		(flmstr & (1 << 28)) ? "enabled" : "disabled");
+	printf("  GbE Region Write Access:           %s\n",
+		(flmstr & (1 << 27)) ? "enabled" : "disabled");
+	printf("  Intel ME Region Write Access:      %s\n",
+		(flmstr & (1 << 26)) ? "enabled" : "disabled");
+	printf("  Host CPU/BIOS Region Write Access: %s\n",
+		(flmstr & (1 << 25)) ? "enabled" : "disabled");
+	printf("  Flash Descriptor Write Access:     %s\n",
+		(flmstr & (1 << 24)) ? "enabled" : "disabled");
+
+	printf("  Platform Data Region Read Access:  %s\n",
+		(flmstr & (1 << 20)) ? "enabled" : "disabled");
+	printf("  GbE Region Read Access:            %s\n",
+		(flmstr & (1 << 19)) ? "enabled" : "disabled");
+	printf("  Intel ME Region Read Access:       %s\n",
+		(flmstr & (1 << 18)) ? "enabled" : "disabled");
+	printf("  Host CPU/BIOS Region Read Access:  %s\n",
+		(flmstr & (1 << 17)) ? "enabled" : "disabled");
+	printf("  Flash Descriptor Read Access:      %s\n",
+		(flmstr & (1 << 16)) ? "enabled" : "disabled");
+
+	printf("  Requester ID:                      0x%04x\n\n",
+		flmstr & 0xffff);
 }
 
 static void dump_fmba(fmba_t * fmba)
 {
-	printf("\nFound Master Section\n");
+	printf("Found Master Section\n");
-	printf("FLMSTR1:   0x%08x\n", fmba->flmstr1);
+	printf("FLMSTR1:   0x%08x (Host CPU/BIOS)\n", fmba->flmstr1);
-	printf("FLMSTR2:   0x%08x\n", fmba->flmstr2);
+	decode_flmstr(fmba->flmstr1);
-	printf("FLMSTR3:   0x%08x\n", fmba->flmstr3);
+	printf("FLMSTR2:   0x%08x (Intel ME)\n", fmba->flmstr2);
+	decode_flmstr(fmba->flmstr2);
+	printf("FLMSTR3:   0x%08x (GbE)\n", fmba->flmstr3);
+	decode_flmstr(fmba->flmstr3);
 }
 
 static void dump_fmsba(fmsba_t * fmsba)
 {
-	printf("\nFound Processor Strap Section\n");
+	printf("Found Processor Strap Section\n");
 	printf("????:      0x%08x\n", fmsba->data[0]);
 	printf("????:      0x%08x\n", fmsba->data[1]);
 	printf("????:      0x%08x\n", fmsba->data[2]);
@@ -348,6 +379,31 @@ static void set_em100_mode(char *filename, char *image, int size)
 	set_spi_frequency(filename, image, size, SPI_FREQUENCY_20MHZ);
 }
 
+static void lock_descriptor(char *filename, char *image, int size)
+{
+	fdbar_t *fdb = find_fd(image, size);
+	fmba_t *fmba = (fmba_t *) (image + (((fdb->flmap1) & 0xff) << 4));
+	/* TODO: Dynamically take Platform Data Region and GbE Region
+	 * into regard.
+	 */
+	fmba->flmstr1 = 0x0a0b0000;
+	fmba->flmstr2 = 0x0c0d0000;
+	fmba->flmstr3 = 0x08080118;
+
+	write_image(filename, image, size);
+}
+
+static void unlock_descriptor(char *filename, char *image, int size)
+{
+	fdbar_t *fdb = find_fd(image, size);
+	fmba_t *fmba = (fmba_t *) (image + (((fdb->flmap1) & 0xff) << 4));
+	fmba->flmstr1 = 0xffff0000;
+	fmba->flmstr2 = 0xffff0000;
+	fmba->flmstr3 = 0x08080118;
+
+	write_image(filename, image, size);
+}
+
 void inject_region(char *filename, char *image, int size, int region_type,
 		   char *region_fname)
 {
@@ -442,6 +498,8 @@ static void print_usage(const char *name)
 	       "   -s | --spifreq <20|33|50>         set the SPI frequency\n"
 	       "   -e | --em100                      set SPI frequency to 20MHz and disable\n"
 	       "                                     Dual Output Fast Read Support\n"
+	       "   -l | --lock                       Lock firmware descriptor and ME region\n"
+	       "   -u | --unlock                     Unlock firmware descriptor and ME region\n"
 	       "   -v | --version:                   print the version\n"
 	       "   -h | --help:                      print this help\n\n"
 	       "<region> is one of Descriptor, BIOS, ME, GbE, Platform\n"
@@ -452,7 +510,7 @@ int main(int argc, char *argv[])
 {
 	int opt, option_index = 0;
 	int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;
-	int mode_em100 = 0;
+	int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0;
 	char *region_type_string = NULL, *region_fname = NULL;
 	int region_type = -1, inputfreq = 0;
 	enum spi_frequency spifreq = SPI_FREQUENCY_20MHZ;
@@ -463,12 +521,14 @@ int main(int argc, char *argv[])
 		{"inject", 1, NULL, 'i'},
 		{"spifreq", 1, NULL, 's'},
 		{"em100", 0, NULL, 'e'},
+		{"lock", 0, NULL, 'l'},
+		{"unlock", 0, NULL, 'u'},
 		{"version", 0, NULL, 'v'},
 		{"help", 0, NULL, 'h'},
 		{0, 0, 0, 0}
 	};
 
-	while ((opt = getopt_long(argc, argv, "dxi:s:evh?",
+	while ((opt = getopt_long(argc, argv, "dxi:s:eluvh?",
 				  long_options, &option_index)) != EOF) {
 		switch (opt) {
 		case 'd':
@@ -531,6 +591,20 @@ int main(int argc, char *argv[])
 		case 'e':
 			mode_em100 = 1;
 			break;
+		case 'l':
+			mode_locked = 1;
+			if (mode_unlocked == 1) {
+				fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");
+				exit(EXIT_FAILURE);
+			}
+			break;
+		case 'u':
+			mode_unlocked = 1;
+			if (mode_locked == 1) {
+				fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");
+				exit(EXIT_FAILURE);
+			}
+			break;
 		case 'v':
 			print_version();
 			exit(EXIT_SUCCESS);
@@ -544,14 +618,16 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if ((mode_dump + mode_extract + mode_inject + mode_spifreq) > 1) {
+	if ((mode_dump + mode_extract + mode_inject +
-		fprintf(stderr, "Only one mode allowed.\n\n");
+		(mode_spifreq | mode_em100 | mode_unlocked |
+		 mode_locked)) > 1) {
+		fprintf(stderr, "You may not specify more than one mode.\n\n");
 		print_usage(argv[0]);
 		exit(EXIT_FAILURE);
 	}
 
 	if ((mode_dump + mode_extract + mode_inject + mode_spifreq +
-	     mode_em100) == 0) {
+	     mode_em100 + mode_locked + mode_unlocked) == 0) {
 		fprintf(stderr, "You need to specify a mode.\n\n");
 		print_usage(argv[0]);
 		exit(EXIT_FAILURE);
@@ -607,6 +683,12 @@ int main(int argc, char *argv[])
 	if (mode_em100)
 		set_em100_mode(filename, image, size);
 
+	if(mode_locked)
+		lock_descriptor(filename, image, size);
+
+	if (mode_unlocked)
+		unlock_descriptor(filename, image, size);
+
 	free(image);
 
 	return 0;

util/ifdtool/ifdtool.h

@@ -18,7 +18,7 @@
  */
 
 #include <stdint.h>
-#define IFDTOOL_VERSION "1.0"
+#define IFDTOOL_VERSION "1.1"
 
 enum spi_frequency {
 	SPI_FREQUENCY_20MHZ = 0,