util/ifdtool: Enable CPU read of the ME region
We are implementing a mechanism in coreboot to update CSME firmware, this requires coreboot to be able to read CSME region. Exposing the CSME data is not an issue since the data stored by CSE is all encrypted. This patch provides a command line option "-r" which will enable read access to CSME region when locking. Without this change, locking SPI regions using ifdtool will block BIOS access to read/access CSME. This will cause failure since BIOS can't read basic information such as CSME version. TEST=Flashrom returns success while erasing the SI_ME region. After rebooting the DUT, DUT boots into OS without any issues on Drawlat EVT. Signed-off-by: Usha P <usha.p@intel.com> Change-Id: I1d9a8e17fba19b717453476fbcb7bcf95b278abe Reviewed-on: https://review.coreboot.org/c/coreboot/+/46441 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Rizwan Qureshi <rizwan.qureshi@intel.com> Reviewed-by: Maulik V Vaghela <maulik.v.vaghela@intel.com> Reviewed-by: Subrata Banik <subrata.banik@intel.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This commit is contained in:
parent
5abf040265
commit
412679d892
|
@ -1266,6 +1266,25 @@ static void lock_descriptor(const char *filename, char *image, int size)
|
||||||
write_image(filename, image, size);
|
write_image(filename, image, size);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void enable_cpu_read_me(const char *filename, char *image, int size)
|
||||||
|
{
|
||||||
|
int rd_shift;
|
||||||
|
fmba_t *fmba = find_fmba(image, size);
|
||||||
|
|
||||||
|
if (!fmba)
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
|
||||||
|
if (ifd_version >= IFD_VERSION_2)
|
||||||
|
rd_shift = FLMSTR_RD_SHIFT_V2;
|
||||||
|
else
|
||||||
|
rd_shift = FLMSTR_RD_SHIFT_V1;
|
||||||
|
|
||||||
|
/* CPU/BIOS can read ME. */
|
||||||
|
fmba->flmstr1 |= (1 << REGION_ME) << rd_shift;
|
||||||
|
|
||||||
|
write_image(filename, image, size);
|
||||||
|
}
|
||||||
|
|
||||||
static void unlock_descriptor(const char *filename, char *image, int size)
|
static void unlock_descriptor(const char *filename, char *image, int size)
|
||||||
{
|
{
|
||||||
fmba_t *fmba = find_fmba(image, size);
|
fmba_t *fmba = find_fmba(image, size);
|
||||||
|
@ -1626,6 +1645,7 @@ static void print_usage(const char *name)
|
||||||
" -e | --em100 set SPI frequency to 20MHz and disable\n"
|
" -e | --em100 set SPI frequency to 20MHz and disable\n"
|
||||||
" Dual Output Fast Read Support\n"
|
" Dual Output Fast Read Support\n"
|
||||||
" -l | --lock Lock firmware descriptor and ME region\n"
|
" -l | --lock Lock firmware descriptor and ME region\n"
|
||||||
|
" -r | --read Enable CPU/BIOS read access for ME region\n"
|
||||||
" -u | --unlock Unlock firmware descriptor and ME region\n"
|
" -u | --unlock Unlock firmware descriptor and ME region\n"
|
||||||
" -M | --altmedisable <0|1> Set the MeDisable and AltMeDisable (or HAP for skylake or newer platform)\n"
|
" -M | --altmedisable <0|1> Set the MeDisable and AltMeDisable (or HAP for skylake or newer platform)\n"
|
||||||
" bits to disable ME\n"
|
" bits to disable ME\n"
|
||||||
|
@ -1652,7 +1672,7 @@ int main(int argc, char *argv[])
|
||||||
int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;
|
int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;
|
||||||
int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0, mode_validate = 0;
|
int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0, mode_validate = 0;
|
||||||
int mode_layout = 0, mode_newlayout = 0, mode_density = 0, mode_setstrap = 0;
|
int mode_layout = 0, mode_newlayout = 0, mode_density = 0, mode_setstrap = 0;
|
||||||
int mode_altmedisable = 0, altmedisable = 0;
|
int mode_read = 0, mode_altmedisable = 0, altmedisable = 0;
|
||||||
char *region_type_string = NULL, *region_fname = NULL;
|
char *region_type_string = NULL, *region_fname = NULL;
|
||||||
const char *layout_fname = NULL;
|
const char *layout_fname = NULL;
|
||||||
char *new_filename = NULL;
|
char *new_filename = NULL;
|
||||||
|
@ -1675,6 +1695,7 @@ int main(int argc, char *argv[])
|
||||||
{"altmedisable", 1, NULL, 'M'},
|
{"altmedisable", 1, NULL, 'M'},
|
||||||
{"em100", 0, NULL, 'e'},
|
{"em100", 0, NULL, 'e'},
|
||||||
{"lock", 0, NULL, 'l'},
|
{"lock", 0, NULL, 'l'},
|
||||||
|
{"read", 0, NULL, 'r'},
|
||||||
{"unlock", 0, NULL, 'u'},
|
{"unlock", 0, NULL, 'u'},
|
||||||
{"version", 0, NULL, 'v'},
|
{"version", 0, NULL, 'v'},
|
||||||
{"help", 0, NULL, 'h'},
|
{"help", 0, NULL, 'h'},
|
||||||
|
@ -1685,7 +1706,7 @@ int main(int argc, char *argv[])
|
||||||
{0, 0, 0, 0}
|
{0, 0, 0, 0}
|
||||||
};
|
};
|
||||||
|
|
||||||
while ((opt = getopt_long(argc, argv, "S:V:df:D:C:M:xi:n:O:s:p:eluvth?",
|
while ((opt = getopt_long(argc, argv, "S:V:df:D:C:M:xi:n:O:s:p:elruvth?",
|
||||||
long_options, &option_index)) != EOF) {
|
long_options, &option_index)) != EOF) {
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
case 'd':
|
case 'd':
|
||||||
|
@ -1859,6 +1880,9 @@ int main(int argc, char *argv[])
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 'r':
|
||||||
|
mode_read = 1;
|
||||||
|
break;
|
||||||
case 'u':
|
case 'u':
|
||||||
mode_unlocked = 1;
|
mode_unlocked = 1;
|
||||||
if (mode_locked == 1) {
|
if (mode_locked == 1) {
|
||||||
|
@ -2000,6 +2024,9 @@ int main(int argc, char *argv[])
|
||||||
if (mode_locked)
|
if (mode_locked)
|
||||||
lock_descriptor(new_filename, image, size);
|
lock_descriptor(new_filename, image, size);
|
||||||
|
|
||||||
|
if (mode_read)
|
||||||
|
enable_cpu_read_me(new_filename, image, size);
|
||||||
|
|
||||||
if (mode_unlocked)
|
if (mode_unlocked)
|
||||||
unlock_descriptor(new_filename, image, size);
|
unlock_descriptor(new_filename, image, size);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue