GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bd82x6x, ibexpeak: Support fully locking ROM on S3 resume. 

Currently only RO-lock is supported. Make full lock available as an option.

Change-Id: Ib68a1e82733a51053a9adc80ac501b6205c6b8a7
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-on: http://review.coreboot.org/10191
Tested-by: build bot (Jenkins)
Reviewed-by: Edward O'Callaghan <edward.ocallaghan@koparo.com>
This commit is contained in:
Vladimir Serbinenko 2015-05-12 12:39:53 +02:00
parent e62cf5210c
commit d3b194e6fe
2 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/southbridge/intel/bd82x6x/Kconfig
View File

@ -151,9 +151,19 @@ config LOCK_MANAGEMENT_ENGINE
If unsure, say N. If unsure, say N.
config LOCK_SPI_ON_RESUME endif
if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
choice
prompt "Flash ROM locking on S3 resume"
default LOCK_SPI_ON_RESUME_NONE
config LOCK_SPI_ON_RESUME_NONE
bool "Don't lock ROM sections on S3 resume"
config LOCK_SPI_ON_RESUME_RO
bool "Lock all flash ROM sections on S3 resume" bool "Lock all flash ROM sections on S3 resume"
default n
help help
If the flash ROM shall be protected against write accesses from the If the flash ROM shall be protected against write accesses from the
operating system (OS), the locking procedure has to be repeated after operating system (OS), the locking procedure has to be repeated after
@ -161,4 +171,15 @@ config LOCK_SPI_ON_RESUME
ROM from within your OS. Notice: Even with this option, the write lock ROM from within your OS. Notice: Even with this option, the write lock
has still to be enabled on the normal boot path (e.g. by the payload). has still to be enabled on the normal boot path (e.g. by the payload).
config LOCK_SPI_ON_RESUME_NO_ACCESS
bool "Lock and disable reads all flash ROM sections on S3 resume"
help
If the flash ROM shall be protected against all accesses from the
operating system (OS), the locking procedure has to be repeated after
each resume from S3. Select this if you never want to update the flash
ROM from within your OS. Notice: Even with this option, the lock
has still to be enabled on the normal boot path (e.g. by the payload).
endchoice
endif endif

9
src/southbridge/intel/bd82x6x/finalize.c
View File

@ -25,13 +25,16 @@
void intel_pch_finalize_smm(void) void intel_pch_finalize_smm(void)
{ {
#if CONFIG_LOCK_SPI_ON_RESUME if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
/* Copy flash regions from FREG0-4 to PR0-4 /* Copy flash regions from FREG0-4 to PR0-4
and enable write protection bit31 */ and enable write protection bit31 */
int i; int i;
u32 lockmask = (1 << 31);
if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
lockmask |= (1 << 15);
for (i = 0; i < 20; i += 4) for (i = 0; i < 20; i += 4)
RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31); RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
#endif }
/* Set SPI opcode menu */ /* Set SPI opcode menu */
RCBA16(0x3894) = SPI_OPPREFIX; RCBA16(0x3894) = SPI_OPPREFIX;