We are implementing a mechanism in coreboot to update CSME firmware;
this requires coreboot to be able to read the CSME region. Exposing the
CSME data is not an issue since the data stored by CSE is all encrypted.
This patch provides a command line option "-r" which will enable read
access to CSME region when locking.
Without this change, locking SPI regions using ifdtool will block BIOS
access to read/access CSME. This will cause failure since BIOS can't
read basic information such as CSME version.
TEST=Flashrom returns success while erasing the SI_ME region.
After rebooting the DUT, DUT boots into OS without any issues on
Drawlat EVT.
Signed-off-by: Usha P <usha.p@intel.com>
Change-Id: I1d9a8e17fba19b717453476fbcb7bcf95b278abe
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46441
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Rizwan Qureshi <rizwan.qureshi@intel.com>
Reviewed-by: Maulik V Vaghela <maulik.v.vaghela@intel.com>
Reviewed-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This will let you at least dump / add these regions.
Signed-off-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Change-Id: I195ba5e93823603e712cd16cecbb48141302bed6
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46822
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Marc Jones <marc@marcjonesconsulting.com>
BUG=b:153888802
TEST=Able to list correct PCH revision, SPI/eSPI frequency as per
ADL SPI flash guide.
Without this CL :
PCH Revision: 500 series Tiger Point
With this CL :
PCH Revision: 500 series Tiger Point/ 600 series Alder Point
Change-Id: I0faf0f0fdb625ff82eb0033b5b77e6470971bc23
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45808
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
BUG=b:153888802
TEST=Able to list correct eSPI frequency as per TGL SPI flash guide
Without this CL :
Found Component Section
FLCOMP 0x093030f6
Dual Output Fast Read Support: not supported
Read ID/Read Status Clock Frequency: 50MHz
Write/Erase Clock Frequency: 50MHz
Fast Read Clock Frequency: 50MHz
Fast Read Support: supported
Read Clock Frequency: 20MHz
With this CL :
Found Component Section
FLCOMP 0x093030f6
Dual Output Fast Read Support: not supported
Read ID/Read Status Clock Frequency: 50MHz
Write/Erase Clock Frequency: 50MHz
Fast Read Clock Frequency: 50MHz
Fast Read Support: supported
Read eSPI/EC Bus Frequency: 60MHz
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Change-Id: I20840e6f931d7c1fabea0b6892e3bd19ead81168
Reviewed-on: https://review.coreboot.org/c/coreboot/+/44820
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
BUG=b:153888802
TEST=Able to list correct SPI frequency as per TGL SPI flash guide
Without this CL :
Found Component Section
FLCOMP 0x093030f6
Dual Output Fast Read Support: not supported
Read ID/Read Status Clock Frequency: 33MHz
Write/Erase Clock Frequency: 33MHz
Fast Read Clock Frequency: 33MHz
Fast Read Support: supported
Read Clock Frequency: 20MHz
With this CL :
Found Component Section
FLCOMP 0x093030f6
Dual Output Fast Read Support: not supported
Read ID/Read Status Clock Frequency: 50MHz
Write/Erase Clock Frequency: 50MHz
Fast Read Clock Frequency: 50MHz
Fast Read Support: supported
Read Clock Frequency: 20MHz
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Change-Id: Id0a0a0cbd948ef8334cf522c09e881b464e87f0e
Reviewed-on: https://review.coreboot.org/c/coreboot/+/44819
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Consider all chipsets from IBEX_PEAK onwards as belonging to the PCH family.
BUG=b:153888802
TEST=Able to print correct PCH revision on Hatch Platform.
> ifdtool -d coreboot.rom
Without this CL :
ICH Revision: 300 series Cannon Point/ 400 series Ice Point
With this CL :
PCH Revision: 300 series Cannon Point/ 400 series Ice Point
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Change-Id: Ifd40dddc9179f347c0ea75149ec08089a829fdb4
Reviewed-on: https://review.coreboot.org/c/coreboot/+/44816
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Able to uniquely identify the chipset without specifying the platform
specific quirks (adl/cnl/icl/jsl/tgl etc.).
BUG=b:153888802
TEST=Able to dump FD contents correctly without specifying platform
quirks on Hatch Platform.
> ifdtool -d coreboot.rom
Without this CL :
ICH Revision: 100 series Sunrise Point
With this CL :
ICH Revision: 300 series Cannon Point/ 400 series Ice Point
Signed-off-by: Subrata Banik <subrata.banik@intel.com>
Change-Id: I83763adb721e069343b19a10e503975ffa6abb24
Reviewed-on: https://review.coreboot.org/c/coreboot/+/44815
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Read the PCH Strap Length field in FLMAP1 as described in the
"SPI Programming Guide" and print the number of fields specified there.
This code dumps the following straps:
* Intel GM45: 8 straps
* Intel C216: 72 straps
* Intel C240: 360 straps
Add a new function to easily set PCH straps, which is useful for debugging.
Change-Id: Ieb7891b214d82c984379794de9b3fe1a6d0d3466
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41693
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Hug <philipp@hug.cx>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
We have the git history which is a more reliable librarian.
Change-Id: Idbcc5ceeb33804204e56d62491cb58146f7c9f37
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41175
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: ron minnich <rminnich@gmail.com>
Add an optional commandline flag to define the filename of the resulting
output file. If this flag is not defined, it will behave like before by
using the old filename with a ".new" suffix.
With this additional flag it is not necessary to move the output file at
build-time, and the stdout print "Writing new image to <filename>" makes
more sense in the build context.
Change-Id: I824e94e93749f55c3576e4ee2f7804d855fefed2
Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38828
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
The -M option of ifdtool sets not only AltMeDisable bit, but also
MeDisable bit in ICH0 and MCH0 straps. Make it obvious and mention
in the help message.
Change-Id: I9dba2fa6509a9c833f72414367944bc606671e7b
Signed-off-by: Evgeny Zinoviev <me@ch1p.io>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38934
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Peter Lemenkov <lemenkov@gmail.com>
Add the capability to update the Flash Descriptor directly instead
of raising a Segmentation Fault. In this way it will be possible to
add Kconfig options to modify the ifd descriptor at build-time.
Change-Id: Id3db09291af2bd2e759c283e316afd5da1fb4ca7
Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38711
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
When regions are resized they are always aligned to the top of the
region. For the BIOS region this is correct. The other regions however
should be aligned to the bottom of the region.
Update the region handling to only align BIOS region to top of region.
BUG=N/A
TEST=verified image resize
Change-Id: Ied0e763b5335f5f124fc00de38e5db1a4d0f6785
Signed-off-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38460
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
When `mode_validate` was added, a second copy of `mode_layout` was
accidentally added to the multiple-mode-argument check instead. This
prevents `-f` from working. Fix the check to reference the correct
variable.
Change-Id: Ibac6f090550ff63ec9158355b0450da204a300a7
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/36049
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Add an option to ifdtool which validates that the flash regions defined
in the descriptor match the corresponding areas in the FMAP.
BUG=chromium:992215
TEST=Ran 'ifdtool -t' with a good bios image and verify no issues
run 'ifdtool -t' with a bad bios image and verify expected issues
Signed-off-by: Mathew King <mathewk@chromium.org>
Change-Id: Idebf105dee1b8f829d54bd65c82867af7aa4aded
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34802
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
These functions are only used in ifdtool, so they can be made static.
Change-Id: Ia48bfecb89a7445dbd0f140acb5ac0592da2ebe7
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33860
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
Instead of assuming GbE/PDR/EC regions may exist or not, check if there
is a valid region defined in the descriptor and set the region access
permissions based on that.
The net effect change is to enable the use of the PDR region on the
sarien platform, which also uses the GbE and EC regions.
This results in the following example changes:
mb/google/sarien (GbE, PDR, EC)
. DESC BIOS ME GbE PDR EC
-BIOS r rw rw r
-------------------------------
+BIOS r rw rw rw r
mb/google/eve: (no GbE, no PDR, no EC)
. DESC BIOS ME GbE PDR EC
-BIOS r rw rw r
-ME r rw r
-GbE r rw
-EC r rw
-------------------------------
+BIOS r rw
+ME r rw
+GbE
+EC
BUG=b:134703987
Change-Id: I7aeffc8f8194638c6012340b43aea8f8460d268a
Signed-off-by: Duncan Laurie <dlaurie@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33273
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
As the previous comment indicated, this null check is
currently superfluous, but adding it in makes Coverity
happy, and future-proofs the code in case someone changes
the internals of 'find_fcba' later and forgets/doesn't know
to update this error check.
Found-by: Coverity Scan #1395066
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Change-Id: I594cd0098f5b36cef5b3efc4c904710d3ba9b815
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32691
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Allow EC region to be readable by BIOS/CPU so that flashrom
can read it.
BUG=b:123199222
TEST=Build coreboot with CONFIG_LOCK_MANAGEMENT_ENGINE set,
run firmware_LockedME test.
Change-Id: I306c74a0893355e57632a22a712b1f4fdaa19306
Signed-off-by: Bora Guvendik <bora.guvendik@intel.com>
Reviewed-on: https://review.coreboot.org/c/31377
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Version 2 IFD will have flmstr5 as EC region access control, consider it
during descriptor lock/unlock process.
BUG=N/A
TEST=Build coreboot with CONFIG_LOCK_MANAGEMENT_ENGINE set, and check
flmstr5 value by hexdump the SPI image at offset FMBA+0x90.
Signed-off-by: Lijian Zhao <lijian.zhao@intel.com>
Change-Id: I970064dcf6114a15f054ab7c44349841deb99dc8
Reviewed-on: https://review.coreboot.org/c/31111
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Cannonlake and Icelake have the same read/write region permission settings
as skylake and kabylake, so add it here as well.
BUG=b:123199222
TEST=Turn on CONFIG_LOCK_MANAGEMENT_ENGINE and build image, check the
setting matches 0x0D for read and 0x04 for write.
Signed-off-by: Lijian Zhao <lijian.zhao@intel.com>
Change-Id: I71d8b815c7dff7dcbcff2bf77c85ebf80b8df6d2
Reviewed-on: https://review.coreboot.org/c/31104
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
The old version was unnecessarily complex and allowed one region to
include the other.
Change-Id: Ibf7faf8103c8945b82c3962b5a7b82c3288b871f
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/30673
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Port the newest feature of me_cleaner to ifdtool
(https://github.com/corna/me_cleaner/ , Discussed in
https://github.com/corna/me_cleaner/issues/53 ) to
set AltMeDisable (or HAP for skylake/ME11) bit to the
IFD to disable ME.
In this commit I use (ifd_version >= IFD_VERSION_2) to
judge whether HAP instead of AltMeDisable should be set,
since this condition is only fulfilled on skylake
or newer platforms.
This feature needs to guess ich revision, which needs
guess_ich_chipset() from flashrom to be ported here.
Routines to dump those bits are also added.
Change-Id: I9a2ecc60cfbb9ee9d96f15be3d53226cb428729a
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21437
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
The Upper Map section in the descriptor contains a database of flash
chips (VSCC Table). Its offset is located at a fixed offset from
the beginning of the image. ifdtool falsely calculates the offset
from the descriptor signature which has moved by 16 bytes with
step b of the Ibex Peak (5 series) chipset. This produces bogus
output for all chipsets older than that.
This patch corrects the behavior by calculating the offset of
flumap by adding 4096 - 256 - 4 to the start of the image.
Change-Id: I14f029fe702c129dfd8069a58fbd41113700f7ef
Signed-off-by: Stefan Tauner <stefan.tauner@gmx.at>
Reviewed-on: https://review.coreboot.org/27858
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
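The offset problem described in the entry above, as an added example that is not ifdtool's code: a fixed-offset read returns the same word whether the signature sits at byte 0 or byte 16, while a signature-relative read tuned for offset 16 lands 16 bytes early on the older layout. The signature-relative variant, the helper names and the constructed images are assumptions made for illustration; 0x0FF0A55A is the flash descriptor signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FD_SIGNATURE  0x0FF0A55Au                /* flash descriptor signature */
#define FLUMAP_OFFSET ((size_t)(4096 - 256 - 4)) /* fixed offset given in the commit */

static uint32_t load32_le(const uint8_t *b)
{
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void store32_le(uint8_t *b, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		b[i] = (uint8_t)(v >> (8 * i));
}

/* Offset of the signature within the first 4 KiB, or -1 when absent. */
static long find_signature(const uint8_t *image, size_t size)
{
	for (size_t off = 0; off + 4 <= size && off < 4096; off += 4)
		if (load32_le(image + off) == FD_SIGNATURE)
			return (long)off;
	return -1;
}

/* Fixed-offset read: does not depend on where the signature sits. */
static int read_flumap_fixed(const uint8_t *image, size_t size, uint32_t *out)
{
	if (size < FLUMAP_OFFSET + 4)
		return -1;
	*out = load32_le(image + FLUMAP_OFFSET);
	return 0;
}

/* Hypothetical signature-relative read whose delta assumes a signature at 16. */
static int read_flumap_sigrel(const uint8_t *image, size_t size, uint32_t *out)
{
	long sig = find_signature(image, size);
	if (sig < 0 || (size_t)sig + FLUMAP_OFFSET - 16 + 4 > size)
		return -1;
	*out = load32_le(image + (size_t)sig + FLUMAP_OFFSET - 16);
	return 0;
}

/* Constructed 4 KiB descriptor: 0xff fill, signature, then a flumap value. */
static void make_image(uint8_t *img, size_t sig_off, uint32_t flumap)
{
	memset(img, 0xff, 4096);
	store32_le(img + sig_off, FD_SIGNATURE);
	store32_le(img + FLUMAP_OFFSET, flumap);
}

int main(void)
{
	static uint8_t img[4096];
	uint32_t fixed = 0, rel = 0;
	for (size_t sig_off = 0; sig_off <= 16; sig_off += 16) {
		make_image(img, sig_off, 0x12345678u);
		read_flumap_fixed(img, sizeof(img), &fixed);
		read_flumap_sigrel(img, sizeof(img), &rel);
		printf("signature at %2zu: fixed=0x%08x signature-relative=0x%08x\n",
		       sig_off, (unsigned)fixed, (unsigned)rel);
	}
	return 0;
}
```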
ifdtool has relied on one of the fields within FCBA(read_freq) to
determine whether a platform supports IFD_VERSION_1 or
IFD_VERSION_2. However, newer platforms like GLK and CNL do not have
read_freq field in FCBA and so the value of these bits cannot be used
as an indicator to distinguish IFD versions. In the long run, we need
to re-write ifdtool to have a better mapping of SoC to IFD fields. But
until that is done, this change adds a list of platforms that we know
do not support read_freq field but still use IFD_VERSION_2. This
change also updates GLK and CNL to pass in platform parameter to
ifdtool.
BUG=b:79109029, b:69270831
Change-Id: I36c49f4dcb480ad53b0538ad12292fb94b0e3934
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/26023
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
The default values used by ifdtool for setting region access control
do not match the expected values for SKL/KBL as per the SPI
programming guide. This change adds platform "sklkbl" that sets region
access control bits differently for SKL/KBL images.
BUG=b:76098647
BRANCH=poppy
TEST=Verified that the access control bits on KBL images are set
correctly.
Change-Id: I1328d8006c25be282b3223268d8f1fd0a64e2ed3
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/25306
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Using ifdtool to change layout on a 'ifd v2' file causes an error
about region type 5 not being valid.
The limit to check against is dynamic depending on ifd version, not
static.
Change-Id: Id4cdce4eac18fb0d171d1bdfa2044340bf93056a
Signed-off-by: Youness Alaoui <youness.alaoui@puri.sm>
Reviewed-on: https://review.coreboot.org/21962
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Martin Roth <martinroth@google.com>
Add find_fcba(), find_frba(), find_fmba(), find_fpsba()
and find_fmsba() to replace those copy-pasted addressings.
This commit is one separated from the original I6d05418c.
Change-Id: I98965711e4cb9792e5cc86cc4c1035559e0274f5
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21511
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Redesign some array-like structures as true arrays,
and rewrite functions to dump them as loops.
This commit is one separated from the original I6d05418c.
Change-Id: I161c9a2ae83d26e658d67d0804e943fff95fe076
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21510
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
There is no reason to keep a separate region_filenames array,
so I merge it into region_name(s).
This commit is one separated from the original I6d05418c.
Change-Id: I38489c6d3b3c161e9b0281188e6cdd0b62e38335
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21509
Reviewed-by: Nico Huber <nico.h@gmx.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Const-correct some functions which do not write back,
and use pointers to access existing region_t variables.
The last changeset is dismantled this time.
This commit is only focused on const-correctness.
Change-Id: I6d05418c8b32fa31dcd038a3e56f9aefe13fa9c4
Signed-off-by: Bill XIE <persmule@gmail.com>
Reviewed-on: https://review.coreboot.org/21288
Reviewed-by: Nico Huber <nico.h@gmx.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
In get_region, ifdtool assigns a not-known-to-be-aligned
pointer to a uint32_t *. Now you know and I know that it is
almost certainly aligned, but clang on OSX doesn't like this,
and it's a dicey thing to do in any event, just waiting
to hit someone hard at some future date.
Assign the pointer to a void * and use memmove to copy
the value to a uint32_t.
This usage is more portable to all little-endian architectures,
now, but is still not endian-safe. I doubt we'll ever care.
Change-Id: Ifb2f260c3363ab0f5b4a59e5a4e0b5ecf049fa96
Signed-off-by: Ronald G. Minnich <rminnich@gmail.com>
Reviewed-on: https://review.coreboot.org/19921
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
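An added example, not ifdtool's code, covering two entries in this log: the unaligned read fixed in the entry above (copy-based load next to an endian-safe byte-wise load) and the region overlap check from the earlier entry about one region including the other. The struct, the function names, the assumed 15-bit base/limit register layout in 4 KiB units and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical region record; limit is inclusive. */
struct region { uint32_t base, limit; };

/* Copy-based load, as in the commit: safe at any alignment, host byte order. */
static uint32_t load32_host(const void *p)
{
	uint32_t v;
	memcpy(&v, p, sizeof(v));
	return v;
}

/* Byte-wise load: safe at any alignment and little-endian on every host. */
static uint32_t load32_le(const void *p)
{
	const uint8_t *b = p;
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
	       (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Assumed layout: 15-bit base (bits 14:0) and limit (bits 30:16), 4 KiB units. */
static struct region decode_flreg(uint32_t flreg)
{
	struct region r;
	r.base = (flreg & 0x7fff) << 12;
	r.limit = (((flreg >> 16) & 0x7fff) << 12) | 0xfff;
	return r;
}

/* A region whose limit lies below its base is unused. */
static int region_used(struct region r) { return r.limit >= r.base; }

/* True when two used regions share a byte; full containment counts too. */
static int regions_overlap(struct region a, struct region b)
{
	return region_used(a) && region_used(b) &&
	       a.base <= b.limit && b.base <= a.limit;
}

/* Count overlapping pairs among n packed little-endian region registers. */
static int count_overlaps(const uint8_t *regs, size_t n)
{
	int hits = 0;
	for (size_t i = 0; i < n; i++)
		for (size_t j = i + 1; j < n; j++)
			hits += regions_overlap(decode_flreg(load32_le(regs + 4 * i)),
						decode_flreg(load32_le(regs + 4 * j)));
	return hits;
}

/* Constructed sample: one pad byte so the registers sit at an odd address. */
static const uint8_t sample[] = { 0xaa,
	0x00, 0x00, 0x00, 0x00,   /* 0x000000-0x000fff */
	0x01, 0x00, 0xff, 0x03,   /* 0x001000-0x3fffff */
	0x00, 0x01, 0xff, 0x01,   /* 0x100000-0x1fffff, inside the previous one */
	0xff, 0x7f, 0x00, 0x00 }; /* base above limit: unused */

int main(void)
{
	printf("second register (host order): 0x%08x\n", (unsigned)load32_host(sample + 5));
	printf("overlapping pairs: %d\n", count_overlaps(sample + 1, 4));
	return 0;
}
```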
Without this change, error "Unknown descriptor version: 4" will be
returned if this frequency is selected (seen on GLKRVP)
Change-Id: Ib5bfb996b85c7245d8f9c70988bfd5bbac882d74
Signed-off-by: Hannah Williams <hannah.williams@intel.com>
Reviewed-on: https://review.coreboot.org/18688
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins)
With coreboot 4.4 switched to "Descriptor mode" for Lenovo T500
it automatically unlocks all flash regions. For Gbe region
the "Requester ID" was hardcoded resulting in *dead* Gbe.
Keep board specific "Requester ID" while unlocking Gbe region.
Allows Lenovo T500 to boot with IFD "Descriptor mode" with unlocked
flash regions.
Signed-off-by: Patrick Rudolph <siro@das-labor.org>
Change-Id: Ia4b5d1928e84bee42182fc83020e3a13fadc93c4
Reviewed-on: https://review.coreboot.org/18055
Tested-by: build bot (Jenkins)
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Apollo Lake uses yet another descriptor format where only two masters
are used: CPU/BIOS and CSE/TXE. CSE stores data in a region number 5
that has not been used previously and CPU must not write it. Add quirk
(-p aplk) that locks descriptor according to recommended values.
BUG=chrome-os-partner:58974
TEST=ifdtool -p aplk -l bios.bin; ifdtool -d bios.bin.new. Make sure
FLMSTR1 and FLMSTR2 are set correctly. unlock with -l and make sure
FLMSTRs are restored.
Change-Id: I3f33372bef3ff75d0e34030694c79cd07d5540de
Signed-off-by: Andrey Petrov <andrey.petrov@intel.com>
Reviewed-on: https://review.coreboot.org/17202
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin@chromium.org>