<p>Nico Huber has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/21327">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">sb/intel/bd82x6x: Revise flash ROM lockdown options<br><br>The original options were named and described under the false assumption<br>that the chipset lockdown would only be executed during S3 resume. Fix<br>that.<br><br>Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95<br>Signed-off-by: Nico Huber <nico.h@gmx.de><br>---<br>M src/southbridge/intel/bd82x6x/Kconfig<br>M src/southbridge/intel/bd82x6x/finalize.c<br>2 files changed, 33 insertions(+), 20 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/21327/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig<br>index 9eb3111..fcaa139 100644<br>--- a/src/southbridge/intel/bd82x6x/Kconfig<br>+++ b/src/southbridge/intel/bd82x6x/Kconfig<br>@@ -75,29 +75,41 @@<br> if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK<br> <br> choice<br>- prompt "Flash ROM locking on S3 resume"<br>- default LOCK_SPI_ON_RESUME_NONE<br>+ prompt "Flash ROM locking during chipset lockdown"<br>+ default LOCK_SPI_FLASH_NONE<br> <br>-config LOCK_SPI_ON_RESUME_NONE<br>- bool "Don't lock ROM sections on S3 resume"<br>+config LOCK_SPI_FLASH_NONE<br>+ bool "Don't lock ROM sections"<br> <br>-config LOCK_SPI_ON_RESUME_RO<br>- bool "Lock all flash ROM sections on S3 resume"<br>+config LOCK_SPI_FLASH_RO<br>+ bool "Lock all flash ROM sections"<br> help<br>- If the flash ROM shall be protected against write accesses from the<br>- operating system (OS), the locking procedure has to be repeated after<br>- each resume from S3. 
Select this if you never want to update the flash<br>- ROM from within your OS. Notice: Even with this option, the write lock<br>- has still to be enabled on the normal boot path (e.g. by the payload).<br>+ Select this if you want to write-protect the whole firmware flash<br>+ chip. The locking will take place during the chipset lockdown, which<br>+ is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)<br>+ or has to be triggered later (e.g. by the payload or the OS).<br> <br>-config LOCK_SPI_ON_RESUME_NO_ACCESS<br>- bool "Lock and disable reads all flash ROM sections on S3 resume"<br>+ NOTE: If you trigger the chipset lockdown unconditionally,<br>+ you won't be able to write to the flash chip using the<br>+ internal programmer any more.<br>+<br>+#' fix syntax highlighting<br>+<br>+config LOCK_SPI_FLASH_NO_ACCESS<br>+ bool "Lock and disable reads for all flash ROM sections"<br> help<br>- If the flash ROM shall be protected against all accesses from the<br>- operating system (OS), the locking procedure has to be repeated after<br>- each resume from S3. Select this if you never want to update the flash<br>- ROM from within your OS. Notice: Even with this option, the lock<br>- has still to be enabled on the normal boot path (e.g. by the payload).<br>+ Select this if you want to protect the firmware flash against all<br>+ further accesses (with the exception of the memory mapped BIOS re-<br>+ gion which is always readable). 
The locking will take place during<br>+ the chipset lockdown, which is either triggered by coreboot (when<br>+ INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.<br>+ by the payload or the OS).<br>+<br>+ NOTE: If you trigger the chipset lockdown unconditionally,<br>+ you won't be able to write to the flash chip using the<br>+ internal programmer any more.<br>+<br>+#' fix syntax highlighting<br> <br> endchoice<br> <br>diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c<br>index a9cfa38..fe28af0 100644<br>--- a/src/southbridge/intel/bd82x6x/finalize.c<br>+++ b/src/southbridge/intel/bd82x6x/finalize.c<br>@@ -25,12 +25,13 @@<br> u16 tco1_cnt;<br> u16 pmbase;<br> <br>- if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {<br>+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) ||<br>+ IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) {<br> /* Copy flash regions from FREG0-4 to PR0-4<br> and enable write protection bit31 */<br> int i;<br> u32 lockmask = (1 << 31);<br>- if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)<br>+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS))<br> lockmask |= (1 << 15);<br> for (i = 0; i < 20; i += 4)<br> RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;<br></pre><p>To view, visit <a href="https://review.coreboot.org/21327">change 21327</a>. To unsubscribe, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/21327"/><meta itemprop="name" content="View Change"/></div></div>
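<p>Review bot: Renaming the choice symbols from LOCK_SPI_ON_RESUME_{NONE,RO,NO_ACCESS} to LOCK_SPI_FLASH_{NONE,RO,NO_ACCESS} in the Kconfig hunk means any saved .config or board Kconfig that still references the old names silently loses the lock and falls back to <code>default LOCK_SPI_FLASH_NONE</code>; please grep the tree for the old symbols and update them in the same change, or at least call out the migration in the commit message. The two <code>#' fix syntax highlighting</code> lines exist only to balance the apostrophe in "won't" for editors; writing "will not" in both NOTE paragraphs avoids committing an editor workaround to the Kconfig file. The new help text for LOCK_SPI_FLASH_NO_ACCESS correctly calls out the memory mapped BIOS region as the one exception to "all further accesses", which is the detail users of the read-lock variant most need.</p>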
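<p>Review bot: The comment "Copy flash regions from FREG0-4 to PR0-4 and enable write protection bit31" in the finalize.c hunk is stale for the LOCK_SPI_FLASH_NO_ACCESS case, where <code>lockmask |= (1 &lt;&lt; 15)</code> also sets the read-protect bit; since the condition lines directly above it are already being touched, update the comment to name both bits. The switch to IS_ENABLED() is consistent with how coreboot tests boolean Kconfig options and is the right change. Consider replacing the bare <code>(1 &lt;&lt; 31)</code> and <code>(1 &lt;&lt; 15)</code> with named macros so the difference between the RO and NO_ACCESS variants is readable at the call site. Finally, the commit message says the lock now takes effect during chipset lockdown on the normal boot path as well as S3 resume, but this hunk only renames the conditions; the caller of this function is not visible here, so please confirm it actually runs on the non-resume path the new help text promises.</p>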
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95 </div>
<div style="display:none"> Gerrit-Change-Number: 21327 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Nico Huber <nico.h@gmx.de> </div>