<p>Bill XIE has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/21607">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">ifdtool: Port the feature to jail ME from me_cleaner<br><br>port the feature to "remove the ME/TXE Read/Write permissions<br> to the other regions (-d)" of<br> me_cleaner (https://github.com/corna/me_cleaner/) here.<br><br>Change-Id: I00533f4e2569c4763fbfc302bb460db1e60e5564<br>Signed-off-by: Bill XIE <persmule@gmail.com><br>---<br>M util/ifdtool/ifdtool.c<br>1 file changed, 31 insertions(+), 9 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/07/21607/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c<br>index dfdf547..86094b3 100644<br>--- a/util/ifdtool/ifdtool.c<br>+++ b/util/ifdtool/ifdtool.c<br>@@ -787,7 +787,7 @@<br>    write_image(filename, image, size);<br> }<br> <br>-static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd)<br>+static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd, bool jail_me)<br> {<br>        int wr_shift, rd_shift;<br>       /* TODO: Dynamically take Platform Data Region and GbE Region<br>@@ -850,15 +850,25 @@<br>                   */<br>                   fmba->flmstr1 = 0xffffff00 |<br>                               (fmba->flmstr1 & 0xff);<br>-<br>-                    fmba->flmstr2 = 0xffffff00 |<br>-                              (fmba->flmstr2 & 0xff);<br>-<br>+                    if (jail_me) {<br>+                               fmba->flmstr2 &= 0xff;<br>+                                /* ME can read ME. */<br>+                                fmba->flmstr2 |= 0x4 << rd_shift;<br>+                           /* ME can write ME. 
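Review bot: The new `jail_me` parameter is undocumented, and fmba_toggle_permission carries no header comment explaining how it relates to `lock_fd`; from the hunks shown it only alters the unlock path and is ignored while locking. A short comment above the signature would settle that for callers: `/* lock_fd: lock the descriptor and ME regions; jail_me: when unlocking, grant the ME master access to its own region only instead of all regions. */`. The function body continues outside this hunk.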
*/<br>+                               fmba->flmstr2 |= 0x4 << wr_shift;<br>+                   } else {<br>+                             fmba->flmstr2 = 0xffffff00 |<br>+                                      (fmba->flmstr2 & 0xff);<br>+                       }<br>                     fmba->flmstr3 = 0xffffff00 |<br>                               (fmba->flmstr3 & 0xff);<br>                } else {<br>                      fmba->flmstr1 = 0xffff0000;<br>-                       fmba->flmstr2 = 0xffff0000;<br>+                       if (jail_me) {<br>+                               fmba->flmstr2 = 0x04040000;<br>+                       } else {<br>+                             fmba->flmstr2 = 0xffff0000;<br>+                       }<br>                     /* Keep chipset specific Requester ID */<br>                      fmba->flmstr3 = 0x08080000 |<br>                               (fmba->flmstr3 & 0xffff);<br>@@ -1133,6 +1143,9 @@<br>              "                                      Dual Output Fast Read Support\n"<br>             "   -l | --lock                        Lock firmware descriptor and ME region\n"<br>            "   -u | --unlock                      Unlock firmware descriptor and ME region\n"<br>+         "   -j | --jail                        Unlock firmware descriptor and ME region,\n"<br>+        "                                      and remove the ME/TXE's Read/Write permissions\n"<br>+               "                                      to the other regions\n"<br>              "   -p | --platform                    Add platform-specific quirks\n"<br>              "                                      aplk - Apollo Lake\n"<br>                "   -v | --version:                    print the version\n"<br>@@ -1145,7 +1158,7 @@<br> {<br>       int opt, option_index = 0;<br>    int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;<br>-      int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0;<br>+      int mode_em100 = 0, 
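Review bot: The ME region bit is spelled three different ways in the jail branches — `0x4 << rd_shift`, `0x4 << wr_shift` for the newer descriptor layout and the literal `0x04040000` for the older one — so the two layouts can drift apart if either shift value changes. If the older layout's read/write shifts are 16 and 24, as the neighbouring `0xffff0000` suggests, the second branch can reuse the same form, `fmba->flmstr2 = (0x4 << rd_shift) | (0x4 << wr_shift);`, and `0x4` deserves a named constant or at least `/* bit 2 = ME region */`, since the only hint today is the prose comment. `fmba->flmstr2 &= 0xff;` keeps the Requester ID in the low byte, matching the sibling `(fmba->flmstr2 & 0xff)` expressions, which is worth stating in a comment so it is not later "simplified" to `= 0`. Only the ME master (flmstr2) is restricted; flmstr1 still receives every region, which appears intended for an unlock. Both arms of the enclosing if/else begin outside this hunk.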
mode_locked = 0, mode_unlocked = 0, mode_jail = 0;<br>        int mode_layout = 0, mode_newlayout = 0, mode_density = 0;<br>    char *region_type_string = NULL, *region_fname = NULL;<br>        const char *layout_fname = NULL;<br>@@ -1165,13 +1178,14 @@<br>             {"em100", 0, NULL, 'e'},<br>            {"lock", 0, NULL, 'l'},<br>             {"unlock", 0, NULL, 'u'},<br>+          {"jail", 0, NULL, 'j'},<br>             {"version", 0, NULL, 'v'},<br>          {"help", 0, NULL, 'h'},<br>             {"platform", 0, NULL, 'p'},<br>                 {0, 0, 0, 0}<br>  };<br> <br>-        while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:eluvh?",<br>+    while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:elujvh?",<br>                              long_options, &option_index)) != EOF) {<br>                 switch (opt) {<br>                case 'd':<br>@@ -1322,6 +1336,14 @@<br>                             exit(EXIT_FAILURE);<br>                   }<br>                     break;<br>+               case 'j':<br>+                    mode_unlocked = 1;<br>+                   mode_jail = 1;<br>+                       if (mode_locked == 1) {<br>+                              fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");<br>+                           exit(EXIT_FAILURE);<br>+                  }<br>+                    break;<br>                case 'p':<br>                     if (!strcmp(optarg, "aplk")) {<br>                              platform = PLATFORM_APOLLOLAKE;<br>@@ -1422,7 +1444,7 @@<br> <br>     if (mode_locked || mode_unlocked) {<br>           fmba_t *fmba = find_fmba(image, size);<br>-               fmba_toggle_permission(fmba, mode_locked);<br>+           fmba_toggle_permission(fmba, mode_locked, mode_jail);<br>                 write_image(filename, image, size);<br>   }<br> <br></pre><p>To view, visit <a href="https://review.coreboot.org/21607">change 21607</a>. 
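Review bot: The `case 'j':` block sets `mode_unlocked = 1` alongside `mode_jail = 1` without a comment, so a reader of the option parser cannot tell whether `-j` is a variant of `-u` or an independent mode, and the lock/unlock exclusivity check is repeated verbatim from the neighbouring cases. A one-line comment resolves the first point: `/* -j is -u with the ME master restricted to its own region */`. Whether `-j -l` in that order is rejected depends on the `case 'l':` body, which lies outside this hunk and presumably tests `mode_unlocked`. The enclosing getopt loop and switch start outside the hunk.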

<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I00533f4e2569c4763fbfc302bb460db1e60e5564 </div>
<div style="display:none"> Gerrit-Change-Number: 21607 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Bill XIE <persmule@gmail.com> </div>