<p>Julien Viard de Galbert has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/25441">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">soc/intel/denverton_ns: Lock SPIBAR<br><br>Allow flash access when "Security Override" is set.<br>Don't lock when relax_security is set.<br><br>Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9<br>Signed-off-by: Julien Viard de Galbert <jviarddegalbert@online.net><br>---<br>M src/soc/intel/common/block/fast_spi/fast_spi_def.h<br>M src/soc/intel/denverton_ns/lpc.c<br>2 files changed, 58 insertions(+), 1 deletion(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/41/25441/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/soc/intel/common/block/fast_spi/fast_spi_def.h b/src/soc/intel/common/block/fast_spi/fast_spi_def.h</span><br><span>index a389e34..324006d 100644</span><br><span>--- a/src/soc/intel/common/block/fast_spi/fast_spi_def.h</span><br><span>+++ b/src/soc/intel/common/block/fast_spi/fast_spi_def.h</span><br><span>@@ -37,7 +37,7 @@</span><br><span> #define SPIBAR_DLOCK                   0x0c</span><br><span> #define SPIBAR_FDATA(n)                 (0x10 + ((n) & 0xf) * 4)</span><br><span> #define SPIBAR_FPR_BASE                 0x84</span><br><span style="color: hsl(0, 100%, 40%);">-#define SPIBAR_FPR(n)                       0x84 + (4 * n))</span><br><span style="color: hsl(120, 100%, 40%);">+#define SPIBAR_FPR(n)                  (0x84 + (4 * n))</span><br><span> #define SPIBAR_PREOP                        0xA4</span><br><span> #define SPIBAR_OPTYPE                   0xA6</span><br><span> #define SPIBAR_OPMENU_LOWER             0xA8</span><br><span>@@ -71,6 +71,7 @@</span><br><span> #define SPIBAR_HSFSTS_FLOCKDN               (1 << 15)</span><br><span> #define SPIBAR_HSFSTS_FDV            (1 << 14)</span><br><span> #define SPIBAR_HSFSTS_FDOPSS         (1 << 13)</span><br><span style="color: hsl(120, 100%, 40%);">+#define SPIBAR_HSFSTS_PRR34_LOCKDN     (1 << 12)</span><br><span> #define SPIBAR_HSFSTS_WRSDIS         (1 << 11)</span><br><span> #define SPIBAR_HSFSTS_SAF_CE         (1 << 8)</span><br><span> #define SPIBAR_HSFSTS_SAF_ACTIVE      (1 << 7)</span><br><span>diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c</span><br><span>index 1ac0961..8f2542a 100644</span><br><span>--- a/src/soc/intel/denverton_ns/lpc.c</span><br><span>+++ b/src/soc/intel/denverton_ns/lpc.c</span><br><span>@@ -2,6 +2,7 @@</span><br><span>  * This file is part of the coreboot project.</span><br><span>  *</span><br><span>  * Copyright (C) 2014 - 2017 Intel Corporation.</span><br><span style="color: hsl(120, 100%, 40%);">+ * Copyright (C) 2018 Online SAS</span><br><span>  *</span><br><span>  * This program is free software; you can redistribute it and/or modify</span><br><span>  * it under the terms of the GNU General Public License as published by</span><br><span>@@ -25,6 +26,7 @@</span><br><span> #include <cpu/x86/smm.h></span><br><span> #include <bootstate.h></span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+#include <fsp/api.h></span><br><span> #include <soc/lpc.h></span><br><span> #include <soc/pci_devs.h></span><br><span> #include <soc/ramstage.h></span><br><span>@@ -32,6 +34,10 @@</span><br><span> #include <soc/pcr.h></span><br><span> #include <soc/p2sb.h></span><br><span> #include <soc/acpi.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <fast_spi_def.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <intelblocks/fast_spi.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <spi_flash.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <spi-generic.h></span><br><span> </span><br><span> #include "chip.h"</span><br><span> </span><br><span>@@ -326,8 +332,58 @@</span><br><span>       .device = LPC_DEVID,</span><br><span> };</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static void spi_lock_bar(bool relax_security)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+      void *spibar = fast_spi_get_bar();</span><br><span style="color: hsl(120, 100%, 40%);">+    uint32_t reg32, hsfs;</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Check SPIBAR */</span><br><span style="color: hsl(120, 100%, 40%);">+    hsfs = read32(spibar + SPIBAR_HSFSTS_CTL);</span><br><span style="color: hsl(120, 100%, 40%);">+    if (!(hsfs & SPIBAR_HSFSTS_FDOPSS)) {</span><br><span style="color: hsl(120, 100%, 40%);">+             /* When the flash security override strap is set, allow flashrom</span><br><span style="color: hsl(120, 100%, 40%);">+                 to update the flash, this is done by clearing the protection</span><br><span style="color: hsl(120, 100%, 40%);">+                  and locking the configuration to ensure FSP notify will not</span><br><span style="color: hsl(120, 100%, 40%);">+                   change it again */</span><br><span style="color: hsl(120, 100%, 40%);">+         int i;</span><br><span style="color: hsl(120, 100%, 40%);">+                struct device *dev;</span><br><span style="color: hsl(120, 100%, 40%);">+           printk(BIOS_CRIT, "FLASH SECURITY OVERRIDE SET:"</span><br><span style="color: hsl(120, 100%, 40%);">+                              "DISABLE FLASH PROTECTIONS!\n");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+                /* disable protections FPR0-4 + GPR0 */</span><br><span style="color: hsl(120, 100%, 40%);">+               for (i = 0; i < 6; i++)</span><br><span style="color: hsl(120, 100%, 40%);">+                    write32(spibar + SPIBAR_FPR(i), 0);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+         /* Disable WPD and EISS */</span><br><span style="color: hsl(120, 100%, 40%);">+            dev = dev_find_slot(0, PCI_DEVFN(SPI_DEV, SPI_FUNC));</span><br><span style="color: hsl(120, 100%, 40%);">+         if (dev != NULL) {</span><br><span style="color: hsl(120, 100%, 40%);">+                    reg32 = pci_read_config32(dev, SPIBAR_BIOS_CONTROL);</span><br><span style="color: hsl(120, 100%, 40%);">+                  reg32 &= ~(SPIBAR_BIOS_CONTROL_EISS |</span><br><span style="color: hsl(120, 100%, 40%);">+                                SPIBAR_BIOS_CONTROL_WPD);</span><br><span style="color: hsl(120, 100%, 40%);">+                  /* lock to ensure FSP cannot change it */</span><br><span style="color: hsl(120, 100%, 40%);">+                     if (!relax_security)</span><br><span style="color: hsl(120, 100%, 40%);">+                          reg32 |= SPIBAR_BIOS_CONTROL_LOCK_ENABLE |</span><br><span style="color: hsl(120, 100%, 40%);">+                                     SPIBAR_BIOS_CONTROL_BILD;</span><br><span style="color: hsl(120, 100%, 40%);">+                    pci_write_config32(dev, SPIBAR_BIOS_CONTROL, reg32);</span><br><span style="color: hsl(120, 100%, 40%);">+          }</span><br><span style="color: hsl(120, 100%, 40%);">+     }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+   if (!relax_security) {</span><br><span style="color: hsl(120, 100%, 40%);">+                /* Lock SPIBAR */</span><br><span style="color: hsl(120, 100%, 40%);">+             hsfs |= SPIBAR_HSFSTS_FLOCKDN | SPIBAR_HSFSTS_PRR34_LOCKDN;</span><br><span style="color: hsl(120, 100%, 40%);">+           reg32 = read32(spibar + SPIBAR_DLOCK);</span><br><span style="color: hsl(120, 100%, 40%);">+                reg32 |= 0x11f0f;</span><br><span style="color: hsl(120, 100%, 40%);">+             write32(spibar + SPIBAR_DLOCK, reg32);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+              write32(spibar + SPIBAR_HSFSTS_CTL, hsfs);</span><br><span style="color: hsl(120, 100%, 40%);">+    }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static void finalize_chipset(void *unused)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   bool relax_security = fsp_relax_security();</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ spi_lock_bar(relax_security);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>      printk(BIOS_DEBUG, "Finalizing SMM.\n");</span><br><span>   outb(APM_CNT_FINALIZE, APM_CNT);</span><br><span> }</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/25441">change 25441</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/25441"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9 </div>
<div style="display:none"> Gerrit-Change-Number: 25441 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Julien Viard de Galbert <jviarddegalbert@online.net> </div>