Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/25196
Change subject: security/flash: Add SPI flash protection
......................................................................
security/flash: Add SPI flash protection
* get/set write protection for SPI flash.
* GPIO weak function for WP pin lookup (VBOOT).
Change-Id: I12656d7c111ed3622fab5578f6e0c462fe5d4796
Signed-off-by: zaolin <zaolin(a)das-labor.org>
---
M src/security/Kconfig
M src/security/Makefile.inc
A src/security/flash/Kconfig
A src/security/flash/Makefile.inc
A src/security/flash/flash.c
A src/security/flash/flash.h
6 files changed, 229 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/96/25196/1
diff --git a/src/security/Kconfig b/src/security/Kconfig
index 6a334ac..006d089 100644
--- a/src/security/Kconfig
+++ b/src/security/Kconfig
@@ -14,3 +14,4 @@
source "src/security/vboot/Kconfig"
source "src/security/tpm/Kconfig"
+source "src/security/flash/Kconfig"
diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc
index a940b82..413f7d0 100644
--- a/src/security/Makefile.inc
+++ b/src/security/Makefile.inc
@@ -1,2 +1,3 @@
subdirs-y += vboot
subdirs-y += tpm
+subdirs-y += flash
diff --git a/src/security/flash/Kconfig b/src/security/flash/Kconfig
new file mode 100644
index 0000000..67e62c7
--- /dev/null
+++ b/src/security/flash/Kconfig
@@ -0,0 +1,102 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2017 Philipp Deppenwiese, Facebook, Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+menu "Flash write protection"
+
+config FLASH_SPI_PROTECTIONS
+ bool
+ default y if MAINBOARD_HAS_FLASH_SPI_PROTECTIONS || USER_FLASH_SPI_PROTECTIONS
+ depends on SPI_FLASH
+
+config FLASH_PCH_PROTECTIONS
+ bool
+ default y if MAINBOARD_HAS_FLASH_PCH_PROTECTIONS || USER_FLASH_PCH_PROTECTIONS
+
+config MAINBOARD_HAS_FLASH_PCH_PROTECTIONS
+ bool
+
+config MAINBOARD_HAS_FLASH_SPI_PROTECTIONS
+ bool
+
+if !MAINBOARD_HAS_FLASH_SPI_PROTECTIONS && !MAINBOARD_HAS_FLASH_PCH_PROTECTIONS
+
+choice
+ prompt "Type"
+ default USER_FLASH_PCH_PROTECTIONS
+
+config USER_FLASH_SPI_PROTECTIONS
+ bool "SPI flash"
+ help
+ Enable this option to enable SPI flash write protection.
+
+config USER_FLASH_PCH_PROTECTIONS
+ bool "Platform PCH"
+ help
+ Enable this option to enable PCH flash write protection.
+
+endchoice
+
+endif
+
+config FLASH_MODE_VBOOT
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_VBOOT || USER_FLASH_SPI_PROTECTIONS
+ depends on VBOOT
+
+config FLASH_MODE_BIOS
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_BIOS || USER_FLASH_PCH_PROTECTIONS
+
+config FLASH_MODE_EVERYTHING
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_EVERYTHING || USER_FLASH_PCH_PROTECTIONS
+
+config MAINBOARD_HAS_FLASH_MODE_VBOOT
+ bool
+
+config MAINBOARD_HAS_FLASH_MODE_BIOS
+ bool
+
+config MAINBOARD_HAS_FLASH_MODE_EVERYTHING
+ bool
+
+if !MAINBOARD_HAS_FLASH_MODE_VBOOT && !MAINBOARD_HAS_FLASH_MODE_BIOS && !MAINBOARD_HAS_FLASH_MODE_EVERYTHING
+
+choice
+ prompt "Mode"
+ default USER_NO_FLASH_PROTECTION
+
+config USER_NO_FLASH_PROTECTION
+ bool "disabled"
+
+config USER_FLASH_MODE_VBOOT
+ bool "Verified Boot"
+ help
+ Enable this option to enable VBoot mode.
+
+config USER_FLASH_MODE_BIOS
+ bool "BIOS region"
+ help
+ Enable this option to enable BIOS region write protection.
+
+config USER_FLASH_MODE_EVERYTHING
+ bool "Entire SPI flash"
+ help
+ Enable this option to enable entire flash write protection.
+
+endchoice
+
+endif
+
+endmenu
diff --git a/src/security/flash/Makefile.inc b/src/security/flash/Makefile.inc
new file mode 100644
index 0000000..50d4a7a
--- /dev/null
+++ b/src/security/flash/Makefile.inc
@@ -0,0 +1,5 @@
+## flash
+
+verstage-y += flash.c
+romstage-y += flash.c
+ramstage-y += flash.c
diff --git a/src/security/flash/flash.c b/src/security/flash/flash.c
new file mode 100644
index 0000000..b103909
--- /dev/null
+++ b/src/security/flash/flash.c
@@ -0,0 +1,96 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <commonlib/region.h>
+#include <fmap.h>
+#include <security/flash/flash.h>
+#include <spi_flash.h>
+
+#define FMAP_VBOOT_RO_REGION "WP_RO"
+#define FMAP_BIOS_REGION "BIOS"
+#define FMAP_FLASH_REGION "FLASH"
+
+__attribute__((weak)) int gpio_get_wp_state(void) { return 0; }
+
+int set_write_protect_enabled(void)
+{
+ int result = -1;
+ struct region region;
+
+ if (IS_ENABLED(CONFIG_FLASH_SPI_PROTECTIONS)) {
+ struct spi_flash flash;
+
+ spi_init();
+ if (spi_flash_probe(0, 0, &flash))
+ return result;
+
+ if (IS_ENABLED(CONFIG_FLASH_MODE_VBOOT)) {
+ if (fmap_locate_area(FMAP_VBOOT_RO_REGION, ®ion) ==
+ 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_BIOS)) {
+ if (fmap_locate_area(FMAP_BIOS_REGION, ®ion) == 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_EVERYTHING)) {
+ if (fmap_locate_area(FMAP_FLASH_REGION, ®ion) == 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_PCH_PROTECTIONS)) {
+ }
+
+ return result;
+}
+
+int get_write_protect_state(void)
+{
+ int result = -1;
+ struct region region;
+
+ if (IS_ENABLED(CONFIG_FLASH_SPI_PROTECTIONS)) {
+ struct spi_flash flash;
+
+ spi_init();
+ if (spi_flash_probe(0, 0, &flash))
+ return result;
+
+ if (IS_ENABLED(CONFIG_FLASH_MODE_VBOOT)) {
+ if (fmap_locate_area(FMAP_VBOOT_RO_REGION, ®ion) ==
+ 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ result &= gpio_get_wp_state();
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_BIOS)) {
+ if (fmap_locate_area(FMAP_BIOS_REGION, ®ion) == 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_EVERYTHING)) {
+ if (fmap_locate_area(FMAP_FLASH_REGION, ®ion) == 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ }
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_PCH_PROTECTIONS)) {
+ }
+
+ return result;
+}
diff --git a/src/security/flash/flash.h b/src/security/flash/flash.h
new file mode 100644
index 0000000..bbd60df
--- /dev/null
+++ b/src/security/flash/flash.h
@@ -0,0 +1,24 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef FLASH_H_
+#define FLASH_H_
+
+int gpio_get_wp_state(void);
+
+int set_write_protect_enabled(void);
+int get_write_protect_state(void);
+
+#endif /* FLASH_H_ */
--
To view, visit https://review.coreboot.org/25196
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I12656d7c111ed3622fab5578f6e0c462fe5d4796
Gerrit-Change-Number: 25196
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki(a)gmail.com>