Aamir Bohra has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/37708 )
Change subject: mb/intel/icelake_rvp: Use board ID and spd index from mainboard common
......................................................................
mb/intel/icelake_rvp: Use board ID and spd index from mainboard common
Change-Id: I5d1a8a6da855b7ec2906a135a60ca2902307fd4c
Signed-off-by: Aamir Bohra <aamir.bohra(a)intel.com>
---
M src/mainboard/intel/icelake_rvp/Makefile.inc
D src/mainboard/intel/icelake_rvp/board_id.c
D src/mainboard/intel/icelake_rvp/board_id.h
M src/mainboard/intel/icelake_rvp/romstage_fsp_params.c
M src/mainboard/intel/icelake_rvp/spd/spd_util.c
M src/soc/intel/icelake/Kconfig
6 files changed, 4 insertions(+), 91 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/08/37708/1
diff --git a/src/mainboard/intel/icelake_rvp/Makefile.inc b/src/mainboard/intel/icelake_rvp/Makefile.inc
index 74d02cb..c9c817f 100644
--- a/src/mainboard/intel/icelake_rvp/Makefile.inc
+++ b/src/mainboard/intel/icelake_rvp/Makefile.inc
@@ -22,12 +22,10 @@
romstage-$(CONFIG_CHROMEOS) += chromeos.c
romstage-y += romstage_fsp_params.c
-romstage-y += board_id.c
ramstage-$(CONFIG_CHROMEOS) += chromeos.c
ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_HDA_VERB) += hda_verb.c
ramstage-y += mainboard.c
-ramstage-y += board_id.c
subdirs-y += variants/baseboard
CPPFLAGS_common += -I$(src)/mainboard/$(MAINBOARDDIR)/variants/baseboard/include
diff --git a/src/mainboard/intel/icelake_rvp/board_id.c b/src/mainboard/intel/icelake_rvp/board_id.c
deleted file mode 100644
index c0def22..0000000
--- a/src/mainboard/intel/icelake_rvp/board_id.c
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- * Copyright (C) 2018 Intel Corporation.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
-#include "board_id.h"
-#include <boardid.h>
-#include <ec/acpi/ec.h>
-#include <stdint.h>
-#include <ec/google/chromeec/ec.h>
-
-static int get_board_id_via_ext_ec(void)
-{
- uint32_t id = BOARD_ID_INIT;
-
- if (google_chromeec_get_board_version(&id))
- id = BOARD_ID_UNKNOWN;
-
- return id;
-}
-
-/* Get Board ID via EC I/O port write/read */
-int get_board_id(void)
-{
- MAYBE_STATIC_NONZERO int id = -1;
-
- if (id < 0) {
- if (CONFIG(EC_GOOGLE_CHROMEEC))
- id = get_board_id_via_ext_ec();
- else{
- uint8_t buffer[2];
- uint8_t index;
- if (send_ec_command(EC_FAB_ID_CMD) == 0) {
- for (index = 0; index < sizeof(buffer); index++)
- buffer[index] = recv_ec_data();
- id = (buffer[0] << 8) | buffer[1];
- }
- }
- }
-
- return id;
-}
diff --git a/src/mainboard/intel/icelake_rvp/board_id.h b/src/mainboard/intel/icelake_rvp/board_id.h
deleted file mode 100644
index 3ccfe37..0000000
--- a/src/mainboard/intel/icelake_rvp/board_id.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * This file is part of the coreboot project.
- *
- * Copyright (C) 2018 Intel Corporation.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- */
-
-#ifndef _MAINBOARD_BOARD_ID_H_
-#define _MAINBOARD_BOARD_ID_H_
-
-/* Board/FAB ID Command */
-#define EC_FAB_ID_CMD 0x0D
-
-/*
- * Returns board information (board id[15:8] and
- * Fab info[7:0]) on success and < 0 on error
- */
-int get_board_id(void);
-
-#endif /* _MAINBOARD_BOARD_ID_H_ */
diff --git a/src/mainboard/intel/icelake_rvp/romstage_fsp_params.c b/src/mainboard/intel/icelake_rvp/romstage_fsp_params.c
index 5a4d681..5db6f18 100644
--- a/src/mainboard/intel/icelake_rvp/romstage_fsp_params.c
+++ b/src/mainboard/intel/icelake_rvp/romstage_fsp_params.c
@@ -15,15 +15,15 @@
#include <console/console.h>
#include <fsp/api.h>
+#include <intel_mb/spd.h>
#include <soc/romstage.h>
#include <spd_bin.h>
-#include "board_id.h"
#include "spd/spd.h"
void mainboard_memory_init_params(FSPM_UPD *mupd)
{
FSP_M_CONFIG *mem_cfg = &mupd->FspmConfig;
- u8 spd_index = (get_board_id() & 0x1F) & 0x7;
+ u8 spd_index = get_spd_index();
printk(BIOS_DEBUG, "spd index is 0x%x\n", spd_index);
if (spd_index > 0 && spd_index != 2) {
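Review bot: The value returned by `get_spd_index()` is now used without any visible bound, where the removed line masked the board ID with `& 0x7` at the call site. The helper is declared in `<intel_mb/spd.h>`, which is not part of this change, so it cannot be confirmed from here whether it keeps that mask or what it returns when the EC read fails (the deleted `get_board_id()` stayed at -1 when `send_ec_command()` failed, which the old mask reduced to 7). Since this EC-supplied index appears to select the SPD data passed on for memory init, I would either keep the bound local, `u8 spd_index = get_spd_index() & 0x7;`, or add a comment stating the range the common helper guarantees. The same question applies to the callers in spd/spd_util.c, whose static `get_spd_index()` is removed further down; `mainboard_memory_init_params()` continues past the end of this hunk.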
diff --git a/src/mainboard/intel/icelake_rvp/spd/spd_util.c b/src/mainboard/intel/icelake_rvp/spd/spd_util.c
index d7babbd..cae3974 100644
--- a/src/mainboard/intel/icelake_rvp/spd/spd_util.c
+++ b/src/mainboard/intel/icelake_rvp/spd/spd_util.c
@@ -15,10 +15,10 @@
#include <arch/cpu.h>
#include <intelblocks/mp_init.h>
+#include <intel_mb/spd.h>
#include <stdint.h>
#include <string.h>
-#include "../board_id.h"
#include "spd.h"
enum icl_dimm_type {
@@ -47,13 +47,6 @@
memcpy(dq_map_ptr, dq_map, sizeof(dq_map));
}
-static uint8_t get_spd_index(void)
-{
- uint8_t spd_index = (get_board_id() & 0x1F) & 0x7;
-
- return spd_index;
-}
-
void mainboard_fill_dqs_map_ch0(void *dqs_map_ptr)
{
/* DQS CPU<>DRAM map Ch0 */
diff --git a/src/soc/intel/icelake/Kconfig b/src/soc/intel/icelake/Kconfig
index 7f1cd89..09b22d5 100644
--- a/src/soc/intel/icelake/Kconfig
+++ b/src/soc/intel/icelake/Kconfig
@@ -26,6 +26,7 @@
select INTEL_GMA_ACPI
select INTEL_GMA_ADD_VBT if RUN_FSP_GOP
select IOAPIC
+ select MAINBOARD_INTEL_COMMON
select MRC_SETTINGS_PROTECT
select PARALLEL_MP
select PARALLEL_MP_AP_WORK
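Review bot: `select MAINBOARD_INTEL_COMMON` is added to the SoC-level Kconfig, so every mainboard built on this SoC would pull in the Intel mainboard common code, while the commit subject and the other files touch only mb/intel/icelake_rvp. If the common board-ID and SPD helpers assume the Intel RVP EC interface (not visible here), this is a broader change than the subject describes; selecting the option from the icelake_rvp mainboard Kconfig would keep the scope matched. The enclosing `config` entry starts above this hunk, so the symbol being extended is inferred from the file path.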
--
To view, visit https://review.coreboot.org/c/coreboot/+/37708
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I5d1a8a6da855b7ec2906a135a60ca2902307fd4c
Gerrit-Change-Number: 37708
Gerrit-PatchSet: 1
Gerrit-Owner: Aamir Bohra <aamir.bohra(a)intel.com>
Gerrit-Reviewer: Aamir Bohra <aamir.bohra(a)intel.com>
Gerrit-Reviewer: Martin Roth <martinroth(a)google.com>
Gerrit-Reviewer: Patrick Georgi <pgeorgi(a)google.com>
Gerrit-Reviewer: Patrick Rudolph <siro(a)das-labor.org>
Gerrit-MessageType: newchange
Evgeny Zinoviev has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/38770 )
Change subject: Documentation: Add MacBook internal flashing tutorial
......................................................................
Documentation: Add MacBook internal flashing tutorial
Change-Id: I2650d5d60db7a29a1567e44e89b785def9342df2
Signed-off-by: Evgeny Zinoviev <me(a)ch1p.io>
---
M Documentation/flash_tutorial/int_flashrom.md
A Documentation/flash_tutorial/int_macbook.md
2 files changed, 294 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/70/38770/1
diff --git a/Documentation/flash_tutorial/int_flashrom.md b/Documentation/flash_tutorial/int_flashrom.md
index 28b534b..0ca59af 100644
--- a/Documentation/flash_tutorial/int_flashrom.md
+++ b/Documentation/flash_tutorial/int_flashrom.md
@@ -16,4 +16,9 @@
flashrom -p internal -w coreboot.rom
```
+## Vendor-specific
+
+- [Lenovo ThinkPad xx30 series](../lenovo/ivb_internal_flashing)
+- [Apple MacBook](int_macbook.md) - 2011-2012 models
+
[flashrom's wiki]: https://www.flashrom.org/Flashrom
diff --git a/Documentation/flash_tutorial/int_macbook.md b/Documentation/flash_tutorial/int_macbook.md
new file mode 100644
index 0000000..b0638ca
--- /dev/null
+++ b/Documentation/flash_tutorial/int_macbook.md
@@ -0,0 +1,289 @@
+# Apple MacBook internal flashing
+
+This page describes a method of flashing coreboot on 2011-2012 models of
+Apple MacBooks. Whether it can be used on other generations of MacBooks
+is unknown.
+
+This is a very delicate prodecure. Be very careful, check everything
+twice, especially the numbers. A single mistake may brick your machine
+and you'll have to flash the backup externally. Given this fact, you
+should have an external means of flashing, just in case.
+
+It was tested and confirmed to work on following models:
+- MacBook Air 5,2
+- MacBook Pro 8,1
+- MacBook Pro 10,1
+
+MacBook Air 4,2 should work too, but it's not tested.
+
+## Introduction
+
+Apple's "Think Different" slogan fits perfectly with their approach to
+firmware security. Besides the fact that they do not use SMM_BWP to
+protect SPI flash from being writable from userspace, they do not even
+protect Flash Descriptor (`fd`) and Management Engine (`me`) regions.
+
+The Intel Flash Descriptor is a data structure of fixed size (4KB)
+stored on the flash chip (resides in `0x0000-0x0fff`), that contains
+various information such as space allocated for each region on the
+flash, access permissions, some chipset configuration and more. In
+particular, it contains access permissions for `fd` and `me` regions.
+Normally they should be read-only in production, but Apple, for whatever
+reasons, keeps them read-write.
+
+Instead, they decided to use SPI Protected Range Registers (PR0-PR4) to
+set protection over `fd`, but here they failed again. Due to a bug in
+their firmware, `0x0000-0x0fff` is not write-protected after cold boot
+and becomes read-only only after resuming from S3. You can dump PRx
+protections by running `flashrom -p internal`.
+
+This is what you should see after a cold boot (if so, then you can use
+this guide):
+```
+PR0: Warning: 0x00190000-0x0066ffff is read-only.
+PR1: Warning: 0x00692000-0x01ffffff is read-only.
+```
+
+And this is after resuming from S3:
+```
+PR0: Warning: 0x00000000-0x00000fff is read-only.
+PR1: Warning: 0x00190000-0x0066ffff is read-only.
+PR2: Warning: 0x00692000-0x01ffffff is read-only.
+```
+
+So, after cold boot flash descriptor is not protected neither by PRx
+registers nor by access permissions bits on the flash descriptor itself.
+Under certain circumstances, **writable flash descriptor allows to flash
+whole SPI flash** by using a couple of tricks.
+
+The idea is that we can shrink ME firmware with me_cleaner, flash small
+coreboot image on the freed space and move reset vector there. Then
+power off, boot coreboot and flash full image, as there will be no more
+PRx set.
+
+## Stage 1. Flashing temporary BIOS
+
+#### Preparations
+
+Dump your ROM:
+```
+flashrom -p internal -r orig.bin
+```
+
+Please save this backup to an external drive. You may need it in case of
+failure.
+
+Extract flash layout:
+```
+ifdtool -f orig_layout.txt orig.bin
+cat orig_layout.txt
+```
+
+You should see something like or exactly this:
+```
+00000000:00000fff fd
+00190000:007fffff bios
+00001000:0018ffff me
+```
+If you compare these regions with what's protected by PR0 and PR1,
+you'll notice that `fd` and `me` regions are fully writable and only
+`bios` is protected. Writable ME region gives us around 1.5 MB which we
+can use for our goals.
+
+Extract flash regions from the dump into separate files:
+```
+ifdtool -x orig.bin
+```
+
+You can see that 3 new files were created:
+```
+ls flash*
+flashregion_0_flashdescriptor.bin flashregion_1_bios.bin flashregion_2_intel_me.bin
+```
+
+The ME firmware is ~1.5 MB in size, but we can truncate it with
+me_cleaner:
+```
+me_cleaner.py -t -r -O flashregion_2_intel_me_truncated.bin flashregion_2_intel_me.bin
+```
+
+The truncated firmware should be around 90K:
+```
+stat --printf=%s flashregion_2_intel_me_truncated.bin
+94208
+```
+
+Rename the original `flashregion_2_intel_me.bin` file to not mix them up
+in future:
+```
+mv flashregion_2_intel_me.bin flashregion_2_intel_me_orig.bin
+```
+
+Now we need to write a new flash layout. 128K is more than enough for
+the "neutered" ME firmware. We can use the rest for new `bios` region,
+but 892K is enough:
+
+```
+00000000:00000fff fd
+00001000:00020fff me
+00021000:000fffff bios
+00100000:007fffff pd
+```
+
+Note that we must allocate the remaining `0x100000-0x7fffff` for
+something to be able to address and flash it in future. Let's just mark
+it as `pd` (which stands for "Platform Data") for now.
+
+Save the new layout to a file `new_layout.txt` and update regions in the
+dump:
+```
+ifdtool -n new_layout.txt orig.bin
+```
+
+The updated image will be saved to `orig.bin.new`. Move it to a
+separate directory for convenience:
+```
+mkdir patched && cd $_
+mv ../orig.bin.new .
+```
+
+Extract flash regions again, now from the updated image:
+```
+fdtool -x orig.bin.new
+```
+
+By now we have new `flashregion_0_flashdescriptor.bin` file with our
+custom layout. Let's also move the patched ME here:
+```
+rm flashregion_2_intel_me.bin
+mv ../flashregion_2_intel_me_truncated.bin .
+```
+
+So far, so good. At this point our preparations for the first stage are
+finished and we're ready to configure coreboot.
+
+#### Configuring and flashing coreboot
+
+Run `make menuconfig` and configure as shown below. Note that you need
+to change **ROM chip size**, **CBFS size** and specify paths to modified
+`flashregion_0_flashdescriptor.bin` and
+`flashregion_2_intel_me_truncated.bin`.
+
+```
+Mainboard --->
+ Mainboard vendor (Apple)
+ Mainboard model () # Set according to your model
+ ROM chip size (1024 KB (1 MB))
+ (0xd0000) Size of CBFS filesystem in ROM
+
+Chipset --->
+ [*] Add Intel descriptor.bin file
+ (/path/to/patched/flashregion_0_flashdescriptor.bin) Path and filename of the descriptor.bin file
+ [*] Add Intel ME/TXE firmware
+ (/path/to/patched/flashregion_2_intel_me_truncated.bin) Path to management engine firmware
+ [ ] Verify the integrity of the supplied ME/TXE firmware
+ [ ] Strip down the Intel ME/TXE firmware
+ Protect flash regions (Unlock flash regions)
+```
+
+Then you need to decide which payload to use. For now, it's recommended
+to use GRUB2. Be sure to include a good config for it that can load variety
+of setups. SeaBIOS works too, but currently needs a patch for internal
+MacBook's keyboard to work.
+
+When configuration is done, run `make` to build coreboot. In the end you
+should have 1024 KB coreboot ROM at `build/coreboot.rom`. Flashrom won't
+accept it, because it's size must match the chip, so we have to make it
+8 MB. Just add 7 MB of zeroes:
+```
+dd if=/dev/zero of=7M.bin bs=1024 count=7168
+```
+```
+cat build/coreboot.rom 7M.bin > coreboot8.rom
+```
+
+Now cross your fingers and flash the new **`fd`** (`0x0000-0x0fff`),
+**`me`** (`0x1000-0x20fff`) and **`bios`** (`0x21000-0xfffff`) regions
+using the layout file:
+```
+flashrom -p internal -w coreboot8.rom -l new_layout.txt -i fd -N
+flashrom -p internal -w coreboot8.rom -l new_layout.txt -i me -N
+flashrom -p internal -w coreboot8.rom -l new_layout.txt -i bios -N
+```
+
+The first stage is completed. Power off the machine now. Reboot won't
+work: new flash descriptor becomes active on cold boot.
+
+On the next boot, if you're lucky and didn't do any mistake, coreboot
+will be loaded from the new `bios` region, and Apple's EFI, that still
+resides in `0x190000-0x7fffff`, will be ignored.
+
+## Stage 2. Flashing full ROM
+
+Now we can flash whole 8 MB chip, because no PRx are set anymore. Let's
+relayout the chip again.
+
+If you want to continue using truncated ME:
+```
+00000000:00000fff fd
+00001000:00020fff me
+00021000:007fffff bios
+```
+
+If you want to flash full ME firmware back:
+```
+00000000:00000fff fd
+00001000:0018ffff me
+00190000:007fffff bios
+```
+
+Save it to `final_layout.txt` and create new flash descriptor again.
+```
+mkdir patched2 && cd $_
+cp ../orig.bin .
+ifdtool -n final_layout.txt orig.bin
+ifdtool -x orig.bin.new
+```
+
+Go back to coreboot directory and run `make menuconfing`.
+
+In the **Mainboard** section change **ROM chip size** back to 8 MB and
+set **Size of CBFS** according to your needs: now you have plenty of
+space. `0x500000` or so should work just fine.
+
+In the **Chipset** section, update paths to the flash descriptor and ME
+firmware files. If you decided to stick to truncated ME, use
+`flashregion_2_intel_me_truncated.bin`, otherwise use
+`flashregion_2_intel_me_orig.bin`.
+
+```
+Mainboard --->
+ ROM chip size (8192 KB (8 MB))
+ (0x500000) Size of CBFS filesystem in ROM
+
+Chipset --->
+ [*] Add Intel descriptor.bin file
+
+ # Use the latest flashdescriptor from the patched2 directory
+ (/path/to/patched2/flashregion_0_flashdescriptor.bin) Path and filename of the descriptor.bin file
+
+ [*] Add Intel ME/TXE firmware
+ (/path/to/patched/flashregion_2_intel_me_truncated.bin) Path to management engine firmware
+ [ ] Verify the integrity of the supplied ME/TXE firmware
+ [ ] Strip down the Intel ME/TXE firmware
+```
+
+Save the config and `make` it again. Then flash `fd` and `bios`
+according to the `final_layout.txt`:
+```
+flashrom -p internal -w build/coreboot.rom -l final_layout.txt -i fd -N
+flashrom -p internal -w build/coreboot.rom -l final_layout.txt -i bios -N
+```
+
+If you changed ME firmware back to original, flash it as well:
+```
+flashrom -p internal -w build/coreboot.rom -l final_layout.txt -i me -N
+```
+
+Stage 2 is completed. Power off (reboot won't work again). On the next
+boot, you will have completely corebooted MacBook.
--
To view, visit https://review.coreboot.org/c/coreboot/+/38770
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I2650d5d60db7a29a1567e44e89b785def9342df2
Gerrit-Change-Number: 38770
Gerrit-PatchSet: 1
Gerrit-Owner: Evgeny Zinoviev <me(a)ch1p.io>
Gerrit-MessageType: newchange