Jonathan Zhang has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/41981 )
Change subject: drivers/mrc_cache: generate debug messages for MRC cache update
......................................................................
drivers/mrc_cache: generate debug messages for MRC cache update
When an MRC cached data update is performed, messages are written to
the event log, which is flash based. For a system that does not have a
flash-based event log, the messages are lost.
Added corresponding BIOS_DEBUG messages.
Signed-off-by: Jonathan Zhang <jonzhang(a)fb.com>
Change-Id: I1ef4794151fea7213c8317ddc898b0e37da280b5
---
M src/drivers/mrc_cache/mrc_cache.c
1 file changed, 6 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/81/41981/1
diff --git a/src/drivers/mrc_cache/mrc_cache.c b/src/drivers/mrc_cache/mrc_cache.c
index 4e6e91c..73f5701 100644
--- a/src/drivers/mrc_cache/mrc_cache.c
+++ b/src/drivers/mrc_cache/mrc_cache.c
@@ -397,6 +397,7 @@
return;
if (!mrc_cache_needs_update(&latest_rdev, to_be_updated)) {
+ printk(BIOS_DEBUG, "MRC: '%s' does not need update.\n", cr->name);
log_event_cache_update(cr->elog_slot, ALREADY_UPTODATE);
return;
}
@@ -405,10 +406,13 @@
if (region_file_update_data(&cache_file,
cbmem_entry_start(to_be_updated),
- cbmem_entry_size(to_be_updated)) < 0)
+ cbmem_entry_size(to_be_updated)) < 0){
+ printk(BIOS_DEBUG, "MRC: failed to update '%s'.\n", cr->name);
log_event_cache_update(cr->elog_slot, UPDATE_FAILURE);
- else
+ } else {
+ printk(BIOS_DEBUG, "MRC: updated '%s'.\n", cr->name);
log_event_cache_update(cr->elog_slot, UPDATE_SUCCESS);
+ }
}
/* Read flash status register to determine if write protect is active */
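Review bot: The failure branch prints "MRC: failed to update '%s'" at BIOS_DEBUG, so a console configured below debug verbosity still drops the one message that signals a failed flash write, which is the loss the commit message sets out to fix. Consider BIOS_ERR for the failure case and keep BIOS_DEBUG for the success case. Style: `< 0){` needs a space before the opening brace.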
--
To view, visit https://review.coreboot.org/c/coreboot/+/41981
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I1ef4794151fea7213c8317ddc898b0e37da280b5
Gerrit-Change-Number: 41981
Gerrit-PatchSet: 1
Gerrit-Owner: Jonathan Zhang <jonzhang(a)fb.com>
Gerrit-MessageType: newchange
Hello Daniel Gröber,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/41747
to review the following change.
Change subject: lockdown: Add Kconfigs for SPI media protection mode
......................................................................
lockdown: Add Kconfigs for SPI media protection mode
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing; other vendors
such as Macronix only support permanent protection but conditional on
the WP# pin state.
Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber <dxld(a)darkboxed.org>
---
M src/drivers/spi/boot_device_rw_nommap.c
M src/security/lockdown/Kconfig
2 files changed, 37 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/41747/1
diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c
index ba11d05..1d68285 100644
--- a/src/drivers/spi/boot_device_rw_nommap.c
+++ b/src/drivers/spi/boot_device_rw_nommap.c
@@ -96,9 +96,16 @@
if (type == MEDIA_WP) {
if (spi_flash_is_write_protected(boot_dev,
region_device_region(rd)) != 1) {
+ enum spi_flash_status_reg_lockdown lock;
+ if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT))
+ lock = SPI_WRITE_PROTECTION_REBOOT;
+ else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN))
+ lock = SPI_WRITE_PROTECTION_PIN;
+ else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT))
+ lock = SPI_WRITE_PROTECTION_PERMANENT;
+
return spi_flash_set_write_protected(boot_dev,
- region_device_region(rd),
- SPI_WRITE_PROTECTION_REBOOT);
+ region_device_region(rd), lock);
}
/* Already write protected */
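Review bot: `lock` is declared without an initializer and the if / else if / else if chain has no final else, so when none of the three BOOTMEDIA_SPI_LOCK_* options is enabled it reaches spi_flash_set_write_protected() uninitialized. Make the last branch a plain `else`, or initialize `lock` to SPI_WRITE_PROTECTION_REBOOT, the value this call used before the change, so the old behaviour stays the fallback. The Kconfig choice depends on BOOTMEDIA_LOCK_CHIP and BOOT_DEVICE_SPI_FLASH; can this function be built with either of those unset? If so, that is exactly the case where no symbol is defined.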
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig
index 30b5237..97094ff 100644
--- a/src/security/lockdown/Kconfig
+++ b/src/security/lockdown/Kconfig
@@ -82,3 +82,31 @@
possible. This option prevents using write protecting facilities in
ramstage, like the MRC cache for example.
Use this option if you don't trust code running after verstage.
+
+choice
+ prompt "SPI Flash write protection duration"
+ default BOOTMEDIA_SPI_LOCK_REBOOT
+ depends on BOOTMEDIA_LOCK_CHIP
+ depends on BOOT_DEVICE_SPI_FLASH
+
+config BOOTMEDIA_SPI_LOCK_REBOOT
+ bool "Lock SPI flash until next reboot"
+ help
+ The SPI chip is locked until power is removed and re-applied.
+ Supported by Winbond parts.
+
+config BOOTMEDIA_SPI_LOCK_PIN
+ bool "Lock SPI flash using WP# pin"
+ help
+ The SPI chip is locked using a non-volatile configuration bit. Writes
+ are only possible if the WP# is not asserted. Supported by Winbond
+ and Macronix parts.
+
+config BOOTMEDIA_SPI_LOCK_PERMANENT
+ bool "Lock SPI flash permanently"
+ help
+ The SPI chip is permanently locked using a non-volatile configuration
+ bit. No writes are ever possible again after we perform the lock.
+ Supported by Winbond parts.
+
+endchoice
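Review bot: The choice defaults to BOOTMEDIA_SPI_LOCK_REBOOT, whose own help text lists only Winbond parts, so a board with another vendor's flash gets a default that the help does not describe as supported. Say in the help what happens when the part lacks the selected mode (is the lock skipped, or does the call fail?), or make the default depend on the flash driver in use. For BOOTMEDIA_SPI_LOCK_PERMANENT, the help should state outright that the setting cannot be reverted, since the option is one menu entry away from the default. The prompt says "duration", which does not fit the WP# pin option; "mode", as in the commit subject, covers all three.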
--
To view, visit https://review.coreboot.org/c/coreboot/+/41747
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Gerrit-Change-Number: 41747
Gerrit-PatchSet: 1
Gerrit-Owner: Daniel Gröber (dxld)
Gerrit-Reviewer: Daniel Gröber <dxld(a)darkboxed.org>
Gerrit-MessageType: newchange