Nicholas Chin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/79903?usp=email )
Change subject: util/dell-flash-unlock: Add utility to unlock internal flashing
......................................................................
Patch Set 1:
(2 comments)
File util/dell-flash-unlock/COPYING:
PS1:
Probably not needed?
File util/dell-flash-unlock/accessors.c:
https://review.coreboot.org/c/coreboot/+/79903/comment/fe51406e_88ac5af3 :
PS1, Line 22: uint32_t
: pci_read_32(uint32_t dev, uint8_t reg)
: {
: sys_outl(PCI_CFG_ADDR, dev | reg);
: return sys_inl(PCI_CFG_DATA);
: }
:
: void
: pci_write_32(uint32_t dev, uint8_t reg, uint32_t value)
: {
: sys_outl(PCI_CFG_ADDR, dev | reg);
: sys_outl(PCI_CFG_DATA, value);
: }
I originally did this to avoid any external dependencies, but this probably isn't a safe way of doing PCI access and libpci would probably be better. Flashrom requires libpci anyway.
--
To view, visit https://review.coreboot.org/c/coreboot/+/79903?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: If11643991ceaed46efb8eaa05065b16e9947d38c
Gerrit-Change-Number: 79903
Gerrit-PatchSet: 1
Gerrit-Owner: Nicholas Chin <nic.c3.14(a)gmail.com>
Gerrit-Comment-Date: Wed, 10 Jan 2024 21:25:59 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment
Attention is currently required from: Arthur Heymans, Martin L Roth, Matt DeVillier, Michał Żygowski, Piotr Król.
Felix Held has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/79852?usp=email )
Change subject: mb/pcengines/apu2/BiosCallOuts: don't have binaryPI clear LPC decodes
......................................................................
Patch Set 3:
(1 comment)
Patchset:
PS3:
> > setting HUDSON_LEGACY_FREE to n will also set the FADT bit that says that there's a 8042 keyboard […]
addressed that in CB:79893 and CB:79894
--
To view, visit https://review.coreboot.org/c/coreboot/+/79852?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I91ef4423bd7bf6c1d7a175336f0f89479f2cde02
Gerrit-Change-Number: 79852
Gerrit-PatchSet: 3
Gerrit-Owner: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-Reviewer: Krystian Hebel <krystian.hebel(a)3mdeb.com>
Gerrit-Reviewer: Martin L Roth <gaumless(a)gmail.com>
Gerrit-Reviewer: Matt DeVillier <matt.devillier(a)amd.corp-partner.google.com>
Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com>
Gerrit-Reviewer: Paul Menzel <paulepanter(a)mailbox.org>
Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-CC: Arthur Heymans <arthur(a)aheymans.xyz>
Gerrit-Attention: Michał Żygowski <michal.zygowski(a)3mdeb.com>
Gerrit-Attention: Martin L Roth <gaumless(a)gmail.com>
Gerrit-Attention: Matt DeVillier <matt.devillier(a)amd.corp-partner.google.com>
Gerrit-Attention: Arthur Heymans <arthur(a)aheymans.xyz>
Gerrit-Attention: Piotr Król <piotr.krol(a)3mdeb.com>
Gerrit-Comment-Date: Wed, 10 Jan 2024 21:23:28 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Arthur Heymans <arthur(a)aheymans.xyz>
Comment-In-Reply-To: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-MessageType: comment
Nicholas Chin has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/79903?usp=email )
Change subject: util/dell-flash-unlock: Add utility to unlock internal flashing
......................................................................
util/dell-flash-unlock: Add utility to unlock internal flashing
Dell's Latitude and Precision laptops from at least GM45 until Haswell
have a EC command which tells it to set the Flash Descriptor Override
strap on the next boot. On GM45 systems, SMM BIOS lock protection
remains in place, but this can be bypassed by exploiting a vulnerable
chipset configuration to disable SMIs. On newer systems, the vendor
firmware detects that the FDO was set by the EC and skips setting any
protections on the BIOS region. This utility performs this process as
appropriate to allow internal flashing of the entire flash chip while
still running the vendor firmware.
Change-Id: If11643991ceaed46efb8eaa05065b16e9947d38c
Signed-off-by: Nicholas Chin <nic.c3.14(a)gmail.com>
---
A util/dell-flash-unlock/COPYING
A util/dell-flash-unlock/Makefile
A util/dell-flash-unlock/README.md
A util/dell-flash-unlock/accessors.c
A util/dell-flash-unlock/accessors.h
A util/dell-flash-unlock/dell_flash_unlock.c
A util/dell-flash-unlock/description.md
7 files changed, 494 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/03/79903/1
diff --git a/util/dell-flash-unlock/COPYING b/util/dell-flash-unlock/COPYING
new file mode 100644
index 0000000..bf82341
--- /dev/null
+++ b/util/dell-flash-unlock/COPYING
@@ -0,0 +1,19 @@
+Copyright (c) 2023 Nicholas Chin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/util/dell-flash-unlock/Makefile b/util/dell-flash-unlock/Makefile
new file mode 100644
index 0000000..fae52de
--- /dev/null
+++ b/util/dell-flash-unlock/Makefile
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2023 Nicholas Chin
+
+CC=cc
+CFLAGS=-Wall -Wextra -Werror -O2 -pedantic
+ifeq ($(shell uname), OpenBSD)
+ CFLAGS += -l$(shell uname -p)
+endif
+SRCS=dell_flash_unlock.c accessors.c
+
+all: $(SRCS) accessors.h
+ $(CC) $(CFLAGS) $(SRCS) -o dell_flash_unlock
+
+clean:
+ rm -f dell_flash_unlock
diff --git a/util/dell-flash-unlock/README.md b/util/dell-flash-unlock/README.md
new file mode 100644
index 0000000..f7b6ae3
--- /dev/null
+++ b/util/dell-flash-unlock/README.md
@@ -0,0 +1,134 @@
+# Dell Laptop Internal Flashing
+
+This utility allows you to use flashrom's internal programmer to program the
+entire BIOS flash chip from software while still running the original Dell
+BIOS, which normally restricts software writes to the flash chip. It seems like
+this works on any Dell laptop that has an EC similar to the SMSC MEC5035 on the
+E6400, which mainly seem to be the Latitude and Precision lines starting from
+around 2008 (E6400 era).
+
+## TL;DR
+
+### Linux specific
+- On Linux, ensure you are booting with the `iomem=relaxed` kernel parameter.
+- If you get a "Function not implemented" error, ensure that your kernel has
+ "CONFIG_X86_IOPL_IOPERM" set to "y". Here are several common locations for
+ the config and how to check them:
+ - `zcat /proc/config.gz | grep IOPL`
+ - `grep IOPL /boot/config`
+ - `grep IOPL /boot/config-$(uname -r)`
+ If it says it is not set, then you will need to install or compile a kernel
+ with that option set.
+
+### OpenBSD
+- On OpenBSD, ensure you are booting with securelevel set to -1.
+
+### General
+Make sure an AC adapter is plugged into your system
+
+Run `make` to compile the utility, and then run `./dell_flash_unlock` with
+root/superuser permissions and follow the directions it outputs.
+
+## Confirmed supported devices
+- Latitude E6400, E6500
+- Latitude E6410, E4310
+- Latitude E6420, E6520
+- Latitude E6430, E6530, E5530
+- Latitude E7240
+- Precision M6800, M5800
+
+It is likely that any other Latitude/Precision laptops from the same era as
+devices specifically mentioned in the above list will work as Dell seems to use
+the same ECs in one generation.
+
+## Tested
+These systems have been tested, but were reported as not working with
+dell-flash-unlock. This could be due to user error, a bug in this utility, or
+the feature not being implemented in Dell's firmware. If you have such a system,
+please test the utility and report whether or not it actually works for you.
+
+- Latitude E6220
+- Latitude E6330
+
+## Detailed device specific behavior
+- On GM45 era laptops, the expected behavior is that you will run the utility
+ for the first time, which will tell the EC to set the descriptor override on
+ the next boot. Then you will need to shut down the system, after which the
+ system will automatically boot up. You should then re-run the utility to
+ disable SMM, after which you can run flashrom. Finally, you should run the
+ utility a third time to reenable SMM so that shutdown works properly
+ afterwards.
+- On 1st Generation Intel Core systems such as the E6410 and newer, run the
+ utility and shutdown in the same way as the E6400. However, it seems like the
+ EC no longer automatically boots the system. In this case you should manually
+ power it on. It also seems that the firmware does not set the BIOS Lock bit
+ when the descriptor override is set, making the 2nd run after the reboot
+ technically unnecessary. There is no harm in rerunning it though, as the
+ utility can detect when the flash is unlocked and perform the correct steps
+ as necessary.
+
+## How it works
+There are several ways the firmware can protect itself from being overwritten.
+One way is the Intel Flash Descriptor (IFD) permissions. On Intel systems, the
+flash image is divided into several regions such as the IFD itself, Gigabit
+Ethernet (GBE) non-volative memory, Management Engine (ME) firmware, Platform
+Data (PD), and the BIOS. The IFD contains a section which specifies the
+read/write permissions for each SPI controller (such as the host system) and
+each region of the flash, which are enforced by the chipset.
+
+On the Latitude E6400, the host has read-only access to the IFD, no access to
+the ME region, and read-write access to the PD, GBE, and BIOS regions. In order
+for flashrom to write to the entire flash internally, the host needs full
+permissions to all of these regions. Since the IFD is read only, we cannot
+change these permissions unless we directly access the chip using an external
+programmer, which defeats the purpose of internal flashing.
+
+However, Intel chipsets have a pin strap that allows the flash descriptor
+permissions to be overridden depending on the value of the pin at power on,
+granting RW permissions to all regions. On the ICH9M chipset on the E6400, this
+pin is HDA\_DOCK\_EN/GPIO33, which will enable the override if it is sampled
+low. This pin happens to be connected to a GPIO controlled by the Embedded
+Controller (EC), a small microcontroller on the board which handles things like
+the keyboard, touchpad, LEDs, and other system level tasks. Software can send a
+certain command to the EC, which tells it to pull GPIO33 low on the next boot.
+
+Although we now have full access according to the IFD permissions, we still
+cannot flash the whole chip, due to another protection the firmware uses.
+Before software can update the BIOS, it must change the BIOS Write Enable
+(BIOSWE) bit in the chipset from 0 to 1. However, if the BIOS Lock Enable (BLE)
+bit is also set to 1, then changing the BIOSWE bit triggers a System Management
+Interrupt (SMI). This causes the processor to enter System Management Mode
+(SMM), a highly privileged x86 execution state which operates transparently to
+the operating system. The code that SMM runs is provided by the BIOS, which
+checks the BIOSWE bit and sets it back to 0 before returning control to the OS.
+This feature is intended to only allow SMM code to update the system firmware.
+As the switch to SMM suspends the execution of the OS, it appears to the OS
+that the BIOSWE bit was never set to 1. Unfortunately, the BLE bit cannot be
+set back to 0 once it is set to 1, so this functionality cannot be disabled
+after it is first enabled by the BIOS.
+
+Older versions of the E6400 BIOS did not set the BLE bit, allowing flashrom to
+flash the entire flash chip internally after only setting the descriptor
+override. However, more recent versions do set it, so we may have hit a dead
+end unless we force downgrade to an older version (though there is a more
+convenient method, as we are about to see).
+
+What if there was a way to sidestep the BIOS Lock entirely? As it turns out,
+there is, and it's called the Global SMI Enable (GBL\_SMI\_EN) bit. If it's set
+to 1, then the chipset will generate SMIs, such as when we change BIOSWE with
+BLE set. If it's 0, then no SMI will be generated, even with the BLE bit set.
+On the E6400, GBL\_SMI\_EN is set to 1, and it can be changed back to 0, unlike
+the BLE bit. But there still might be one bit in the way, the SMI\_LOCK bit,
+which prevents modifications to GBL\_SMI\_EN when SMI\_LOCK is 1. Like the BLE
+bit, it cannot be changed back to 0 once it set to 1. But we are in luck, as
+the vendor E6400 BIOS leaves SMI\_LOCK unset at 0, allowing us to clear
+GBL\_SMI\_EN and disable SMIs, bypassing the BIOS Lock protections.
+
+There are other possible protection mechanisms that the firmware can utilize,
+such as Protected Range Register settings, which apply access permissions to
+address ranges of the flash, similar to the IFD. However, the E6400 vendor
+firmware does not utilize these, so they will not be discussed.
+
+## References
+- Open Security Training: Advanced x86: BIOS and SMM Internals - SMI Suppression
+ - https://opensecuritytraining.info/IntroBIOS_files/Day1_XX_Advanced%20x86%20…
diff --git a/util/dell-flash-unlock/accessors.c b/util/dell-flash-unlock/accessors.c
new file mode 100644
index 0000000..99b1530
--- /dev/null
+++ b/util/dell-flash-unlock/accessors.c
@@ -0,0 +1,91 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#if defined(__linux__)
+#include <sys/io.h>
+#endif
+
+#if defined(__OpenBSD__)
+#include <machine/sysarch.h>
+#include <sys/types.h>
+#if defined(__amd64__)
+#include <amd64/pio.h>
+#elif defined(__i386__)
+#include <i386/pio.h>
+#endif /* __i386__ */
+#endif /* __OpenBSD__ */
+
+#include <errno.h>
+
+#include "accessors.h"
+
+uint32_t
+pci_read_32(uint32_t dev, uint8_t reg)
+{
+ sys_outl(PCI_CFG_ADDR, dev | reg);
+ return sys_inl(PCI_CFG_DATA);
+}
+
+void
+pci_write_32(uint32_t dev, uint8_t reg, uint32_t value)
+{
+ sys_outl(PCI_CFG_ADDR, dev | reg);
+ sys_outl(PCI_CFG_DATA, value);
+}
+
+void
+sys_outb(unsigned int port, uint8_t data)
+{
+ #if defined(__linux__)
+ outb(data, port);
+ #endif
+ #if defined(__OpenBSD__)
+ outb(port, data);
+ #endif
+}
+
+void
+sys_outl(unsigned int port, uint32_t data)
+{
+ #if defined(__linux__)
+ outl(data, port);
+ #endif
+ #if defined(__OpenBSD__)
+ outl(port, data);
+ #endif
+}
+
+uint8_t
+sys_inb(unsigned int port)
+{
+ #if defined(__linux__) || defined(__OpenBSD__)
+ return inb(port);
+ #endif
+ return 0;
+}
+
+uint32_t
+sys_inl(unsigned int port)
+{
+ #if defined(__linux__) || defined(__OpenBSD__)
+ return inl(port);
+ #endif
+ return 0;
+}
+
+int
+sys_iopl(int level)
+{
+#if defined(__linux__)
+ return iopl(level);
+#endif
+#if defined(__OpenBSD__)
+#if defined(__i386__)
+ return i386_iopl(level);
+#elif defined(__amd64__)
+ return amd64_iopl(level);
+#endif /* __amd64__ */
+#endif /* __OpenBSD__ */
+ errno = ENOTSUP;
+ return -1;
+}
diff --git a/util/dell-flash-unlock/accessors.h b/util/dell-flash-unlock/accessors.h
new file mode 100644
index 0000000..a19f215
--- /dev/null
+++ b/util/dell-flash-unlock/accessors.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#include <stdint.h>
+
+#define PCI_CFG_ADDR 0xcf8
+#define PCI_CFG_DATA 0xcfc
+#define PCI_DEV(bus, dev, func) (1u << 31 | bus << 16 | dev << 11 | func << 8)
+
+uint32_t pci_read_32(uint32_t dev, uint8_t reg);
+void pci_write_32(uint32_t dev, uint8_t reg, uint32_t value);
+
+int sys_iopl(int level);
+void sys_outb(unsigned int port, uint8_t data);
+void sys_outl(unsigned int port, uint32_t data);
+uint8_t sys_inb(unsigned int port);
+uint32_t sys_inl(unsigned int port);
diff --git a/util/dell-flash-unlock/dell_flash_unlock.c b/util/dell-flash-unlock/dell_flash_unlock.c
new file mode 100644
index 0000000..ea554d3
--- /dev/null
+++ b/util/dell-flash-unlock/dell_flash_unlock.c
@@ -0,0 +1,217 @@
+/* SPDX-License-Identifier: MIT */
+/* SPDX-FileCopyrightText: 2023 Nicholas Chin */
+
+#include <sys/mman.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "accessors.h"
+
+int get_fdo_status(void);
+int check_lpc_decode(void);
+void ec_set_fdo(void);
+void write_ec_reg(uint8_t index, uint8_t data);
+void send_ec_cmd(uint8_t cmd);
+int wait_ec(void);
+int check_bios_write_en(void);
+int set_gbl_smi_en(int enable);
+int get_gbl_smi_en(void);
+
+#define EC_INDEX 0x910
+#define EC_DATA 0x911
+#define EC_ENABLE_FDO 2
+
+#define LPC_DEV PCI_DEV(0, 0x1f, 0)
+
+#define RCBA_MMIO_LEN 0x4000
+
+/* Register offsets */
+#define SPIBAR 0x3800
+#define HSFS_REG 0x04
+#define SMI_EN_REG 0x30
+
+volatile uint8_t *rcba_mmio;
+uint16_t pmbase;
+
+int
+main(int argc, char *argv[])
+{
+ int devmemfd;
+ (void)argc;
+ (void)argv;
+
+ if (sys_iopl(3) == -1)
+ err(errno, "Could not access IO ports");
+ if ((devmemfd = open("/dev/mem", O_RDONLY)) == -1)
+ err(errno, "/dev/mem");
+
+ /* Read RCBA and PMBASE from the LPC config registers */
+ long rcba = pci_read_32(LPC_DEV, 0xf0) & 0xffffc000;
+ pmbase = pci_read_32(LPC_DEV, 0x40) & 0xff80;
+
+ /* FDO pin-strap status bit is in RCBA mmio space */
+ rcba_mmio = mmap(0, RCBA_MMIO_LEN, PROT_READ, MAP_SHARED, devmemfd,
+ rcba);
+ if (rcba_mmio == MAP_FAILED)
+ err(errno, "Could not map RCBA");
+
+ if (get_fdo_status() == 1) { /* Descriptor not overridden */
+ if (check_lpc_decode() == -1)
+ err(errno = ECANCELED, "Can't forward I/O to LPC");
+
+ printf("Sending FDO override command to EC:\n");
+ ec_set_fdo();
+ printf("Flash Descriptor Override enabled.\n"
+ "Shut down (don't reboot) now.\n\n"
+ "The EC may auto-boot on some systems; if not then "
+ "manually power on.\n When the system boots rerun "
+ "this utility to finish unlocking.\n");
+ } else if (check_bios_write_en() == 0) {
+ /* SMI locks in place, try disabling SMIs to bypass them */
+ if (set_gbl_smi_en(0)) {
+ printf("SMIs disabled. Internal flashing should work "
+ "now.\n After flashing, re-run this utility "
+ "to enable SMIs.\n (shutdown is buggy when "
+ "SMIs are disabled)\n");
+ } else {
+ err(errno = ECANCELED, "Could not disable SMIs!");
+ }
+ } else { /* SMI locks not in place or bypassed */
+ if (get_gbl_smi_en()) {
+ /* SMIs are still enabled, assume this is an Exx10
+ * or newer which don't need the SMM bypass */
+ printf("Flash is unlocked.\n"
+ "Internal flashing should work.\n");
+ } else {
+ /* SMIs disabled, assume this is an Exx00 after
+ * unlocking and flashing */
+ set_gbl_smi_en(1);
+ printf("SMIs enabled.\n"
+ "You can now shutdown the system.\n");
+ }
+ }
+ return errno;
+}
+
+int
+get_fdo_status(void)
+{
+ return (*(uint16_t *)(rcba_mmio + SPIBAR + HSFS_REG) >> 13) & 1;
+}
+
+int
+check_lpc_decode(void)
+{
+ /* Check that at a Generic Decode Range Register is set up to
+ * forward I/O ports 0x910 and 0x911 over LPC for the EC */
+ int i = 0;
+ int gen_dec_free = -1;
+ for (; i < 4; i++) {
+ uint32_t reg_val = pci_read_32(LPC_DEV, 0x84 + 4*i);
+ uint16_t base_addr = reg_val & 0xfffc;
+ uint16_t mask = ((reg_val >> 16) & 0xfffc) | 0x3;
+
+ /* Bit 0 is the enable for each decode range. If disabled, note
+ * this register as available to add our own range decode */
+ if ((reg_val & 1) == 0)
+ gen_dec_free = i;
+
+ /* Check if the current range register matches port 0x910.
+ * 0x911 doesn't need to be checked as the LPC bridge only
+ * decodes at the dword level, and thus a check is redundant */
+ if ((0x910 & ~mask) == base_addr) {
+ return 0;
+ }
+ }
+
+ /* No matching range found, try setting a range in a free register */
+ if (gen_dec_free != -1) {
+ /* Set up an I/O decode range from 0x910-0x913 */
+ pci_write_32(LPC_DEV, 0x84 + 4 * gen_dec_free, 0x911);
+ return 0;
+ } else {
+ return -1;
+ }
+}
+
+void
+ec_set_fdo()
+{
+ /* EC FDO command arguments for reference:
+ * 0 = Query EC FDO status
+ * 2 = Enable FDO for next boot
+ * 3 = Disable FDO for next boot */
+ write_ec_reg(0x12, EC_ENABLE_FDO);
+ send_ec_cmd(0xb8);
+}
+
+void
+write_ec_reg(uint8_t index, uint8_t data)
+{
+ sys_outb(EC_INDEX, index);
+ sys_outb(EC_DATA, data);
+}
+
+void
+send_ec_cmd(uint8_t cmd)
+{
+ sys_outb(EC_INDEX, 0);
+ sys_outb(EC_DATA, cmd);
+ if (wait_ec() == -1)
+ err(errno = ECANCELED, "Timeout while waiting for EC!");
+}
+
+int
+wait_ec(void)
+{
+ uint8_t busy;
+ int timeout = 1000;
+ do {
+ sys_outb(EC_INDEX, 0);
+ busy = sys_inb(EC_DATA);
+ timeout--;
+ usleep(1000);
+ } while (busy && timeout > 0);
+ return timeout > 0 ? 0 : -1;
+}
+
+int
+check_bios_write_en(void)
+{
+ uint8_t bios_cntl = pci_read_32(LPC_DEV, 0xdc) & 0xff;
+ /* Bit 5 = SMM BIOS Write Protect Disable (SMM_BWP)
+ * Bit 1 = BIOS Lock Enable (BLE)
+ * If both are 0, then there's no write protection */
+ if ((bios_cntl & 0x22) == 0)
+ return 1;
+
+ /* SMM protection is enabled, but try enabling writes
+ * anyway in case the vendor SMM code doesn't reset it */
+ pci_write_32(LPC_DEV, 0xdc, bios_cntl | 0x1);
+ return pci_read_32(LPC_DEV, 0xdc) & 0x1;
+}
+
+int
+set_gbl_smi_en(int enable)
+{
+ uint32_t smi_en = sys_inl(pmbase + SMI_EN_REG);
+ if (enable) {
+ smi_en |= 1;
+ } else {
+ smi_en &= ~1;
+ }
+ sys_outl(pmbase + SMI_EN_REG, smi_en);
+ return (get_gbl_smi_en() == enable);
+}
+
+int
+get_gbl_smi_en(void)
+{
+ return sys_inl(pmbase + SMI_EN_REG) & 1;
+}
diff --git a/util/dell-flash-unlock/description.md b/util/dell-flash-unlock/description.md
new file mode 100644
index 0000000..a0681ad
--- /dev/null
+++ b/util/dell-flash-unlock/description.md
@@ -0,0 +1 @@
+Unlock Dell Latitude/Precision for internal flashing `C`
--
To view, visit https://review.coreboot.org/c/coreboot/+/79903?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: If11643991ceaed46efb8eaa05065b16e9947d38c
Gerrit-Change-Number: 79903
Gerrit-PatchSet: 1
Gerrit-Owner: Nicholas Chin <nic.c3.14(a)gmail.com>
Gerrit-MessageType: newchange
Attention is currently required from: Michał Żygowski, Piotr Król.
Felix Held has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/79894?usp=email )
Change subject: mb/pcengines/apu2/Kconfig: select HUDSON_FADT_LEGACY_DEVICES
......................................................................
mb/pcengines/apu2/Kconfig: select HUDSON_FADT_LEGACY_DEVICES
The APU boards have an NCT5104D chip on the LPC bus that implements some
serial ports that have the legacy IO port interface to the host and
doesn't describe this in the ACPI tables, so select
HUDSON_FADT_LEGACY_DEVICES to have the corresponding FADT bit set. Since
this chip doesn't provide an 8042-compatible keyboard controller, don't
select HUDSON_FADT_8042.
TEST=Surprisingly, this doesn't seem to make a difference to the Linux
kernel; is creates all ttyS[0..3] devices with and without this patch.
Signed-off-by: Felix Held <felix-coreboot(a)felixheld.de>
Change-Id: I8872b8c3d6e0610630ba17a0fccdcf8cebb1d3c0
---
M src/mainboard/pcengines/apu2/Kconfig
1 file changed, 1 insertion(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/94/79894/1
diff --git a/src/mainboard/pcengines/apu2/Kconfig b/src/mainboard/pcengines/apu2/Kconfig
index 028d3b6..381bfcb 100644
--- a/src/mainboard/pcengines/apu2/Kconfig
+++ b/src/mainboard/pcengines/apu2/Kconfig
@@ -12,6 +12,7 @@
select SUPERIO_NUVOTON_NCT5104D
select HAVE_PIRQ_TABLE
select HAVE_ACPI_TABLES
+ select HUDSON_FADT_LEGACY_DEVICES
select BOARD_ROMSIZE_KB_8192
select HAVE_SPD_IN_CBFS
select MEMORY_MAPPED_TPM
--
To view, visit https://review.coreboot.org/c/coreboot/+/79894?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I8872b8c3d6e0610630ba17a0fccdcf8cebb1d3c0
Gerrit-Change-Number: 79894
Gerrit-PatchSet: 1
Gerrit-Owner: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-Reviewer: Michał Żygowski <michal.zygowski(a)3mdeb.com>
Gerrit-Reviewer: Piotr Król <piotr.krol(a)3mdeb.com>
Gerrit-Attention: Michał Żygowski <michal.zygowski(a)3mdeb.com>
Gerrit-Attention: Piotr Król <piotr.krol(a)3mdeb.com>
Gerrit-MessageType: newchange
Felix Held has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/79893?usp=email )
Change subject: sb/amd/pi/hudson/Kconfig: replace HUDSON_LEGACY_FREE option
......................................................................
sb/amd/pi/hudson/Kconfig: replace HUDSON_LEGACY_FREE option
HUDSON_LEGACY_FREE controlled both if the legacy devices and the 8042
flags are set in the IA-PC boot architecture filed of the FADT. Since
some systems have legacy devices on the LPC bus, but no 8042-compatible
keyboard controller, replace this option with the two new options
HUDSON_FADT_LEGACY_DEVICES and HUDSON_FADT_8042.
TEST=The FACP table doesn't change on APU2
Signed-off-by: Felix Held <felix-coreboot(a)felixheld.de>
Change-Id: Id4ff85630c90fb2ae8c8826bbc9049a08668210d
---
M src/mainboard/pcengines/apu2/Kconfig
M src/southbridge/amd/pi/hudson/Kconfig
M src/southbridge/amd/pi/hudson/fadt.c
3 files changed, 16 insertions(+), 15 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/93/79893/1
diff --git a/src/mainboard/pcengines/apu2/Kconfig b/src/mainboard/pcengines/apu2/Kconfig
index dd6536c..028d3b6 100644
--- a/src/mainboard/pcengines/apu2/Kconfig
+++ b/src/mainboard/pcengines/apu2/Kconfig
@@ -51,10 +51,6 @@
bool
default y
-config HUDSON_LEGACY_FREE
- bool
- default y
-
config AGESA_BINARY_PI_FILE
string
default "3rdparty/blobs/mainboard/pcengines/apu2/AGESA.bin"
diff --git a/src/southbridge/amd/pi/hudson/Kconfig b/src/southbridge/amd/pi/hudson/Kconfig
index 0b90b9a..6205149 100644
--- a/src/southbridge/amd/pi/hudson/Kconfig
+++ b/src/southbridge/amd/pi/hudson/Kconfig
@@ -128,11 +128,16 @@
comment "IDE to AHCI7804"
depends on HUDSON_SATA_MODE = 6
-config HUDSON_LEGACY_FREE
- bool "System is legacy free"
+config HUDSON_FADT_LEGACY_DEVICES
+ bool
help
- Select y if there is no keyboard controller in the system.
- This sets variables in AGESA and ACPI.
+ Select if there are legacy devices on the LPC bus.
+
+config HUDSON_FADT_8042
+ bool
+ help
+ Select if there is an 8042-compatible keyboard controller in the
+ system.
config AMDFW_OUTSIDE_CBFS
def_bool n
diff --git a/src/southbridge/amd/pi/hudson/fadt.c b/src/southbridge/amd/pi/hudson/fadt.c
index 34d67b4..f76a054 100644
--- a/src/southbridge/amd/pi/hudson/fadt.c
+++ b/src/southbridge/amd/pi/hudson/fadt.c
@@ -11,12 +11,6 @@
#include "hudson.h"
#include "smi.h"
-#if CONFIG(HUDSON_LEGACY_FREE)
- #define FADT_BOOT_ARCH ACPI_FADT_LEGACY_FREE
-#else
- #define FADT_BOOT_ARCH (ACPI_FADT_LEGACY_DEVICES | ACPI_FADT_8042)
-#endif
-
/*
* Reference section 5.2.9 Fixed ACPI Description Table (FADT)
* in the ACPI 3.0b specification.
@@ -40,7 +34,13 @@
fadt->duty_offset = 1; /* CLK_VAL bits 3:1 */
fadt->duty_width = 3; /* CLK_VAL bits 3:1 */
- fadt->iapc_boot_arch = FADT_BOOT_ARCH; /* See table 5-10 */
+
+ fadt->iapc_boot_arch = ACPI_FADT_LEGACY_FREE; /* See table 5-10 */
+ if (CONFIG(HUDSON_FADT_LEGACY_DEVICES))
+ fadt->iapc_boot_arch |= ACPI_FADT_LEGACY_DEVICES;
+ if (CONFIG(HUDSON_FADT_8042))
+ fadt->iapc_boot_arch |= ACPI_FADT_8042;
+
fadt->res2 = 0; /* reserved, MUST be 0 ACPI 3.0 */
fadt->flags |= ACPI_FADT_WBINVD | /* See table 5-10 ACPI 3.0a spec */
ACPI_FADT_C1_SUPPORTED |
--
To view, visit https://review.coreboot.org/c/coreboot/+/79893?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: Id4ff85630c90fb2ae8c8826bbc9049a08668210d
Gerrit-Change-Number: 79893
Gerrit-PatchSet: 1
Gerrit-Owner: Felix Held <felix-coreboot(a)felixheld.de>
Gerrit-MessageType: newchange
Attention is currently required from: Shelley Chen.
Nick Vaccaro has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/79892?usp=email )
Change subject: mb/google/brox: Enable Elan trackpad
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit https://review.coreboot.org/c/coreboot/+/79892?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: If6da1c722e87a50c6d422b300f16a52d884fa08f
Gerrit-Change-Number: 79892
Gerrit-PatchSet: 2
Gerrit-Owner: Shelley Chen <shchen(a)google.com>
Gerrit-Reviewer: Nick Vaccaro <nvaccaro(a)google.com>
Gerrit-Attention: Shelley Chen <shchen(a)google.com>
Gerrit-Comment-Date: Wed, 10 Jan 2024 21:18:08 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Shelley Chen has uploaded a new patch set (#2). ( https://review.coreboot.org/c/coreboot/+/79892?usp=email )
Change subject: mb/google/brox: Enable Elan trackpad
......................................................................
mb/google/brox: Enable Elan trackpad
BUG=b:311450057,b:300690448
BRANCH=None
TEST=to be tested on a device with i2cdetect
Change-Id: If6da1c722e87a50c6d422b300f16a52d884fa08f
Signed-off-by: Shelley Chen <shchen(a)google.com>
---
M src/mainboard/google/brox/variants/baseboard/brox/devicetree.cb
1 file changed, 10 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/92/79892/2
--
To view, visit https://review.coreboot.org/c/coreboot/+/79892?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: If6da1c722e87a50c6d422b300f16a52d884fa08f
Gerrit-Change-Number: 79892
Gerrit-PatchSet: 2
Gerrit-Owner: Shelley Chen <shchen(a)google.com>
Gerrit-MessageType: newpatchset
Attention is currently required from: Matt DeVillier.
Hello Matt DeVillier, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/79874?usp=email
to look at the new patch set (#5).
Change subject: soc/intel/common/tcss: Rename tcss_mux_init
......................................................................
soc/intel/common/tcss: Rename tcss_mux_init
Rename tcss_mux_init to disconnect_tcss_devices to make it clear
what this function is doing, as it doesn't initialise anything.
Signed-off-by: Sean Rhodes <sean(a)starlabs.systems>
Change-Id: I5e43f0cca9d49bc30fc189663490a306efd71584
---
M src/soc/intel/common/block/tcss/tcss.c
1 file changed, 2 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/74/79874/5
--
To view, visit https://review.coreboot.org/c/coreboot/+/79874?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I5e43f0cca9d49bc30fc189663490a306efd71584
Gerrit-Change-Number: 79874
Gerrit-PatchSet: 5
Gerrit-Owner: Sean Rhodes <sean(a)starlabs.systems>
Gerrit-Reviewer: Matt DeVillier <matt.devillier(a)gmail.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-Attention: Matt DeVillier <matt.devillier(a)gmail.com>
Gerrit-MessageType: newpatchset
Sean Rhodes has abandoned this change. ( https://review.coreboot.org/c/coreboot/+/79876?usp=email )
Change subject: soc/intel/common/tcss: Guard disconnect_tcss_display for ChromeOS
......................................................................
Abandoned
Superseded
--
To view, visit https://review.coreboot.org/c/coreboot/+/79876?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I4685344224f321211944505b666d0d643affef2e
Gerrit-Change-Number: 79876
Gerrit-PatchSet: 3
Gerrit-Owner: Sean Rhodes <sean(a)starlabs.systems>
Gerrit-Reviewer: build bot (Jenkins) <no-reply(a)coreboot.org>
Gerrit-MessageType: abandon