Tristan Corrick has uploaded this change for review.

sb/intel/lynxpoint: Allow the flash chip to be write-protected

This patch is based on the bd82x6x code. Lynx Point uses the same
register locations and layout for flash protection.

Tested on an ASRock H81M-HDS. When write-protection is configured,
flashrom reports all flash regions as read-only, and does not manage
to alter the contents of the flash chip.

Change-Id: I781082b1ed507b00815d1e85aec3e56ae5a4bef2
Signed-off-by: Tristan Corrick <tristan@corrick.kiwi>
---
M src/southbridge/intel/lynxpoint/Kconfig
M src/southbridge/intel/lynxpoint/finalize.c
2 files changed, 21 insertions(+), 0 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/29977/1
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 5b06c4b..0690972 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -59,6 +59,20 @@
If you set this option to y, the serial IRQ machine will be
operated in continuous mode.

+config SPI_FLASH_WRITE_PROTECT
+ bool "Write-protect the SPI flash during chipset lockdown"
+ help
+ Select this if you want the entire firmware flash chip to be
+ write-protected during chipset lockdown. This can provide a
+ security benefit, as malware will not be able to write to the
+ flash chip. However, it is important to note that ALL writes
+ and erases are blocked, so you will not be able to update
+ coreboot using flashrom's internal programmer.
+
+ If you have configured coreboot not to run the chipset lockdown
+ (see `INTEL_CHIPSET_LOCKDOWN`), then the payload must initiate
+ the lockdown in order for this setting to take effect.
+
config ME_MBP_CLEAR_LATE
bool "Defer wait for ME MBP Cleared"
default y
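Review bot: the help text should state the scope of the protection so users do not over-read it: the protected ranges block writes and erases issued through the chipset's own SPI controller only, so the chip can still be reprogrammed with an external programmer, and the protection is re-applied on every boot by the lockdown code rather than being persistent in the chip. Suggest a sentence to that effect right after "coreboot using flashrom's internal programmer."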
diff --git a/src/southbridge/intel/lynxpoint/finalize.c b/src/southbridge/intel/lynxpoint/finalize.c
index 590a245..3971874 100644
--- a/src/southbridge/intel/lynxpoint/finalize.c
+++ b/src/southbridge/intel/lynxpoint/finalize.c
@@ -32,6 +32,13 @@
RCBA32(0x3898) = SPI_OPMENU_LOWER;
RCBA32(0x389c) = SPI_OPMENU_UPPER;

+ if (IS_ENABLED(CONFIG_SPI_FLASH_WRITE_PROTECT)) {
+ int i;
+ for (i = 0; i <= 4; i++)
+ SPIBAR32(0x74 + i * 4) =
+ SPIBAR32(0x54 + i * 4) | (1UL << 31);
+ }
+
/* Lock SPIBAR */
RCBA32_OR(0x3804, (1 << 15));

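Review bot: the new block needs a comment and named offsets: nothing in the hunk says that `0x54 + i * 4` are the FREG0..FREG4 flash region registers, that `0x74 + i * 4` are the PR0..PR4 protected range registers, or that bit 31 is the Write Protection Enable bit, so a reader cannot tell why `i <= 4` is the right loop bound. Suggest a comment such as `/* Copy FREG0..FREG4 into PR0..PR4 and set WPE (bit 31) */` and `#define`s for the two register bases. Note also that this protects each descriptor-defined region rather than the chip as a whole, so any address range the descriptor leaves outside every region stays writable; if whole-chip protection is the goal, a single PR spanning the entire chip is simpler and matches the Kconfig wording "entire firmware flash chip". Placing these writes before the FLOCKDN set (`RCBA32_OR(0x3804, (1 << 15))`) is the correct order, since the PR registers become read-only once that bit is set.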

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I781082b1ed507b00815d1e85aec3e56ae5a4bef2
Gerrit-Change-Number: 29977
Gerrit-PatchSet: 1
Gerrit-Owner: Tristan Corrick <tristan@corrick.kiwi>
Gerrit-MessageType: newchange