[coreboot-gerrit] Change in coreboot[master]: Documentation: Mark up register names as code

9 Feb 2020

Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/38721 )
Change subject: Documentation: Mark up register names as code
......................................................................
Documentation: Mark up register names as code
Change-Id: I708385bca8edcd74b0d4c0a3ecc181b6ccd30c2b
Signed-off-by: Paul Menzel pmenzel@molgen.mpg.de
Reviewed-on: https://review.coreboot.org/c/coreboot/+/38721
Reviewed-by: Peter Lemenkov lemenkov@gmail.com
Tested-by: build bot (Jenkins) no-reply@coreboot.org
---
M Documentation/mainboard/lenovo/ivb_internal_flashing.md
1 file changed, 15 insertions(+), 15 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Peter Lemenkov: Looks good to me, approved

diff --git a/Documentation/mainboard/lenovo/ivb_internal_flashing.md b/Documentation/mainboard/lenovo/ivb_internal_flashing.md
index 355cf98..e6b597b 100644
--- a/Documentation/mainboard/lenovo/ivb_internal_flashing.md
+++ b/Documentation/mainboard/lenovo/ivb_internal_flashing.md
@@ -5,9 +5,9 @@
 Old versions of stock BIOS for these models have several security issues.
 In order to flash coreboot internally, two of them are of interest.
-**First** is the fact the SMM_BWP and BLE are not enabled in BIOS
+**First** is the fact the `SMM_BWP` and `BLE` are not enabled in BIOS
 versions released before 2014. We have tested many versions on T430 and
-X230 and found out that SMM_BWP=1 only since the update, the changelog
+X230 and found out that `SMM_BWP=1` only since the update, the changelog
 of which contains following line:
...
(New) Improved the UEFI BIOS security feature.
@@ -159,14 +159,14 @@
   Configuration Registers. When set to 1, PR0-PR4 registers cannot be
   written. Once set to 1, cannot be changed anymore.
-To be able to flash, we need SMM_BWP=0, BIOSWE=1, BLE=0, FLOCKDN=0 or
+To be able to flash, we need `SMM_BWP=0`, `BIOSWE=1`, `BLE=0`, `FLOCKDN=0` or
 SPI protected ranges (PRx) to have a WP bit set to 0.
-Let's see what we have. Examine HSFS register:
+Let's see what we have. Examine `HSFS` register:
sudo chipsec_main -m chipsec.modules.common.spi_lock
-You should see that FLOCKDN=1:
+You should see that `FLOCKDN=1`:
[x][ =======================================================================
     [x][ Module: SPI Flash Controller Configuration Locks
@@ -181,11 +181,11 @@
         [14] FDV              = 1 << Flash Descriptor Valid
         [15] FLOCKDN          = 1 << Flash Configuration Lock-Down
-Then check BIOS_CNTL and PR0-PR4:
+Then check `BIOS_CNTL` and PR0-PR4:
sudo chipsec_main -m common.bios_wp
-Good news: on old BIOS versions, SMM_BWP=0 and BLE=0.
+Good news: on old BIOS versions, `SMM_BWP=0` and `BLE=0`.
Bad news: there are 4 write protected SPI ranges:
@@ -215,8 +215,8 @@
sudo chipsec_util mmio dump SPIBAR
-You will see SPIBAR address (0xFED1F800) and registers (for example,
-00000004 is HSFS):
+You will see `SPIBAR` address (0xFED1F800) and registers (for example,
+`00000004` is `HSFS`):
[mmio] MMIO register range [0x00000000FED1F800:0x00000000FED1F800+00000200]:
     +00000000: 0BFF0500
@@ -224,11 +224,11 @@
     ...
As you can see, the only thing we need is to unset WP bit on PR0-PR4.
-But that cannot be done once FLOCKDN is set to 1.
+But that cannot be done once `FLOCKDN` is set to 1.
Now the fun part!
-FLOCKDN may only be cleared by a hardware reset, which includes S3
+`FLOCKDN` may only be cleared by a hardware reset, which includes S3
 state. On S3 resume boot path, the chipset configuration has to be
 restored and it's done by executing so-called S3 Boot Scripts. You can
 dump these scripts by executing:
@@ -236,7 +236,7 @@
     sudo chipsec_util uefi s3bootscript
There are many entries. Along them, you can find instructions to write
-to HSFS (remember, we know that SPIBAR is 0xFED1F800):
+to `HSFS` (remember, we know that `SPIBAR` is 0xFED1F800):
Entry at offset 0x2B8F (len = 0x17, header len = 0x0):
      Data:
@@ -251,7 +251,7 @@
These scripts are stored in memory. The vulnerability is that we can
 overwrite this memory, change these instructions and they will be
-executed on S3 resume. Once we patch that instruction to not set FLOCKDN
+executed on S3 resume. Once we patch that instruction to not set `FLOCKDN`
 bit, we will be able to write to PR0-PR4 registers.
## Creating a backup
@@ -274,7 +274,7 @@
## Removing protections (practice)
-The original boot script writes 0xE009 to HSFS. FLOCKDN is 15th bit, so
+The original boot script writes 0xE009 to `HSFS`. `FLOCKDN` is 15th bit, so
 let's write 0x6009 instead:
sudo chipsec_main -m tools.uefi.s3script_modify -a replace_op,mmio_wr,0xFED1F804,0x6009,0x2
@@ -297,7 +297,7 @@
      [*] After sleep/resume, check the value of register 0xFED1F804 is 0x6009
      [+] PASSED: The script has been modified. Go to sleep..
-Now go to S3, then resume and check FLOCKDN. It should be 0:
+Now go to S3, then resume and check `FLOCKDN`. It should be 0:
sudo chipsec_main -m chipsec.modules.common.spi_lock
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/38721
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I708385bca8edcd74b0d4c0a3ecc181b6ccd30c2b
Gerrit-Change-Number: 38721
Gerrit-PatchSet: 3
Gerrit-Owner: Paul Menzel paulepanter@users.sourceforge.net
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-Reviewer: Peter Lemenkov lemenkov@gmail.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-MessageType: merged



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: Documentation: Mark up register names as code