Julien Viard de Galbert has uploaded this change for review. ( https://review.coreboot.org/25441
Change subject: soc/intel/denverton_ns: Lock SPIBAR ......................................................................
soc/intel/denverton_ns: Lock SPIBAR
Allow flash access when "Security Override" is set. Don't lock when relax_security is set.
Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9 Signed-off-by: Julien Viard de Galbert jviarddegalbert@online.net --- M src/soc/intel/common/block/fast_spi/fast_spi_def.h M src/soc/intel/denverton_ns/lpc.c 2 files changed, 58 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/41/25441/1
diff --git a/src/soc/intel/common/block/fast_spi/fast_spi_def.h b/src/soc/intel/common/block/fast_spi/fast_spi_def.h index a389e34..324006d 100644 --- a/src/soc/intel/common/block/fast_spi/fast_spi_def.h +++ b/src/soc/intel/common/block/fast_spi/fast_spi_def.h @@ -37,7 +37,7 @@ #define SPIBAR_DLOCK 0x0c #define SPIBAR_FDATA(n) (0x10 + ((n) & 0xf) * 4) #define SPIBAR_FPR_BASE 0x84 -#define SPIBAR_FPR(n) 0x84 + (4 * n)) +#define SPIBAR_FPR(n) (0x84 + (4 * n)) #define SPIBAR_PREOP 0xA4 #define SPIBAR_OPTYPE 0xA6 #define SPIBAR_OPMENU_LOWER 0xA8 @@ -71,6 +71,7 @@ #define SPIBAR_HSFSTS_FLOCKDN (1 << 15) #define SPIBAR_HSFSTS_FDV (1 << 14) #define SPIBAR_HSFSTS_FDOPSS (1 << 13) +#define SPIBAR_HSFSTS_PRR34_LOCKDN (1 << 12) #define SPIBAR_HSFSTS_WRSDIS (1 << 11) #define SPIBAR_HSFSTS_SAF_CE (1 << 8) #define SPIBAR_HSFSTS_SAF_ACTIVE (1 << 7) diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c index 1ac0961..8f2542a 100644 --- a/src/soc/intel/denverton_ns/lpc.c +++ b/src/soc/intel/denverton_ns/lpc.c @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright (C) 2014 - 2017 Intel Corporation. + * Copyright (C) 2018 Online SAS * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -25,6 +26,7 @@ #include <cpu/x86/smm.h> #include <bootstate.h>
+#include <fsp/api.h> #include <soc/lpc.h> #include <soc/pci_devs.h> #include <soc/ramstage.h> @@ -32,6 +34,10 @@ #include <soc/pcr.h> #include <soc/p2sb.h> #include <soc/acpi.h> +#include <fast_spi_def.h> +#include <intelblocks/fast_spi.h> +#include <spi_flash.h> +#include <spi-generic.h>
#include "chip.h"
@@ -326,8 +332,58 @@ .device = LPC_DEVID, };
+static void spi_lock_bar(bool relax_security) +{ + void *spibar = fast_spi_get_bar(); + uint32_t reg32, hsfs; + /* Check SPIBAR */ + hsfs = read32(spibar + SPIBAR_HSFSTS_CTL); + if (!(hsfs & SPIBAR_HSFSTS_FDOPSS)) { + /* When the flash security override strap is set, allow flashrom + to update the flash, this is done by clearing the protection + and locking the configuration to ensure FSP notify will not + change it again */ + int i; + struct device *dev; + printk(BIOS_CRIT, "FLASH SECURITY OVERRIDE SET:" + "DISABLE FLASH PROTECTIONS!\n"); + + /* disable protections FPR0-4 + GPR0 */ + for (i = 0; i < 6; i++) + write32(spibar + SPIBAR_FPR(i), 0); + + /* Disable WPD and EISS */ + dev = dev_find_slot(0, PCI_DEVFN(SPI_DEV, SPI_FUNC)); + if (dev != NULL) { + reg32 = pci_read_config32(dev, SPIBAR_BIOS_CONTROL); + reg32 &= ~(SPIBAR_BIOS_CONTROL_EISS | + SPIBAR_BIOS_CONTROL_WPD); + /* lock to ensure FSP cannot change it */ + if (!relax_security) + reg32 |= SPIBAR_BIOS_CONTROL_LOCK_ENABLE | + SPIBAR_BIOS_CONTROL_BILD; + pci_write_config32(dev, SPIBAR_BIOS_CONTROL, reg32); + } + } + + if (!relax_security) { + /* Lock SPIBAR */ + hsfs |= SPIBAR_HSFSTS_FLOCKDN | SPIBAR_HSFSTS_PRR34_LOCKDN; + reg32 = read32(spibar + SPIBAR_DLOCK); + reg32 |= 0x11f0f; + write32(spibar + SPIBAR_DLOCK, reg32); + + write32(spibar + SPIBAR_HSFSTS_CTL, hsfs); + } + +} + static void finalize_chipset(void *unused) { + bool relax_security = fsp_relax_security(); + + spi_lock_bar(relax_security); + printk(BIOS_DEBUG, "Finalizing SMM.\n"); outb(APM_CNT_FINALIZE, APM_CNT); }