Julien Viard de Galbert has uploaded this change for review.
soc/intel/denverton_ns: Lock SPIBAR
Allow flash access when "Security Override" is set.
Don't lock when relax_security is set.
Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9
Signed-off-by: Julien Viard de Galbert <jviarddegalbert@online.net>
---
M src/soc/intel/common/block/fast_spi/fast_spi_def.h
M src/soc/intel/denverton_ns/lpc.c
2 files changed, 58 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/41/25441/1
diff --git a/src/soc/intel/common/block/fast_spi/fast_spi_def.h b/src/soc/intel/common/block/fast_spi/fast_spi_def.h
index a389e34..324006d 100644
--- a/src/soc/intel/common/block/fast_spi/fast_spi_def.h
+++ b/src/soc/intel/common/block/fast_spi/fast_spi_def.h
@@ -37,7 +37,7 @@
#define SPIBAR_DLOCK 0x0c
#define SPIBAR_FDATA(n) (0x10 + ((n) & 0xf) * 4)
#define SPIBAR_FPR_BASE 0x84
-#define SPIBAR_FPR(n) 0x84 + (4 * n))
+#define SPIBAR_FPR(n) (0x84 + (4 * n))
#define SPIBAR_PREOP 0xA4
#define SPIBAR_OPTYPE 0xA6
#define SPIBAR_OPMENU_LOWER 0xA8
@@ -71,6 +71,7 @@
#define SPIBAR_HSFSTS_FLOCKDN (1 << 15)
#define SPIBAR_HSFSTS_FDV (1 << 14)
#define SPIBAR_HSFSTS_FDOPSS (1 << 13)
+#define SPIBAR_HSFSTS_PRR34_LOCKDN (1 << 12)
#define SPIBAR_HSFSTS_WRSDIS (1 << 11)
#define SPIBAR_HSFSTS_SAF_CE (1 << 8)
#define SPIBAR_HSFSTS_SAF_ACTIVE (1 << 7)
diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c
index 1ac0961..8f2542a 100644
--- a/src/soc/intel/denverton_ns/lpc.c
+++ b/src/soc/intel/denverton_ns/lpc.c
@@ -2,6 +2,7 @@
* This file is part of the coreboot project.
*
* Copyright (C) 2014 - 2017 Intel Corporation.
+ * Copyright (C) 2018 Online SAS
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -25,6 +26,7 @@
#include <cpu/x86/smm.h>
#include <bootstate.h>
+#include <fsp/api.h>
#include <soc/lpc.h>
#include <soc/pci_devs.h>
#include <soc/ramstage.h>
@@ -32,6 +34,10 @@
#include <soc/pcr.h>
#include <soc/p2sb.h>
#include <soc/acpi.h>
+#include <fast_spi_def.h>
+#include <intelblocks/fast_spi.h>
+#include <spi_flash.h>
+#include <spi-generic.h>
#include "chip.h"
@@ -326,8 +332,58 @@
.device = LPC_DEVID,
};
+static void spi_lock_bar(bool relax_security)
+{
+ void *spibar = fast_spi_get_bar();
+ uint32_t reg32, hsfs;
+ /* Check SPIBAR */
+ hsfs = read32(spibar + SPIBAR_HSFSTS_CTL);
+ if (!(hsfs & SPIBAR_HSFSTS_FDOPSS)) {
+ /* When the flash security override strap is set, allow flashrom
+ to update the flash, this is done by clearing the protection
+ and locking the configuration to ensure FSP notify will not
+ change it again */
+ int i;
+ struct device *dev;
+ printk(BIOS_CRIT, "FLASH SECURITY OVERRIDE SET:"
+ "DISABLE FLASH PROTECTIONS!\n");
+
+ /* disable protections FPR0-4 + GPR0 */
+ for (i = 0; i < 6; i++)
+ write32(spibar + SPIBAR_FPR(i), 0);
+
+ /* Disable WPD and EISS */
+ dev = dev_find_slot(0, PCI_DEVFN(SPI_DEV, SPI_FUNC));
+ if (dev != NULL) {
+ reg32 = pci_read_config32(dev, SPIBAR_BIOS_CONTROL);
+ reg32 &= ~(SPIBAR_BIOS_CONTROL_EISS |
+ SPIBAR_BIOS_CONTROL_WPD);
+ /* lock to ensure FSP cannot change it */
+ if (!relax_security)
+ reg32 |= SPIBAR_BIOS_CONTROL_LOCK_ENABLE |
+ SPIBAR_BIOS_CONTROL_BILD;
+ pci_write_config32(dev, SPIBAR_BIOS_CONTROL, reg32);
+ }
+ }
+
+ if (!relax_security) {
+ /* Lock SPIBAR */
+ hsfs |= SPIBAR_HSFSTS_FLOCKDN | SPIBAR_HSFSTS_PRR34_LOCKDN;
+ reg32 = read32(spibar + SPIBAR_DLOCK);
+ reg32 |= 0x11f0f;
+ write32(spibar + SPIBAR_DLOCK, reg32);
+
+ write32(spibar + SPIBAR_HSFSTS_CTL, hsfs);
+ }
+
+}
+
static void finalize_chipset(void *unused)
{
+ bool relax_security = fsp_relax_security();
+
+ spi_lock_bar(relax_security);
+
printk(BIOS_DEBUG, "Finalizing SMM.\n");
outb(APM_CNT_FINALIZE, APM_CNT);
}
To view, visit change 25441. To unsubscribe, or for help writing mail filters, visit settings.