Attention is currently required from: Patrick Rudolph. Benjamin Doron has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/40830 )
Change subject: [WIP]security/intel: Add option to eanble SMM flash access only ......................................................................
Patch Set 1:
(2 comments)
Patchset:
PS1:
On the LPC (and therefore, is it perhaps not relevant?), the EISS bit is cleared by `lpc_soc_init` i […]
By patching "src/soc/intel/common/block/smm/smihandler.c" with the below, the system (Skylake-U) will boot. However, it hangs when attempting to write to SPI using flashrom. I'm not certain why, but the bits we might want to set there (prefetch and caching enabled) are set.
Perhaps write protect status must only be modified (done by `smihandler_soc_check_illegal_access()`) along with "Synchronous SMI Status" bit. See https://github.com/tianocore/edk2-platforms/blob/master/Silicon/Intel/Kabyla....
--- a/src/soc/intel/common/block/smm/smihandler.c +++ b/src/soc/intel/common/block/smm/smihandler.c @@ -318,7 +318,7 @@ static void finalize(void) } finalize_done = 1;
- if (CONFIG(SPI_FLASH_SMM)) + if (CONFIG(SPI_FLASH_SMM) && !CONFIG(BOOTMEDIA_SMM_BWP)) /* Re-init SPI driver to handle locked BAR */ fast_spi_init();
File src/soc/intel/common/pch/lockdown/lockdown.c:
https://review.coreboot.org/c/coreboot/+/40830/comment/16d8aede_a059f8f9 PS1, Line 66: if (CONFIG(BOOTMEDIA_SMM_BWP)) {
I was using the SPI flashconsole. […]
While various coreboot features are incompatible with SPI lockdown, this clearly works. Marking as done.