Tristan Corrick has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/29977 )
Change subject: sb/intel/lynxpoint: Allow the flash chip to be write-protected ......................................................................
sb/intel/lynxpoint: Allow the flash chip to be write-protected
This patch is based on the bd82x6x code. Lynx Point uses the same register locations and layout for flash protection.
Tested on an ASRock H81M-HDS. When write-protection is configured, flashrom reports all flash regions as read-only, and does not manage to alter the contents of the flash chip.
Change-Id: I781082b1ed507b00815d1e85aec3e56ae5a4bef2 Signed-off-by: Tristan Corrick tristan@corrick.kiwi --- M src/southbridge/intel/lynxpoint/Kconfig M src/southbridge/intel/lynxpoint/finalize.c 2 files changed, 21 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/29977/1
diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig index 5b06c4b..0690972 100644 --- a/src/southbridge/intel/lynxpoint/Kconfig +++ b/src/southbridge/intel/lynxpoint/Kconfig @@ -59,6 +59,20 @@ If you set this option to y, the serial IRQ machine will be operated in continuous mode.
+config SPI_FLASH_WRITE_PROTECT + bool "Write-protect the SPI flash during chipset lockdown" + help + Select this if you want the entire firmware flash chip to be + write-protected during chipset lockdown. This can provide a + security benefit, as malware will not be able to write to the + flash chip. However, it is important to note that ALL writes + and erases are blocked, so you will not be able to update + coreboot using flashrom's internal programmer. + + If you have configured coreboot not to run the chipset lockdown + (see `INTEL_CHIPSET_LOCKDOWN`), then the payload must initiate + the lockdown in order for this setting to take effect. + config ME_MBP_CLEAR_LATE bool "Defer wait for ME MBP Cleared" default y diff --git a/src/southbridge/intel/lynxpoint/finalize.c b/src/southbridge/intel/lynxpoint/finalize.c index 590a245..3971874 100644 --- a/src/southbridge/intel/lynxpoint/finalize.c +++ b/src/southbridge/intel/lynxpoint/finalize.c @@ -32,6 +32,13 @@ RCBA32(0x3898) = SPI_OPMENU_LOWER; RCBA32(0x389c) = SPI_OPMENU_UPPER;
+ if (IS_ENABLED(CONFIG_SPI_FLASH_WRITE_PROTECT)) { + int i; + for (i = 0; i <= 4; i++) + SPIBAR32(0x74 + i * 4) = + SPIBAR32(0x54 + i * 4) | (1UL << 31); + } + /* Lock SPIBAR */ RCBA32_OR(0x3804, (1 << 15));
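Review bot: In the Kconfig hunk, the help text promises that the "entire firmware flash chip" is write-protected, but the finalize.c change derives the protected ranges from the five FREG region registers, so only address space that belongs to a region defined in the flash descriptor is actually blocked; wording it as "all flash regions defined in the descriptor" (or stating that the protection mirrors the region layout) would make the guarantee match the code. It would also help readers to spell out that, with writes and erases blocked, recovering from a bad image requires an external programmer, since the help already warns that flashrom's internal programmer cannot be used.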
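Review bot: In the finalize.c hunk, the loop uses raw offsets (0x54 + i * 4 and 0x74 + i * 4) and a bare (1UL << 31) with no comment, so a reader cannot tell from the hunk that PR0..PR4 share the base/limit layout of FREG0..FREG4 and that bit 31 is the write-protect enable; add a one-line comment or named macros (for example SPI_FREG(n), SPI_PR(n), SPI_PR_WPE) so the intent is reviewable without the datasheet. The ordering is correct and worth a comment of its own: the PR writes sit before `RCBA32_OR(0x3804, (1 << 15));` (the existing "Lock SPIBAR" step), and they must stay there because the protection registers become read-only once that lock bit is set. Minor: `1U << 31` would match the 32-bit register width better than `1UL << 31`.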