Change in coreboot[master]: util/ifdtool: Enable CPU read for ME region - coreboot-gerrit

22 Oct 2020


      Rizwan Qureshi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46441 )
Change subject: util/ifdtool: Enable CPU read for ME region
......................................................................
Patch Set 7:
(2 comments)
https://review.coreboot.org/c/coreboot/+/46441/7//COMMIT_MSG 
Commit Message:
https://review.coreboot.org/c/coreboot/+/46441/7//COMMIT_MSG@8 
PS7, Line 8: 
           : We are implementing a mechanism in coreboot to update CSME firmware,
           : this requires coreboot to be able to read CSME region.
...
Do you have a pointer to this? The current mechanism relies on querying the CSE to provide its versi […]
The current mechanism is not relying on determining the version by reading CSE region, however we are exploring another way to determine the version either by reading a fixed offset (like the OEM Build version field) or parsing the CSE region. For that purpose we need a mechanism to enable the read on ME after it is locked.
There is internal test case which uses ifdtool to lock ME region using and test write protection on that. When running this tests with the new CSE update implementation we run into problem since the CSE region is not readable.
Providing an option in IFD tool to enable CPU read of CSME, will enable the test case to validate the new approach.
https://review.coreboot.org/c/coreboot/+/46441/7//COMMIT_MSG@13 
PS7, Line 13: This patch will enable read access to CSME region when locking.
...
Should ifdtool honor the settings that are already present in the descriptor if it is not all ffs? I […]
A check in ifdtool to see if there is already a non-default region access applied can be implemented. However, during the development phase where the ME is not locked and the automated test cases use ifdtool to lock ME, we will need an option to skip disabling read.
I agree that when ifdtool is used for locking it has to honor non-default region access values if already present. And we can add a -f (force) option to override the existing settings. May be another patch for that.
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/46441
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I1d9a8e17fba19b717453476fbcb7bcf95b278abe
Gerrit-Change-Number: 46441
Gerrit-PatchSet: 7
Gerrit-Owner: Usha P usha.p@intel.com
Gerrit-Reviewer: Furquan Shaikh furquan@google.com
Gerrit-Reviewer: Jamie Ryu jamie.m.ryu@intel.com
Gerrit-Reviewer: Karthik Ramasubramanian kramasub@google.com
Gerrit-Reviewer: Maulik V Vaghela maulik.v.vaghela@intel.com
Gerrit-Reviewer: Rizwan Qureshi rizwan.qureshi@intel.com
Gerrit-Reviewer: Stefan Reinauer stefan.reinauer@coreboot.org
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Angel Pons th3fanbus@gmail.com
Gerrit-CC: Paul Menzel paulepanter@users.sourceforge.net
Gerrit-Comment-Date: Thu, 22 Oct 2020 12:09:00 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Furquan Shaikh furquan@google.com
Gerrit-MessageType: comment