Vladimir Serbinenko (phcoder@gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10191

-gerrit

commit 86212528247060d45b46f6f2bb10ad784a4baa3c Author: Vladimir Serbinenko phcoder@gmail.com Date: Tue May 12 12:39:53 2015 +0200

bd82x6x, ibexpeak: Support fully locking ROM on S3 resume.

Currently only RO-lock is supported. Make full lock available as an option.

Change-Id: Ib68a1e82733a51053a9adc80ac501b6205c6b8a7 Signed-off-by: Vladimir Serbinenko phcoder@gmail.com --- src/southbridge/intel/bd82x6x/Kconfig | 25 +++++++++++++++++++++++-- src/southbridge/intel/bd82x6x/finalize.c | 17 ++++++++++------- 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 8c51520..8a832aa 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -151,9 +151,19 @@ config LOCK_MANAGEMENT_ENGINE

If unsure, say N.

-config LOCK_SPI_ON_RESUME +endif + +if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK + +choice + prompt "Flash ROM locking on S3 resume" + default LOCK_SPI_ON_RESUME_NONE + +config LOCK_SPI_ON_RESUME_NONE + bool "Don't lock ROM sections on S3 resume" + +config LOCK_SPI_ON_RESUME_RO bool "Lock all flash ROM sections on S3 resume" - default n help If the flash ROM shall be protected against write accesses from the operating system (OS), the locking procedure has to be repeated after @@ -161,4 +171,15 @@ config LOCK_SPI_ON_RESUME ROM from within your OS. Notice: Even with this option, the write lock has still to be enabled on the normal boot path (e.g. by the payload).

+config LOCK_SPI_ON_RESUME_NO_ACCESS + bool "Lock and disable reads all flash ROM sections on S3 resume" + help + If the flash ROM shall be protected against all accesses from the + operating system (OS), the locking procedure has to be repeated after + each resume from S3. Select this if you never want to update the flash + ROM from within your OS. Notice: Even with this option, the lock + has still to be enabled on the normal boot path (e.g. by the payload). + +endchoice + endif diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c index ad2586c..df7b070 100644 --- a/src/southbridge/intel/bd82x6x/finalize.c +++ b/src/southbridge/intel/bd82x6x/finalize.c @@ -25,13 +25,16 @@

void intel_pch_finalize_smm(void) { -#if CONFIG_LOCK_SPI_ON_RESUME - /* Copy flash regions from FREG0-4 to PR0-4 - and enable write protection bit31 */ - int i; - for (i = 0; i < 20; i += 4) - RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31); -#endif + if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) { + /* Copy flash regions from FREG0-4 to PR0-4 + and enable write protection bit31 */ + int i; + u32 lockmask = (1 << 31); + if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) + lockmask |= (1 << 15); + for (i = 0; i < 20; i += 4) + RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask; + }

/* Set SPI opcode menu */ RCBA16(0x3894) = SPI_OPPREFIX;