Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/25196
Change subject: security/flash: Add SPI flash protection ......................................................................
security/flash: Add SPI flash protection
* get/set write protection for SPI flash. * GPIO weak function for WP pin lookup (VBOOT).
Change-Id: I12656d7c111ed3622fab5578f6e0c462fe5d4796 Signed-off-by: zaolin zaolin@das-labor.org --- M src/security/Kconfig M src/security/Makefile.inc A src/security/flash/Kconfig A src/security/flash/Makefile.inc A src/security/flash/flash.c A src/security/flash/flash.h 6 files changed, 229 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/96/25196/1
diff --git a/src/security/Kconfig b/src/security/Kconfig
index 6a334ac..006d089 100644
--- a/src/security/Kconfig
+++ b/src/security/Kconfig
@@ -14,3 +14,4 @@
 source "src/security/vboot/Kconfig"
 source "src/security/tpm/Kconfig"
+source "src/security/flash/Kconfig"
diff --git a/src/security/Makefile.inc b/src/security/Makefile.inc
index a940b82..413f7d0 100644
--- a/src/security/Makefile.inc
+++ b/src/security/Makefile.inc
@@ -1,2 +1,3 @@
 subdirs-y += vboot
 subdirs-y += tpm
+subdirs-y += flash
diff --git a/src/security/flash/Kconfig b/src/security/flash/Kconfig
new file mode 100644
index 0000000..67e62c7
--- /dev/null
+++ b/src/security/flash/Kconfig
@@ -0,0 +1,102 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2017 Philipp Deppenwiese, Facebook, Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+
+menu "Flash write protection"
+
+config FLASH_SPI_PROTECTIONS
+ bool
+ default y if MAINBOARD_HAS_FLASH_SPI_PROTECTIONS || USER_FLASH_SPI_PROTECTIONS
+ depends on SPI_FLASH
+
+config FLASH_PCH_PROTECTIONS
+ bool
+ default y if MAINBOARD_HAS_FLASH_PCH_PROTECTIONS || USER_FLASH_PCH_PROTECTIONS
+
+config MAINBOARD_HAS_FLASH_PCH_PROTECTIONS
+ bool
+
+config MAINBOARD_HAS_FLASH_SPI_PROTECTIONS
+ bool
+
+if !MAINBOARD_HAS_FLASH_SPI_PROTECTIONS && !MAINBOARD_HAS_FLASH_PCH_PROTECTIONS
+
+choice
+ prompt "Type"
+ default USER_FLASH_PCH_PROTECTIONS
+
+config USER_FLASH_SPI_PROTECTIONS
+ bool "SPI flash"
+ help
+ Enable this option to enable SPI flash write protection.
+
+config USER_FLASH_PCH_PROTECTIONS
+ bool "Platform PCH"
+ help
+ Enable this option to enable PCH flash write protection.
+
+endchoice
+
+endif
+
+config FLASH_MODE_VBOOT
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_VBOOT || USER_FLASH_SPI_PROTECTIONS
+ depends on VBOOT
+
+config FLASH_MODE_BIOS
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_BIOS || USER_FLASH_PCH_PROTECTIONS
+
+config FLASH_MODE_EVERYTHING
+ bool
+ default y if MAINBOARD_HAS_FLASH_MODE_EVERYTHING || USER_FLASH_PCH_PROTECTIONS
+
+config MAINBOARD_HAS_FLASH_MODE_VBOOT
+ bool
+
+config MAINBOARD_HAS_FLASH_MODE_BIOS
+ bool
+
+config MAINBOARD_HAS_FLASH_MODE_EVERYTHING
+ bool
+
+if !MAINBOARD_HAS_FLASH_MODE_VBOOT && !MAINBOARD_HAS_FLASH_MODE_BIOS && !MAINBOARD_HAS_FLASH_MODE_EVERYTHING
+
+choice
+ prompt "Mode"
+ default USER_NO_FLASH_PROTECTION
+
+config USER_NO_FLASH_PROTECTION
+ bool "disabled"
+
+config USER_FLASH_MODE_VBOOT
+ bool "Verified Boot"
+ help
+ Enable this option to enable VBoot mode.
+
+config USER_FLASH_MODE_BIOS
+ bool "BIOS region"
+ help
+ Enable this option to enable BIOS region write protection.
+
+config USER_FLASH_MODE_EVERYTHING
+ bool "Entire SPI flash"
+ help
+ Enable this option to enable entire flash write protection.
+
+endchoice
+
+endif
+
+endmenu
diff --git a/src/security/flash/Makefile.inc b/src/security/flash/Makefile.inc
new file mode 100644
index 0000000..50d4a7a
--- /dev/null
+++ b/src/security/flash/Makefile.inc
@@ -0,0 +1,5 @@
+## flash
+
+verstage-y += flash.c
+romstage-y += flash.c
+ramstage-y += flash.c
diff --git a/src/security/flash/flash.c b/src/security/flash/flash.c
new file mode 100644
index 0000000..b103909
--- /dev/null
+++ b/src/security/flash/flash.c
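Review bot: The "Mode" choice added in this hunk has no effect: `FLASH_MODE_VBOOT` defaults from `USER_FLASH_SPI_PROTECTIONS`, and both `FLASH_MODE_BIOS` and `FLASH_MODE_EVERYTHING` default from `USER_FLASH_PCH_PROTECTIONS`, so the `USER_FLASH_MODE_*` symbols are never referenced and selecting the PCH type turns on two modes at once (the if/else chain in flash.c then silently takes only the BIOS branch). The derived symbols should key off the mode choice instead: `default y if MAINBOARD_HAS_FLASH_MODE_VBOOT || USER_FLASH_MODE_VBOOT`, `default y if MAINBOARD_HAS_FLASH_MODE_BIOS || USER_FLASH_MODE_BIOS`, `default y if MAINBOARD_HAS_FLASH_MODE_EVERYTHING || USER_FLASH_MODE_EVERYTHING`. `USER_FLASH_MODE_VBOOT` should also carry `depends on VBOOT`, otherwise the menu can offer a mode that the `depends on VBOOT` on `FLASH_MODE_VBOOT` then drops without any indication to the user.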
@@ -0,0 +1,96 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <commonlib/region.h>
+#include <fmap.h>
+#include <security/flash/flash.h>
+#include <spi_flash.h>
+
+#define FMAP_VBOOT_RO_REGION "WP_RO"
+#define FMAP_BIOS_REGION "BIOS"
+#define FMAP_FLASH_REGION "FLASH"
+
+__attribute__((weak)) int gpio_get_wp_state(void) { return 0; }
+
+int set_write_protect_enabled(void)
+{
+ int result = -1;
+ struct region region;
+
+ if (IS_ENABLED(CONFIG_FLASH_SPI_PROTECTIONS)) {
+ struct spi_flash flash;
+
+ spi_init();
+ if (spi_flash_probe(0, 0, &flash))
+ return result;
+
+ if (IS_ENABLED(CONFIG_FLASH_MODE_VBOOT)) {
+ if (fmap_locate_area(FMAP_VBOOT_RO_REGION, ®ion) ==
+ 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_BIOS)) {
+ if (fmap_locate_area(FMAP_BIOS_REGION, ®ion) == 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_EVERYTHING)) {
+ if (fmap_locate_area(FMAP_FLASH_REGION, ®ion) == 0) {
+ result = spi_flash_set_write_protected(&flash,
+ ®ion);
+ }
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_PCH_PROTECTIONS)) {
+ }
+
+ return result;
+}
+
+int get_write_protect_state(void)
+{
+ int result = -1;
+ struct region region;
+
+ if (IS_ENABLED(CONFIG_FLASH_SPI_PROTECTIONS)) {
+ struct spi_flash flash;
+
+ spi_init();
+ if (spi_flash_probe(0, 0, &flash))
+ return result;
+
+ if (IS_ENABLED(CONFIG_FLASH_MODE_VBOOT)) {
+ if (fmap_locate_area(FMAP_VBOOT_RO_REGION, ®ion) ==
+ 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ result &= gpio_get_wp_state();
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_BIOS)) {
+ if (fmap_locate_area(FMAP_BIOS_REGION, ®ion) == 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_MODE_EVERYTHING)) {
+ if (fmap_locate_area(FMAP_FLASH_REGION, ®ion) == 0) {
+ result = spi_flash_is_write_protected(&flash,
+ ®ion);
+ }
+ }
+ } else if (IS_ENABLED(CONFIG_FLASH_PCH_PROTECTIONS)) {
+ }
+
+ return result;
+}
diff --git a/src/security/flash/flash.h b/src/security/flash/flash.h
new file mode 100644
index 0000000..bbd60df
--- /dev/null
+++ b/src/security/flash/flash.h
@@ -0,0 +1,24 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2018 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef FLASH_H_
+#define FLASH_H_
+
+int gpio_get_wp_state(void);
+
+int set_write_protect_enabled(void);
+int get_write_protect_state(void);
+
+#endif /* FLASH_H_ */
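Review bot: In `get_write_protect_state` the line `result &= gpio_get_wp_state();` folds the GPIO pin into the SPI status with a bitwise AND, so a negative error return from `spi_flash_is_write_protected` is turned into 0 ("not protected") whenever the pin reads 0, and the weak `gpio_get_wp_state` stub returning 0 makes every board without an override report unprotected in VBOOT mode; guard it as `if (result > 0) result = gpio_get_wp_state() ? 1 : 0;` and, if the stub's fail-closed default is intended, say so in a comment on it. The `else if (IS_ENABLED(CONFIG_FLASH_PCH_PROTECTIONS)) { }` branch in both functions is empty, so selecting PCH protection silently returns -1 with no `printk`; either log that the mode is not implemented or drop the branch until it is. `spi_flash_probe(0, 0, &flash)` hard-codes bus 0 / CS 0 rather than `CONFIG_BOOT_DEVICE_SPI_FLASH_BUS` (or the already-probed `boot_device_spi_flash()`, if this tree provides it), and re-running `spi_init()` on every call is probably unnecessary in ramstage. I believe `get_write_protect_state` is also the name of the mainboard-provided vboot hook declared in chromeos.h, so this non-static definition may collide at link time on VBOOT boards — worth checking before merge.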
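Review bot: The three prototypes in flash.h carry no documentation of their return convention, which callers of a security check will branch on; above `set_write_protect_enabled` add `/* Returns the spi_flash_set_write_protected() result for the configured region, or -1 if the flash probe or FMAP lookup failed. */`, above `get_write_protect_state` add `/* Returns the spi_flash_is_write_protected() result for the configured region (combined with the WP pin in VBOOT mode), or -1 if the flash probe or FMAP lookup failed. */`, and above `gpio_get_wp_state` add `/* Board hook: state of the hardware WP pin; the weak default in flash.c returns 0. */`. The include guard `FLASH_H_` is generic enough to clash with another flash.h in the tree; a path-qualified guard such as `SECURITY_FLASH_FLASH_H` follows the usual coreboot convention.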