Bill XIE has uploaded this change for review. ( https://review.coreboot.org/21607
Change subject: ifdtool: Port the feature to jail ME from me_cleaner ......................................................................
ifdtool: Port the feature to jail ME from me_cleaner
Port me_cleaner's feature of "removing the ME/TXE Read/Write permissions to the other regions" (its -d option; https://github.com/corna/me_cleaner/) to ifdtool.
Change-Id: I00533f4e2569c4763fbfc302bb460db1e60e5564 Signed-off-by: Bill XIE persmule@gmail.com --- M util/ifdtool/ifdtool.c 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c index dfdf547..86094b3 100644 --- a/util/ifdtool/ifdtool.c +++ b/util/ifdtool/ifdtool.c @@ -787,7 +787,7 @@ write_image(filename, image, size); }
-static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd) +static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd, bool jail_me) { int wr_shift, rd_shift; /* TODO: Dynamically take Platform Data Region and GbE Region @@ -850,15 +850,25 @@ */ fmba->flmstr1 = 0xffffff00 | (fmba->flmstr1 & 0xff); - - fmba->flmstr2 = 0xffffff00 | - (fmba->flmstr2 & 0xff); - + if (jail_me) { + fmba->flmstr2 &= 0xff; + /* ME can read ME. */ + fmba->flmstr2 |= 0x4 << rd_shift; + /* ME can write ME. */ + fmba->flmstr2 |= 0x4 << wr_shift; + } else { + fmba->flmstr2 = 0xffffff00 | + (fmba->flmstr2 & 0xff); + } fmba->flmstr3 = 0xffffff00 | (fmba->flmstr3 & 0xff); } else { fmba->flmstr1 = 0xffff0000; - fmba->flmstr2 = 0xffff0000; + if (jail_me) { + fmba->flmstr2 = 0x04040000; + } else { + fmba->flmstr2 = 0xffff0000; + } /* Keep chipset specific Requester ID */ fmba->flmstr3 = 0x08080000 | (fmba->flmstr3 & 0xffff); @@ -1133,6 +1143,9 @@ " Dual Output Fast Read Support\n" " -l | --lock Lock firmware descriptor and ME region\n" " -u | --unlock Unlock firmware descriptor and ME region\n" + " -j | --jail Unlock firmware descriptor and ME region,\n" + " and remove the ME/TXE's Read/Write permissions\n" + " to the other regions\n" " -p | --platform Add platform-specific quirks\n" " aplk - Apollo Lake\n" " -v | --version: print the version\n" @@ -1145,7 +1158,7 @@ { int opt, option_index = 0; int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0; - int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0; + int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0, mode_jail = 0; int mode_layout = 0, mode_newlayout = 0, mode_density = 0; char *region_type_string = NULL, *region_fname = NULL; const char *layout_fname = NULL; @@ -1165,13 +1178,14 @@ {"em100", 0, NULL, 'e'}, {"lock", 0, NULL, 'l'}, {"unlock", 0, NULL, 'u'}, + {"jail", 0, NULL, 'j'}, {"version", 0, NULL, 'v'}, {"help", 0, NULL, 'h'}, {"platform", 0, NULL, 'p'}, {0, 0, 0, 0} };
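Review bot: In the @@ -850 hunk the IFD v1 branch hardcodes the jailed ME mask as `0x04040000`, while the v2 branch a few lines above derives the same permission from `rd_shift`/`wr_shift`; deriving both from the shift variables keeps the region-bit meaning in one place, e.g. `fmba->flmstr2 = (0x4 << rd_shift) | (0x4 << wr_shift);`, provided rd_shift/wr_shift are also assigned for the v1 layout earlier in fmba_toggle_permission, whose body starts outside this hunk. The bare `0x4` would read better as a named constant or with a comment stating it is the ME region bit, which the existing `/* ME can read ME. */` and `/* ME can write ME. */` lines only imply. Since this is the unlock path, a comment above the `if (jail_me)` such as `/* Unlock everything for the other masters, but leave ME with access to its own region only. */` would document that `flmstr2 &= 0xff` drops every other region bit for the ME master before the two ME bits are set back.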
- while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:eluvh?", + while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:elujvh?", long_options, &option_index)) != EOF) { switch (opt) { case 'd': @@ -1322,6 +1336,14 @@ exit(EXIT_FAILURE); } break; + case 'j': + mode_unlocked = 1; + mode_jail = 1; + if (mode_locked == 1) { + fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n"); + exit(EXIT_FAILURE); + } + break; case 'p': if (!strcmp(optarg, "aplk")) { platform = PLATFORM_APOLLOLAKE; @@ -1422,7 +1444,7 @@
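Review bot: The error message in the new `case 'j'` of the @@ -1322 hunk is copied from the lock/unlock case and says "Locking/Unlocking", so a user who passes `-l -j` is told nothing about jailing; `fprintf(stderr, "Locking FD and ME and jailing ME are mutually exclusive\n");` names the actual conflict. The comparison `if (mode_locked == 1)` can be `if (mode_locked)`, matching how the flag is tested at the call site (`if (mode_locked || mode_unlocked)`). Setting `mode_unlocked` and `mode_jail` before the exclusivity check is harmless because the process exits on conflict, but testing first and setting afterwards reads more naturally. The enclosing switch and main continue outside the hunk.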
if (mode_locked || mode_unlocked) { fmba_t *fmba = find_fmba(image, size); - fmba_toggle_permission(fmba, mode_locked); + fmba_toggle_permission(fmba, mode_locked, mode_jail); write_image(filename, image, size); }