Author: quozl
Date: Thu Sep 15 08:08:18 2011
New Revision: 2510
URL: http://tracker.coreboot.org/trac/openfirmware/changeset/2510

Log: OLPC XO-1.75 - enforce SPI FLASH write protect during security startup, #11228

Modified:
   cpu/arm/olpc/1.75/fw.bth
   dev/olpc/spiflash/flashif.fth
   dev/olpc/spiflash/spiflash.fth
Modified: cpu/arm/olpc/1.75/fw.bth ============================================================================== --- cpu/arm/olpc/1.75/fw.bth Thu Sep 15 07:39:43 2011 (r2509) +++ cpu/arm/olpc/1.75/fw.bth Thu Sep 15 08:08:18 2011 (r2510) @@ -82,9 +82,16 @@ false to stand-init-debug? \ true to stand-init-debug?
+: sec-trg ( -- ) d# 73 gpio-set ; \ rising edge latches SPI_WP# low +: sec-trg? ( -- bit ) d# 73 gpio-pin@ ; + +alias ec-indexed-io-off sec-trg +alias ec-indexed-io-off? sec-trg? +alias ec-ixio-reboot ec-power-cycle \ clears latch, brings SPI_WP# high + false value secure?
-: protect-fw ( -- ) ; +: protect-fw ( -- ) secure? if flash-protect sec-trg then ;
hex : i-key-wait ( ms -- pressed? ) @@ -280,9 +287,6 @@ defer rm-go-hook \ Not used, but makes security happy : tsc@ ( -- d.ticks ) timer0@ u>d ; d# 6500 constant ms-factor -0 value ec-indexed-io-off? \ !!! -: ec-indexed-io-off ( -- ) ; \ !!! -: ec-ixio-reboot ( -- ) ; \ !!!
\ idt1338 rtc and ram address map \ 00 -> 0f rtc
Modified: dev/olpc/spiflash/flashif.fth ============================================================================== --- dev/olpc/spiflash/flashif.fth Thu Sep 15 07:39:43 2011 (r2509) +++ dev/olpc/spiflash/flashif.fth Thu Sep 15 08:08:18 2011 (r2510) @@ -9,6 +9,7 @@ defer flash-read ( adr len offset -- ) defer flash-verify ( adr len offset -- mismatch? ) defer flash-erase-block ( offset -- ) +defer flash-protect ( -- ) h# 10.0000 value /flash h# 10000 value /flash-block
Modified: dev/olpc/spiflash/spiflash.fth ============================================================================== --- dev/olpc/spiflash/spiflash.fth Thu Sep 15 07:39:43 2011 (r2509) +++ dev/olpc/spiflash/spiflash.fth Thu Sep 15 08:08:18 2011 (r2510) @@ -91,6 +91,38 @@ 1 spi-cmd ( b ) spi-out stop-writing ;
+\ Protect the device from further writes, by setting the Status +\ Register Protect (SRP) bit, and the Block Protect (BP2 BP1 BP0) +\ bits. + +\ Caller must then lower /WP pin, which prevents further write access +\ to the status register until the /WP pin is raised. + +: spi-protect ( -- ) h# 9c spi-write-status ; + +\ Turn off the protection bits. + +\ Is only permitted by the device if the /WP pin is high, otherwise it +\ is ignored and the status register protection bits are unchanged. + +: spi-unprotect ( -- ) h# 0 spi-write-status ; + +\ Check if the device is protected from further writes, by testing for +\ a set SRP, and if so trying to clear it, and checking if it remained +\ clear. + +: spi-protected? ( -- flag ) + spi-read-status h# 80 and if + spi-read-status ( status ) + spi-unprotect ( status ) + spi-read-status h# 80 and if ( status ) + drop true exit ( status ) + then ( status ) + spi-write-status + then + false +; + \ Erase a 64k block : erase-spi-block ( offset -- ) h# d8 setup-spi-write stop-writing ;
@@ -282,7 +314,7 @@ ( default ) true abort" Unsupported SPI FLASH ID" endcase to write-spi-flash - 0 spi-write-status \ Turn off write protect bits + spi-unprotect ;
\ Display a message telling what kind of part was found @@ -299,14 +331,17 @@ then ;
- : spi-flash-open ( -- ) \ One retry spi-start ['] spi-identify catch if spi-start spi-identify then ; -: spi-flash-write-enable ( -- ) flash-open .spi-id cr ; + +: spi-flash-write-enable ( -- ) + flash-open .spi-id cr + spi-protected? abort" Write Protected SPI FLASH" +;
: use-spi-flash-read ( -- ) ['] read-spi-flash to flash-read ;
@@ -319,6 +354,7 @@ ['] write-spi-flash to flash-write ['] verify-spi-flash to flash-verify ['] erase-spi-block to flash-erase-block + ['] spi-protect to flash-protect use-spi-flash-read \ Might be overridden h# 10.0000 to /flash /spi-eblock to /flash-block
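Review bot: In cpu/arm/olpc/1.75/fw.bth (@@ -82,9 +82,16), protect-fw runs "flash-protect sec-trg" and returns without confirming that either step took effect, so a secure boot continues even if the status write or the latch failed. Suggest reading back sec-trg? after sec-trg (the word is defined two lines above but not used here) and failing closed when it does not report the latch as set. The ordering itself (status register first, then the /WP latch) matches the comment added in spiflash.fth. A named constant for GPIO 73 would also make the two definitions easier to audit against the schematic.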
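Review bot: In dev/olpc/spiflash/flashif.fth (@@ -9,6 +9,7), "defer flash-protect" is declared with no default action, and in the visible lines the only assignment is "['] spi-protect to flash-protect" in the SPI flash setup word. protect-fw calls flash-protect whenever secure? is true, so the security path depends on that setup word having run first; nothing in this patch shows that it has. Suggest installing a default that aborts with a message, so that an unassigned flash-protect stops a secure boot instead of leaving the part writable, and adding a one-line comment here on what an implementation must guarantee.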
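Review bot: In dev/olpc/spiflash/spiflash.fth (@@ -91,6 +91,38), spi-protected? is a destructive probe: when /WP is high and SRP is set, it clears the whole status register with spi-unprotect and only afterwards restores it with spi-write-status. Between those two writes the part is unprotected, and a reset or power loss there leaves the protection bits cleared. Please document that side effect in the comment above the word, or consider deciding from sec-trg? where the platform provides it. Smaller points: the second spi-read-status inside the "if" can be replaced by keeping the first value with dup, and h# 80 and h# 9c would read better as named constants for SRP and SRP+BP2..BP0.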
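Review bot: In dev/olpc/spiflash/spiflash.fth (@@ -319,6 +354,7), flash-protect is bound to spi-protect, which writes the fixed value h# 9c, while the identify code earlier in the file selects behaviour per part ID in a case statement. Please confirm that h# 9c means SRP plus BP2..BP0 covering the whole array on every supported ID, or select the protect value in that same case statement. A comment stating which address range the BP bits cover on the fitted part would make the security claim checkable.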