[coreboot-gerrit] Patch set updated for coreboot: c75079e southbridge/intel/common/spi: Add Flash lockdown option

Timothy Pearson (tpearson@raptorengineeringinc.com) gerrit at coreboot.org
Thu Jun 4 20:49:04 CEST 2015


Timothy Pearson (tpearson at raptorengineeringinc.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/9370

-gerrit

commit c75079eb6bc9b8f2c3d546b142e890ac1909395a
Author: Timothy Pearson <tpearson at raptorengineeringinc.com>
Date:   Tue Apr 7 13:45:06 2015 -0500

    southbridge/intel/common/spi: Add Flash lockdown option
    
    Under certain circumstances it is desirable to prevent
    software from altering the contents of the Flash device.
    
    This Expert-mode option allows the hardware write protect
    to be set on bootup.
    
    Change-Id: I92d3c60a69f1688579d954d0476e30a6892cf4d5
    Signed-off-by: Timothy Pearson <tpearson at raptorengineeringinc.com>
---
 src/southbridge/intel/common/Kconfig |  9 +++++++++
 src/southbridge/intel/common/spi.c   | 20 ++++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig
index 949310b..52ada30 100644
--- a/src/southbridge/intel/common/Kconfig
+++ b/src/southbridge/intel/common/Kconfig
@@ -1,2 +1,11 @@
 config SOUTHBRIDGE_INTEL_COMMON
 	def_bool n
+
+config LOCK_DOWN_BIOS
+	bool "Lock down the Flash"
+	default n
+	depends on EXPERT
+	help
+	  Lock down the Flash chip to prevent further modification by software.
+	  WARNING: Altering the contents of the Flash chip further WILL require
+	  a hardware programmer AND physical access to the Flash device!
\ No newline at end of file
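Review bot: `LOCK_DOWN_BIOS` depends only on `EXPERT`, so if this Kconfig file is sourced for boards that do not build `southbridge/intel/common/spi.c`, the option can be enabled there and silently do nothing, leaving the user to believe the flash is protected. Consider `depends on EXPERT && SOUTHBRIDGE_INTEL_COMMON`. The help text would also be more useful if it named the mechanism, for example `Sets the SPI controller's FLOCKDN bit during spi_init()`, and `default n` is redundant for a bool. The file now ends without a trailing newline.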
diff --git a/src/southbridge/intel/common/spi.c b/src/southbridge/intel/common/spi.c
index 1d3ebf6..04f05ed 100644
--- a/src/southbridge/intel/common/spi.c
+++ b/src/southbridge/intel/common/spi.c
@@ -2,6 +2,7 @@
  * Copyright (c) 2011 The Chromium OS Authors.
  * Copyright (C) 2009, 2010 Carl-Daniel Hailfinger
  * Copyright (C) 2011 Stefan Tauner
+ * Copyright (C) 2015 Timothy Pearson <tpearson at raptorengineeringinc.com>, Raptor Engineering
  *
  * See file CREDITS for list of people who contributed to this
  * project.
@@ -353,11 +354,19 @@ void spi_init(void)
 
 	ich_set_bbar(0);
 
-	/* Disable the BIOS write protect so write commands are allowed. */
-	pci_read_config_byte(dev, 0xdc, &bios_cntl);
-	/* Deassert SMM BIOS Write Protect Disable. */
-	bios_cntl &= ~(1 << 5);
-	pci_write_config_byte(dev, 0xdc, bios_cntl | 0x1);
+	if (IS_ENABLED(CONFIG_LOCK_DOWN_BIOS)) {
+		/* Engage lockdown */
+		hsfs = readw_(&ich9_spi->hsfs);
+		hsfs = hsfs | HSFS_FLOCKDN;
+		writew_(hsfs, &ich9_spi->hsfs);
+	}
+	else {
+		/* Disable the BIOS write protect so write commands are allowed. */
+		pci_read_config_byte(dev, 0xdc, &bios_cntl);
+		/* Deassert SMM BIOS Write Protect Disable. */
+		bios_cntl &= ~(1 << 5);
+		pci_write_config_byte(dev, 0xdc, bios_cntl | 0x1);
+	}
 }
 #ifndef __SMM__
 static void spi_init_cb(void *unused)
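Review bot: The lockdown branch sets only `HSFS_FLOCKDN` and never touches config register 0xdc, so bit 0, which the else branch sets to allow write commands, keeps whatever value it had before `spi_init()` ran. On Intel ICH/PCH parts FLOCKDN is documented as freezing the SPI configuration registers (protected ranges, opcode menu) rather than blocking writes by itself, so the protection promised in the Kconfig help depends on protected ranges and BIOS_CNTL having been programmed earlier, which this hunk does not show; please confirm against the datasheet. If the intent is a write lock, the branch should at least clear the write-enable bit before locking, e.g. `pci_read_config_byte(dev, 0xdc, &bios_cntl);` then `pci_write_config_byte(dev, 0xdc, bios_cntl & ~0x1);`. The read-modify-write of `hsfs` also writes back any status bits that were set at read time, which are write-one-to-clear on these controllers as far as I know, so masking them out before `writew_()` would be safer. `spi_init()` begins outside the hunk, so whether `ich9_spi` and `hsfs` are valid on every path that reaches this branch cannot be checked here.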
@@ -927,7 +936,6 @@ static int ich_hwseq_write(struct spi_flash *flash,
 	return 0;
 }
 
-
 static struct spi_flash *spi_flash_hwseq(struct spi_slave *spi)
 {
 	struct spi_flash *flash = NULL;


