[coreboot-gerrit] Patch set updated for coreboot: 8621252 bd82x6x, ibexpeak: Support fully locking ROM on S3 resume.

Vladimir Serbinenko (phcoder@gmail.com) gerrit at coreboot.org
Thu May 14 10:00:19 CEST 2015


Vladimir Serbinenko (phcoder at gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10191

-gerrit

commit 86212528247060d45b46f6f2bb10ad784a4baa3c
Author: Vladimir Serbinenko <phcoder at gmail.com>
Date:   Tue May 12 12:39:53 2015 +0200

    bd82x6x, ibexpeak: Support fully locking ROM on S3 resume.
    
    Currently only RO-lock is supported. Make full lock available as an option.
    
    Change-Id: Ib68a1e82733a51053a9adc80ac501b6205c6b8a7
    Signed-off-by: Vladimir Serbinenko <phcoder at gmail.com>
---
 src/southbridge/intel/bd82x6x/Kconfig    | 25 +++++++++++++++++++++++--
 src/southbridge/intel/bd82x6x/finalize.c | 17 ++++++++++-------
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 8c51520..8a832aa 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -151,9 +151,19 @@ config LOCK_MANAGEMENT_ENGINE
 
 	  If unsure, say N.
 
-config LOCK_SPI_ON_RESUME
+endif
+
+if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
+
+choice
+	prompt "Flash ROM locking on S3 resume"
+	default LOCK_SPI_ON_RESUME_NONE
+
+config LOCK_SPI_ON_RESUME_NONE
+	bool "Don't lock ROM sections on S3 resume"
+
+config LOCK_SPI_ON_RESUME_RO
 	bool "Lock all flash ROM sections on S3 resume"
-	default n
 	help
 	  If the flash ROM shall be protected against write accesses from the
 	  operating system (OS), the locking procedure has to be repeated after
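Review bot: Renaming `LOCK_SPI_ON_RESUME` to `LOCK_SPI_ON_RESUME_RO` inside a choice that defaults to `LOCK_SPI_ON_RESUME_NONE` means a saved configuration that set the old symbol would presumably fall back to no locking on the next config refresh, with no warning. Any code that still tests `CONFIG_LOCK_SPI_ON_RESUME` would also stop matching; this patch only updates bd82x6x/finalize.c, so references elsewhere in the tree (not visible here) are worth checking. The RO prompt could also say what it does relative to its new sibling, e.g. `bool "Write-protect all flash ROM sections on S3 resume"`.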
@@ -161,4 +171,15 @@ config LOCK_SPI_ON_RESUME
 	  ROM from within your OS. Notice: Even with this option, the write lock
 	  has still to be enabled on the normal boot path (e.g. by the payload).
 
+config LOCK_SPI_ON_RESUME_NO_ACCESS
+	bool "Lock and disable reads all flash ROM sections on S3 resume"
+	help
+	  If the flash ROM shall be protected against all accesses from the
+	  operating system (OS), the locking procedure has to be repeated after
+	  each resume from S3. Select this if you never want to update the flash
+	  ROM from within your OS. Notice: Even with this option, the lock
+	  has still to be enabled on the normal boot path (e.g. by the payload).
+
+endchoice
+
 endif
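Review bot: The help text for `LOCK_SPI_ON_RESUME_NO_ACCESS` is almost a copy of the RO entry and never states the practical cost of read-locking, which is the only thing that distinguishes it from the RO choice. With this option the OS can presumably no longer read the flash back either, so I would add a sentence such as `This also blocks reading the flash ROM from the OS, e.g. to dump or verify the firmware image.` The prompt is also ungrammatical; `bool "Write- and read-protect all flash ROM sections on S3 resume"` reads better.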
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index ad2586c..df7b070 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -25,13 +25,16 @@
 
 void intel_pch_finalize_smm(void)
 {
-#if CONFIG_LOCK_SPI_ON_RESUME
-	/* Copy flash regions from FREG0-4 to PR0-4
-	   and enable write protection bit31 */
-	int i;
-	for (i = 0; i < 20; i += 4)
-		RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31);
-#endif
+	if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+		/* Copy flash regions from FREG0-4 to PR0-4
+		   and enable write protection bit31 */
+		int i;
+		u32 lockmask = (1 << 31);
+		if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+			lockmask |= (1 << 15);
+		for (i = 0; i < 20; i += 4)
+			RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
+	}
 
 	/* Set SPI opcode menu */
 	RCBA16(0x3894) = SPI_OPPREFIX;
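Review bot: `u32 lockmask = (1 << 31);` shifts a signed int into its sign bit, which is undefined behavior in C; write `u32 lockmask = (1u << 31);` and use `1u << 15` for consistency. The comment above the loop still mentions only write protection although bit 15 is now set for the NO_ACCESS case, so it should read something like `/* Copy FREG0-4 to PR0-4, setting write protection (bit 31) and, for NO_ACCESS, read protection (bit 15) */`; named constants for the two bits would make this self-documenting. The PR0-4 values only act as a lock if the SPI configuration is locked down afterwards. That step is not visible in this hunk, since intel_pch_finalize_smm continues past it.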


