[coreboot-gerrit] Patch set updated for coreboot: 8621252 bd82x6x, ibexpeak: Support fully locking ROM on S3 resume.
Vladimir Serbinenko (phcoder@gmail.com)
gerrit at coreboot.org
Thu May 14 10:00:19 CEST 2015
Vladimir Serbinenko (phcoder at gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10191
-gerrit
commit 86212528247060d45b46f6f2bb10ad784a4baa3c
Author: Vladimir Serbinenko <phcoder at gmail.com>
Date: Tue May 12 12:39:53 2015 +0200
bd82x6x, ibexpeak: Support fully locking ROM on S3 resume.
Currently only RO-lock is supported. Make full lock available as an option.
Change-Id: Ib68a1e82733a51053a9adc80ac501b6205c6b8a7
Signed-off-by: Vladimir Serbinenko <phcoder at gmail.com>
---
src/southbridge/intel/bd82x6x/Kconfig | 25 +++++++++++++++++++++++--
src/southbridge/intel/bd82x6x/finalize.c | 17 ++++++++++-------
2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 8c51520..8a832aa 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -151,9 +151,19 @@ config LOCK_MANAGEMENT_ENGINE
If unsure, say N.
-config LOCK_SPI_ON_RESUME
+endif
+
+if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
+
+choice
+ prompt "Flash ROM locking on S3 resume"
+ default LOCK_SPI_ON_RESUME_NONE
+
+config LOCK_SPI_ON_RESUME_NONE
+ bool "Don't lock ROM sections on S3 resume"
+
+config LOCK_SPI_ON_RESUME_RO
bool "Lock all flash ROM sections on S3 resume"
- default n
help
If the flash ROM shall be protected against write accesses from the
operating system (OS), the locking procedure has to be repeated after
@@ -161,4 +171,15 @@ config LOCK_SPI_ON_RESUME
ROM from within your OS. Notice: Even with this option, the write lock
has still to be enabled on the normal boot path (e.g. by the payload).
+config LOCK_SPI_ON_RESUME_NO_ACCESS
+ bool "Lock and disable reads all flash ROM sections on S3 resume"
+ help
+ If the flash ROM shall be protected against all accesses from the
+ operating system (OS), the locking procedure has to be repeated after
+ each resume from S3. Select this if you never want to update the flash
+ ROM from within your OS. Notice: Even with this option, the lock
+ has still to be enabled on the normal boot path (e.g. by the payload).
+
+endchoice
+
endif
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index ad2586c..df7b070 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -25,13 +25,16 @@
void intel_pch_finalize_smm(void)
{
-#if CONFIG_LOCK_SPI_ON_RESUME
- /* Copy flash regions from FREG0-4 to PR0-4
- and enable write protection bit31 */
- int i;
- for (i = 0; i < 20; i += 4)
- RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31);
-#endif
+ if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+ /* Copy flash regions from FREG0-4 to PR0-4
+ and enable write protection bit31 */
+ int i;
+ u32 lockmask = (1 << 31);
+ if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+ lockmask |= (1 << 15);
+ for (i = 0; i < 20; i += 4)
+ RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
+ }
/* Set SPI opcode menu */
RCBA16(0x3894) = SPI_OPPREFIX;
More information about the coreboot-gerrit
mailing list