[coreboot-gerrit] Change in coreboot[master]: soc/intel/skylake: Skip Spi Flash Lockdown from FSP

Barnali Sarkar (Code Review) gerrit at coreboot.org
Fri Jul 21 11:59:27 CEST 2017


Barnali Sarkar has uploaded this change for review. ( https://review.coreboot.org/20645 )


Change subject: soc/intel/skylake: Skip Spi Flash Lockdown from FSP
......................................................................

soc/intel/skylake: Skip Spi Flash Lockdown from FSP

Coreboot was setting the SPI FPR register to protect the
mrc_cache data range stored in flash. This programming was being done
after FSP Notify 1.
But FSP was locking the SPI by setting the FLOCKDN bit during Notify
phase 1, due to which coreboot was unable to protect that range.

As a solution, FSP introduced a new UPD "SpiFlashCfgLockDown" to skip
the lockdown of flash in the interest of the bootloader.
Set that UPD to "0" to skip the lockdown of FAST_SPI flash from FSP.

The same is being done from Coreboot after End of Post in the finalize.c
file.

BUG=63049493
BRANCH=none
TEST=FPR can be set properly to protect the mrc_cache range. The
issue reported in the bug doesn't occur when both software and
hardware WP are enabled with this patch.

Change-Id: I3ffca2f1b05ab2e4ef631275ef7c3a6e23e393aa
Signed-off-by: Barnali Sarkar <barnali.sarkar at intel.com>
---
M src/soc/intel/skylake/chip_fsp20.c
1 file changed, 8 insertions(+), 0 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/45/20645/1

diff --git a/src/soc/intel/skylake/chip_fsp20.c b/src/soc/intel/skylake/chip_fsp20.c
index 8a7cb21..f66046f 100644
--- a/src/soc/intel/skylake/chip_fsp20.c
+++ b/src/soc/intel/skylake/chip_fsp20.c
@@ -239,6 +239,14 @@
 	dev = dev_find_slot(0, PCH_DEVFN_SPI);
 	params->ShowSpiController = dev->enabled;
 
+	/* Skip Spi Flash Lockdown from inside FSP.
+	 * Making this config "0" means FSP wont set the FLOCKDN bit of
+	 * SPIBAR + 0x04 (i.e., Bit 15 of BIOS_HSFSTS_CTL).
+	 * So, it becomes Coreboot's responsibility to set this bit before
+	 * End of POST for security concerns.
+	 */
+	params->SpiFlashCfgLockDown = 0;
+
 	/*
 	 * Send VR specific mailbox commands:
 	 * 000b - no VR specific command sent
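
Review bot: The new comment above `params->SpiFlashCfgLockDown = 0;` says coreboot must set FLOCKDN before End of POST, but it does not name where that happens, and this change touches only chip_fsp20.c, so the lock cannot be confirmed from the patch itself. The commit message says the lockdown is done in finalize.c; name that file or function in the comment so a reader can check that every boot path reaches it, since the UPD is cleared unconditionally here and a path that skips the later step would leave the SPI flash registers unlocked. Minor style points: "wont" should be "won't", and the comment should open with `/*` on its own line to match the block comment that follows it.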

-- 
To view, visit https://review.coreboot.org/20645

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3ffca2f1b05ab2e4ef631275ef7c3a6e23e393aa
Gerrit-Change-Number: 20645
Gerrit-PatchSet: 1
Gerrit-Owner: Barnali Sarkar <barnali.sarkar at intel.com>
Gerrit-Reviewer: Balaji Manigandan <balaji.manigandan at intel.com>
Gerrit-Reviewer: Subrata Banik <subrata.banik at intel.com>