[coreboot-gerrit] Change in coreboot[master]: sb/intel/bd82x6x: Revise flash ROM lockdown options

Nico Huber (Code Review) gerrit at coreboot.org
Fri Sep 1 23:32:20 CEST 2017 

Nico Huber has uploaded this change for review. ( https://review.coreboot.org/21327


Change subject: sb/intel/bd82x6x: Revise flash ROM lockdown options
......................................................................

sb/intel/bd82x6x: Revise flash ROM lockdown options

The original options were named and described under the false assumption
that the chipset lockdown would only be executed during S3 resume. Fix
that.

Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95
Signed-off-by: Nico Huber <nico.h at gmx.de>
---
M src/southbridge/intel/bd82x6x/Kconfig
M src/southbridge/intel/bd82x6x/finalize.c
2 files changed, 33 insertions(+), 20 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/21327/1

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 9eb3111..fcaa139 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -75,29 +75,41 @@
 if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
 
 choice
-	prompt "Flash ROM locking on S3 resume"
-	default LOCK_SPI_ON_RESUME_NONE
+	prompt "Flash ROM locking during chipset lockdown"
+	default LOCK_SPI_FLASH_NONE
 
-config LOCK_SPI_ON_RESUME_NONE
-	bool "Don't lock ROM sections on S3 resume"
+config LOCK_SPI_FLASH_NONE
+	bool "Don't lock ROM sections"
 
-config LOCK_SPI_ON_RESUME_RO
-	bool "Lock all flash ROM sections on S3 resume"
+config LOCK_SPI_FLASH_RO
+	bool "Lock all flash ROM sections"
 	help
-	  If the flash ROM shall be protected against write accesses from the
-	  operating system (OS), the locking procedure has to be repeated after
-	  each resume from S3. Select this if you never want to update the flash
-	  ROM from within your OS. Notice: Even with this option, the write lock
-	  has still to be enabled on the normal boot path (e.g. by the payload).
+	  Select this if you want to write-protect the whole firmware flash
+	  chip. The locking will take place during the chipset lockdown, which
+	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
+	  or has to be triggered later (e.g. by the payload or the OS).
 
-config LOCK_SPI_ON_RESUME_NO_ACCESS
-	bool "Lock and disable reads all flash ROM sections on S3 resume"
+		NOTE: If you trigger the chipset lockdown unconditionally,
+		you won't be able to write to the flash chip using the
+		internal programmer any more.
+
+#' fix syntax highlighting
+
+config LOCK_SPI_FLASH_NO_ACCESS
+	bool "Lock and disable reads for all flash ROM sections"
 	help
-	  If the flash ROM shall be protected against all accesses from the
-	  operating system (OS), the locking procedure has to be repeated after
-	  each resume from S3. Select this if you never want to update the flash
-	  ROM from within your OS. Notice: Even with this option, the lock
-	  has still to be enabled on the normal boot path (e.g. by the payload).
+	  Select this if you want to protect the firmware flash against all
+	  further accesses (with the exception of the memory mapped BIOS re-
+	  gion which is always readable). The locking will take place during
+	  the chipset lockdown, which is either triggered by coreboot (when
+	  INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
+	  by the payload or the OS).
+
+		NOTE: If you trigger the chipset lockdown unconditionally,
+		you won't be able to write to the flash chip using the
+		internal programmer any more.
+
+#' fix syntax highlighting
 
 endchoice
 
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index a9cfa38..fe28af0 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -25,12 +25,13 @@
 	u16 tco1_cnt;
 	u16 pmbase;
 
-	if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+	if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) ||
+	    IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) {
 		/* Copy flash regions from FREG0-4 to PR0-4
 		   and enable write protection bit31 */
 		int i;
 		u32 lockmask = (1 << 31);
-		if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+		if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS))
 			lockmask |= (1 << 15);
 		for (i = 0; i < 20; i += 4)
 			RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;

-- 
To view, visit https://review.coreboot.org/21327
To unsubscribe, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95
Gerrit-Change-Number: 21327
Gerrit-PatchSet: 1
Gerrit-Owner: Nico Huber <nico.h at gmx.de>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20170901/cf401cfc/attachment.html>

More information about the coreboot-gerrit mailing list