[coreboot-gerrit] Change in coreboot[master]: sb/intel/bd82x6x: Revise flash ROM lockdown options
Nico Huber (Code Review)
gerrit at coreboot.org
Fri Sep 1 23:32:20 CEST 2017
Nico Huber has uploaded this change for review. ( https://review.coreboot.org/21327
Change subject: sb/intel/bd82x6x: Revise flash ROM lockdown options
......................................................................
sb/intel/bd82x6x: Revise flash ROM lockdown options
The original options were named and described under the false assumption
that the chipset lockdown would only be executed during S3 resume. Fix
that.
Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95
Signed-off-by: Nico Huber <nico.h at gmx.de>
---
M src/southbridge/intel/bd82x6x/Kconfig
M src/southbridge/intel/bd82x6x/finalize.c
2 files changed, 33 insertions(+), 20 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/27/21327/1
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 9eb3111..fcaa139 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -75,29 +75,41 @@
if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
choice
- prompt "Flash ROM locking on S3 resume"
- default LOCK_SPI_ON_RESUME_NONE
+ prompt "Flash ROM locking during chipset lockdown"
+ default LOCK_SPI_FLASH_NONE
-config LOCK_SPI_ON_RESUME_NONE
- bool "Don't lock ROM sections on S3 resume"
+config LOCK_SPI_FLASH_NONE
+ bool "Don't lock ROM sections"
-config LOCK_SPI_ON_RESUME_RO
- bool "Lock all flash ROM sections on S3 resume"
+config LOCK_SPI_FLASH_RO
+ bool "Lock all flash ROM sections"
help
- If the flash ROM shall be protected against write accesses from the
- operating system (OS), the locking procedure has to be repeated after
- each resume from S3. Select this if you never want to update the flash
- ROM from within your OS. Notice: Even with this option, the write lock
- has still to be enabled on the normal boot path (e.g. by the payload).
+ Select this if you want to write-protect the whole firmware flash
+ chip. The locking will take place during the chipset lockdown, which
+ is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
+ or has to be triggered later (e.g. by the payload or the OS).
-config LOCK_SPI_ON_RESUME_NO_ACCESS
- bool "Lock and disable reads all flash ROM sections on S3 resume"
+ NOTE: If you trigger the chipset lockdown unconditionally,
+ you won't be able to write to the flash chip using the
+ internal programmer any more.
+
+#' fix syntax highlighting
+
+config LOCK_SPI_FLASH_NO_ACCESS
+ bool "Lock and disable reads for all flash ROM sections"
help
- If the flash ROM shall be protected against all accesses from the
- operating system (OS), the locking procedure has to be repeated after
- each resume from S3. Select this if you never want to update the flash
- ROM from within your OS. Notice: Even with this option, the lock
- has still to be enabled on the normal boot path (e.g. by the payload).
+ Select this if you want to protect the firmware flash against all
+ further accesses (with the exception of the memory mapped BIOS re-
+ gion which is always readable). The locking will take place during
+ the chipset lockdown, which is either triggered by coreboot (when
+ INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
+ by the payload or the OS).
+
+ NOTE: If you trigger the chipset lockdown unconditionally,
+ you won't be able to write to the flash chip using the
+ internal programmer any more.
+
+#' fix syntax highlighting
endchoice
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index a9cfa38..fe28af0 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -25,12 +25,13 @@
u16 tco1_cnt;
u16 pmbase;
- if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) ||
+ IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) {
/* Copy flash regions from FREG0-4 to PR0-4
and enable write protection bit31 */
int i;
u32 lockmask = (1 << 31);
- if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS))
lockmask |= (1 << 15);
for (i = 0; i < 20; i += 4)
RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
--
To view, visit https://review.coreboot.org/21327
To unsubscribe, visit https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95
Gerrit-Change-Number: 21327
Gerrit-PatchSet: 1
Gerrit-Owner: Nico Huber <nico.h at gmx.de>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20170901/cf401cfc/attachment.html>
More information about the coreboot-gerrit
mailing list