[coreboot-gerrit] Change in coreboot[master]: ifdtool: Port the feature to jail ME from me_cleaner

Bill XIE (Code Review) gerrit at coreboot.org
Wed Sep 20 03:54:29 CEST 2017 

Bill XIE has uploaded this change for review. ( https://review.coreboot.org/21607


Change subject: ifdtool: Port the feature to jail ME from me_cleaner
......................................................................

ifdtool: Port the feature to jail ME from me_cleaner

port the feature to "remove the ME/TXE Read/Write permissions
 to the other regions (-d)" of
 me_cleaner (https://github.com/corna/me_cleaner/) here.

Change-Id: I00533f4e2569c4763fbfc302bb460db1e60e5564
Signed-off-by: Bill XIE <persmule at gmail.com>
---
M util/ifdtool/ifdtool.c
1 file changed, 31 insertions(+), 9 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/07/21607/1

diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c
index dfdf547..86094b3 100644
--- a/util/ifdtool/ifdtool.c
+++ b/util/ifdtool/ifdtool.c
@@ -787,7 +787,7 @@
 	write_image(filename, image, size);
 }
 
-static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd)
+static void fmba_toggle_permission(fmba_t *fmba, bool lock_fd, bool jail_me)
 {
 	int wr_shift, rd_shift;
 	/* TODO: Dynamically take Platform Data Region and GbE Region
@@ -850,15 +850,25 @@
 			 */
 			fmba->flmstr1 = 0xffffff00 |
 				(fmba->flmstr1 & 0xff);
-
-			fmba->flmstr2 = 0xffffff00 |
-				(fmba->flmstr2 & 0xff);
-
+			if (jail_me) {
+				fmba->flmstr2 &= 0xff;
+				/* ME can read ME. */
+				fmba->flmstr2 |= 0x4 << rd_shift;
+				/* ME can write ME. */
+				fmba->flmstr2 |= 0x4 << wr_shift;
+			} else {
+				fmba->flmstr2 = 0xffffff00 |
+					(fmba->flmstr2 & 0xff);
+			}
 			fmba->flmstr3 = 0xffffff00 |
 				(fmba->flmstr3 & 0xff);
 		} else {
 			fmba->flmstr1 = 0xffff0000;
-			fmba->flmstr2 = 0xffff0000;
+			if (jail_me) {
+				fmba->flmstr2 = 0x04040000;
+			} else {
+				fmba->flmstr2 = 0xffff0000;
+			}
 			/* Keep chipset specific Requester ID */
 			fmba->flmstr3 = 0x08080000 |
 				(fmba->flmstr3 & 0xffff);
@@ -1133,6 +1143,9 @@
 	       "                                      Dual Output Fast Read Support\n"
 	       "   -l | --lock                        Lock firmware descriptor and ME region\n"
 	       "   -u | --unlock                      Unlock firmware descriptor and ME region\n"
+	       "   -j | --jail                        Unlock firmware descriptor and ME region,\n"
+	       "                                      and remove the ME/TXE's Read/Write permissions\n"
+	       "                                      to the other regions\n"
 	       "   -p | --platform                    Add platform-specific quirks\n"
 	       "                                      aplk - Apollo Lake\n"
 	       "   -v | --version:                    print the version\n"
@@ -1145,7 +1158,7 @@
 {
 	int opt, option_index = 0;
 	int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;
-	int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0;
+	int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0, mode_jail = 0;
 	int mode_layout = 0, mode_newlayout = 0, mode_density = 0;
 	char *region_type_string = NULL, *region_fname = NULL;
 	const char *layout_fname = NULL;
@@ -1165,13 +1178,14 @@
 		{"em100", 0, NULL, 'e'},
 		{"lock", 0, NULL, 'l'},
 		{"unlock", 0, NULL, 'u'},
+		{"jail", 0, NULL, 'j'},
 		{"version", 0, NULL, 'v'},
 		{"help", 0, NULL, 'h'},
 		{"platform", 0, NULL, 'p'},
 		{0, 0, 0, 0}
 	};
 
-	while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:eluvh?",
+	while ((opt = getopt_long(argc, argv, "df:D:C:xi:n:s:p:elujvh?",
 				  long_options, &option_index)) != EOF) {
 		switch (opt) {
 		case 'd':
@@ -1322,6 +1336,14 @@
 				exit(EXIT_FAILURE);
 			}
 			break;
+		case 'j':
+			mode_unlocked = 1;
+			mode_jail = 1;
+			if (mode_locked == 1) {
+				fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");
+				exit(EXIT_FAILURE);
+			}
+			break;
 		case 'p':
 			if (!strcmp(optarg, "aplk")) {
 				platform = PLATFORM_APOLLOLAKE;
@@ -1422,7 +1444,7 @@
 
 	if (mode_locked || mode_unlocked) {
 		fmba_t *fmba = find_fmba(image, size);
-		fmba_toggle_permission(fmba, mode_locked);
+		fmba_toggle_permission(fmba, mode_locked, mode_jail);
 		write_image(filename, image, size);
 	}
 

-- 
To view, visit https://review.coreboot.org/21607
To unsubscribe, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I00533f4e2569c4763fbfc302bb460db1e60e5564
Gerrit-Change-Number: 21607
Gerrit-PatchSet: 1
Gerrit-Owner: Bill XIE <persmule at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20170920/9d44e9af/attachment.html>

More information about the coreboot-gerrit mailing list