[coreboot-gerrit] Change in coreboot[master]: soc/intel/denverton_ns: Lock SPIBAR

Julien Viard de Galbert (Code Review) gerrit at coreboot.org
Thu Mar 29 15:08:03 CEST 2018


Julien Viard de Galbert has uploaded this change for review. ( https://review.coreboot.org/25441 )


Change subject: soc/intel/denverton_ns: Lock SPIBAR
......................................................................

soc/intel/denverton_ns: Lock SPIBAR

Allow flash access when "Security Override" is set.
Don't lock when relax_security is set.

Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9
Signed-off-by: Julien Viard de Galbert <jviarddegalbert at online.net>
---
M src/soc/intel/common/block/fast_spi/fast_spi_def.h
M src/soc/intel/denverton_ns/lpc.c
2 files changed, 58 insertions(+), 1 deletion(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/41/25441/1

diff --git a/src/soc/intel/common/block/fast_spi/fast_spi_def.h b/src/soc/intel/common/block/fast_spi/fast_spi_def.h
index a389e34..324006d 100644
--- a/src/soc/intel/common/block/fast_spi/fast_spi_def.h
+++ b/src/soc/intel/common/block/fast_spi/fast_spi_def.h
@@ -37,7 +37,7 @@
 #define SPIBAR_DLOCK			0x0c
 #define SPIBAR_FDATA(n)			(0x10 + ((n) & 0xf) * 4)
 #define SPIBAR_FPR_BASE			0x84
-#define SPIBAR_FPR(n)			0x84 + (4 * n))
+#define SPIBAR_FPR(n)			(0x84 + (4 * n))
 #define SPIBAR_PREOP			0xA4
 #define SPIBAR_OPTYPE			0xA6
 #define SPIBAR_OPMENU_LOWER		0xA8
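Review bot: The corrected `SPIBAR_FPR(n)` still expands its argument unparenthesized, so a call such as `SPIBAR_FPR(i + 1)` would compute `4 * i + 1` rather than `4 * (i + 1)` and address the wrong protected-range register. Writing it as `#define SPIBAR_FPR(n) (SPIBAR_FPR_BASE + (4 * (n)))` fixes that and reuses the base constant defined on the line above. `SPIBAR_FDATA(n)` in the same hunk already parenthesizes its argument.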
@@ -71,6 +71,7 @@
 #define SPIBAR_HSFSTS_FLOCKDN		(1 << 15)
 #define SPIBAR_HSFSTS_FDV		(1 << 14)
 #define SPIBAR_HSFSTS_FDOPSS		(1 << 13)
+#define SPIBAR_HSFSTS_PRR34_LOCKDN	(1 << 12)
 #define SPIBAR_HSFSTS_WRSDIS		(1 << 11)
 #define SPIBAR_HSFSTS_SAF_CE		(1 << 8)
 #define SPIBAR_HSFSTS_SAF_ACTIVE	(1 << 7)
diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c
index 1ac0961..8f2542a 100644
--- a/src/soc/intel/denverton_ns/lpc.c
+++ b/src/soc/intel/denverton_ns/lpc.c
@@ -2,6 +2,7 @@
  * This file is part of the coreboot project.
  *
  * Copyright (C) 2014 - 2017 Intel Corporation.
+ * Copyright (C) 2018 Online SAS
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -25,6 +26,7 @@
 #include <cpu/x86/smm.h>
 #include <bootstate.h>
 
+#include <fsp/api.h>
 #include <soc/lpc.h>
 #include <soc/pci_devs.h>
 #include <soc/ramstage.h>
@@ -32,6 +34,10 @@
 #include <soc/pcr.h>
 #include <soc/p2sb.h>
 #include <soc/acpi.h>
+#include <fast_spi_def.h>
+#include <intelblocks/fast_spi.h>
+#include <spi_flash.h>
+#include <spi-generic.h>
 
 #include "chip.h"
 
@@ -326,8 +332,58 @@
 	.device = LPC_DEVID,
 };
 
+static void spi_lock_bar(bool relax_security)
+{
+	void *spibar = fast_spi_get_bar();
+	uint32_t reg32, hsfs;
+	/* Check SPIBAR */
+	hsfs = read32(spibar + SPIBAR_HSFSTS_CTL);
+	if (!(hsfs & SPIBAR_HSFSTS_FDOPSS)) {
+		/* When the flash security override strap is set, allow flashrom
+		   to update the flash, this is done by clearing the protection
+		   and locking the configuration to ensure FSP notify will not
+		   change it again */
+		int i;
+		struct device *dev;
+		printk(BIOS_CRIT, "FLASH SECURITY OVERRIDE SET:"
+				  "DISABLE FLASH PROTECTIONS!\n");
+
+		/* disable protections FPR0-4 + GPR0 */
+		for (i = 0; i < 6; i++)
+			write32(spibar + SPIBAR_FPR(i), 0);
+
+		/* Disable WPD and EISS */
+		dev = dev_find_slot(0, PCI_DEVFN(SPI_DEV, SPI_FUNC));
+		if (dev != NULL) {
+			reg32 = pci_read_config32(dev, SPIBAR_BIOS_CONTROL);
+			reg32 &= ~(SPIBAR_BIOS_CONTROL_EISS |
+				   SPIBAR_BIOS_CONTROL_WPD);
+			/* lock to ensure FSP cannot change it */
+			if (!relax_security)
+				reg32 |= SPIBAR_BIOS_CONTROL_LOCK_ENABLE |
+					 SPIBAR_BIOS_CONTROL_BILD;
+			pci_write_config32(dev, SPIBAR_BIOS_CONTROL, reg32);
+		}
+	}
+
+	if (!relax_security) {
+		/* Lock SPIBAR */
+		hsfs |= SPIBAR_HSFSTS_FLOCKDN | SPIBAR_HSFSTS_PRR34_LOCKDN;
+		reg32 = read32(spibar + SPIBAR_DLOCK);
+		reg32 |= 0x11f0f;
+		write32(spibar + SPIBAR_DLOCK, reg32);
+
+		write32(spibar + SPIBAR_HSFSTS_CTL, hsfs);
+	}
+
+}
+
 static void finalize_chipset(void *unused)
 {
+	bool relax_security = fsp_relax_security();
+
+	spi_lock_bar(relax_security);
+
 	printk(BIOS_DEBUG, "Finalizing SMM.\n");
 	outb(APM_CNT_FINALIZE, APM_CNT);
 }
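Review bot: `spi_lock_bar()` has two paths that leave flash less protected without any trace in the log: when `relax_security` is true nothing is locked and nothing is printed, and when `dev_find_slot()` returns NULL in the override branch the FPR registers have already been zeroed but BIOS_CONTROL is neither updated nor locked. Each deserves a message, e.g. `printk(BIOS_WARNING, "relax_security set, SPIBAR left unlocked\n");` and an `else` on the `dev != NULL` test that reports the skipped BIOS_CONTROL write. The comment `/* Disable WPD and EISS */` is also worth rewording: the code clears the WPD bit, and if WPD means write-protect-disable (its definition is not in this diff) clearing it keeps BIOS write protection on rather than removing it. The DLOCK mask `0x11f0f` and the loop bound `6` would read better as named constants in fast_spi_def.h, and the two adjacent string literals in the BIOS_CRIT message concatenate to `SET:DISABLE` with no space.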

-- 
To view, visit https://review.coreboot.org/25441

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6934918d0c70245f03a1642f9a05e0110a205bc9
Gerrit-Change-Number: 25441
Gerrit-PatchSet: 1
Gerrit-Owner: Julien Viard de Galbert <jviarddegalbert at online.net>