[coreboot-gerrit] Change in ...coreboot[master]: sb/intel/lynxpoint: Allow the flash chip to be write-protected

Tristan Corrick (Code Review) gerrit at coreboot.org
Fri Nov 30 11:14:36 CET 2018


Tristan Corrick has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/29977 )


Change subject: sb/intel/lynxpoint: Allow the flash chip to be write-protected
......................................................................

sb/intel/lynxpoint: Allow the flash chip to be write-protected

This patch is based on the bd82x6x code. Lynx Point uses the same
register locations and layout for flash protection.

Tested on an ASRock H81M-HDS. When write-protection is configured,
flashrom reports all flash regions as read-only, and does not manage
to alter the contents of the flash chip.

Change-Id: I781082b1ed507b00815d1e85aec3e56ae5a4bef2
Signed-off-by: Tristan Corrick <tristan at corrick.kiwi>
---
M src/southbridge/intel/lynxpoint/Kconfig
M src/southbridge/intel/lynxpoint/finalize.c
2 files changed, 21 insertions(+), 0 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/29977/1

diff --git a/src/southbridge/intel/lynxpoint/Kconfig b/src/southbridge/intel/lynxpoint/Kconfig
index 5b06c4b..0690972 100644
--- a/src/southbridge/intel/lynxpoint/Kconfig
+++ b/src/southbridge/intel/lynxpoint/Kconfig
@@ -59,6 +59,20 @@
 	  If you set this option to y, the serial IRQ machine will be
 	  operated in continuous mode.
 
+config SPI_FLASH_WRITE_PROTECT
+	bool "Write-protect the SPI flash during chipset lockdown"
+	help
+	  Select this if you want the entire firmware flash chip to be
+	  write-protected during chipset lockdown. This can provide a
+	  security benefit, as malware will not be able to write to the
+	  flash chip. However, it is important to note that ALL writes
+	  and erases are blocked, so you will not be able to update
+	  coreboot using flashrom's internal programmer.
+
+	  If you have configured coreboot not to run the chipset lockdown
+	  (see `INTEL_CHIPSET_LOCKDOWN`), then the payload must initiate
+	  the lockdown in order for this setting to take effect.
+
 config ME_MBP_CLEAR_LATE
 	bool "Defer wait for ME MBP Cleared"
 	default y
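Review bot: The help text promises that "the entire firmware flash chip" is write-protected, but the accompanying finalize.c change derives the protection from the five SPIBAR region registers at 0x54..0x64, so any part of the chip not covered by a descriptor-defined region stays writable; the commit message's wording ("all flash regions" read-only) is the accurate one and the help text should match it, e.g. "all flash regions defined in the descriptor". The help also mentions that the payload must initiate lockdown when `INTEL_CHIPSET_LOCKDOWN` is off, which is useful; consider also stating explicitly that a user who later needs a firmware update must use an external programmer, since the option has no `default` line and will otherwise be discovered only after the internal flashrom path is already blocked.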
diff --git a/src/southbridge/intel/lynxpoint/finalize.c b/src/southbridge/intel/lynxpoint/finalize.c
index 590a245..3971874 100644
--- a/src/southbridge/intel/lynxpoint/finalize.c
+++ b/src/southbridge/intel/lynxpoint/finalize.c
@@ -32,6 +32,13 @@
 	RCBA32(0x3898) = SPI_OPMENU_LOWER;
 	RCBA32(0x389c) = SPI_OPMENU_UPPER;
 
+	if (IS_ENABLED(CONFIG_SPI_FLASH_WRITE_PROTECT)) {
+		int i;
+		for (i = 0; i <= 4; i++)
+			SPIBAR32(0x74 + i * 4) =
+				SPIBAR32(0x54 + i * 4) | (1UL << 31);
+	}
+
 	/* Lock SPIBAR */
 	RCBA32_OR(0x3804, (1 << 15));
 
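Review bot: The loop uses bare magic numbers (0x54, 0x74, bit 31) with no comment or names, so a reader cannot tell from the hunk that each iteration copies a region base/limit register into the matching protected-range register and sets its write-protect bit; please either add `#define`s for the two register bases and the write-protect bit, as the bd82x6x code this is based on does, or at least a one-line comment above the loop. The bound `i <= 4` also reads like an off-by-one at first glance; `for (int i = 0; i < 5; i++)` with a named constant for the number of regions would be clearer and drops the separate `int i;` declaration. The ordering is correct: the protected-range writes precede the `RCBA32_OR(0x3804, (1 << 15))` lock, after which they could no longer be applied.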

-- 
To view, visit https://review.coreboot.org/c/coreboot/+/29977
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I781082b1ed507b00815d1e85aec3e56ae5a4bef2
Gerrit-Change-Number: 29977
Gerrit-PatchSet: 1
Gerrit-Owner: Tristan Corrick <tristan at corrick.kiwi>
Gerrit-MessageType: newchange