[coreboot] Patch set updated for coreboot: 2937b8e ifdtool: Add locking/unlocking and dumping of access permissions

Stefan Reinauer (stefan.reinauer@coreboot.org) gerrit at coreboot.org
Wed Nov 7 20:04:25 CET 2012


Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/1755

-gerrit

commit 2937b8e8c08c5e37921916ae6a2deadff2c06c68
Author: Stefan Reinauer <reinauer at chromium.org>
Date:   Wed Sep 26 17:33:39 2012 -0700

    ifdtool: Add locking/unlocking and dumping of access permissions
    
    ifdtool will now dump access permissions of system comonents to
    certain IFD sections:
    
    Found Master Section
    FLMSTR1:   0xffff0000 (Host CPU/BIOS)
      Platform Data Region Write Access: enabled
      GbE Region Write Access:           enabled
      Intel ME Region Write Access:      enabled
      Host CPU/BIOS Region Write Access: enabled
      Flash Descriptor Write Access:     enabled
      Platform Data Region Read Access:  enabled
      GbE Region Read Access:            enabled
      Intel ME Region Read Access:       enabled
      Host CPU/BIOS Region Read Access:  enabled
      Flash Descriptor Read Access:      enabled
      Requester ID:                      0x0000
    
    FLMSTR2:   0x0c0d0000 (Intel ME)
      Platform Data Region Write Access: disabled
      GbE Region Write Access:           enabled
      Intel ME Region Write Access:      enabled
      Host CPU/BIOS Region Write Access: disabled
      Flash Descriptor Write Access:     disabled
      Platform Data Region Read Access:  disabled
      GbE Region Read Access:            enabled
      Intel ME Region Read Access:       enabled
      Host CPU/BIOS Region Read Access:  disabled
      Flash Descriptor Read Access:      enabled
      Requester ID:                      0x0000
    
    FLMSTR3:   0x08080118 (GbE)
      Platform Data Region Write Access: disabled
      GbE Region Write Access:           enabled
      Intel ME Region Write Access:      disabled
      Host CPU/BIOS Region Write Access: disabled
      Flash Descriptor Write Access:     disabled
      Platform Data Region Read Access:  disabled
      GbE Region Read Access:            enabled
      Intel ME Region Read Access:       disabled
      Host CPU/BIOS Region Read Access:  disabled
      Flash Descriptor Read Access:      disabled
      Requester ID:                      0x0118
    
    Also, ifdtool -u /path/to/image will unlock the host's
    access to the firmware descriptor and ME region.
    ifdtool -l /path/to/image will lock down the host's
    access to the firmware descriptor and ME region.
    
    Change-Id: I3e081b80a9bcb398772416f143b794bf307b1c36
    Signed-off-by: Stefan Reinauer <reinauer at google.com>
---
 util/ifdtool/ifdtool.c | 108 +++++++++++++++++++++++++++++++++++++++++++------
 util/ifdtool/ifdtool.h |   2 +-
 2 files changed, 96 insertions(+), 14 deletions(-)

diff --git a/util/ifdtool/ifdtool.c b/util/ifdtool/ifdtool.c
index 1a8bf85..7655fd4 100644
--- a/util/ifdtool/ifdtool.c
+++ b/util/ifdtool/ifdtool.c
@@ -200,12 +200,12 @@ static void dump_fcba(fcba_t * fcba)
 	decode_component_density(fcba->flcomp & 7);
 	printf("\n");
 	printf("FLILL      0x%08x\n", fcba->flill);
-	printf("FLPB       0x%08x\n", fcba->flpb);
+	printf("FLPB       0x%08x\n\n", fcba->flpb);
 }
 
 static void dump_fpsba(fpsba_t * fpsba)
 {
-	printf("\nFound PCH Strap Section\n");
+	printf("Found PCH Strap Section\n");
 	printf("PCHSTRP0:  0x%08x\n", fpsba->pchstrp0);
 	printf("PCHSTRP1:  0x%08x\n", fpsba->pchstrp1);
 	printf("PCHSTRP2:  0x%08x\n", fpsba->pchstrp2);
@@ -221,20 +221,51 @@ static void dump_fpsba(fpsba_t * fpsba)
 	printf("PCHSTRP12: 0x%08x\n", fpsba->pchstrp12);
 	printf("PCHSTRP13: 0x%08x\n", fpsba->pchstrp13);
 	printf("PCHSTRP14: 0x%08x\n", fpsba->pchstrp14);
-	printf("PCHSTRP15: 0x%08x\n", fpsba->pchstrp15);
+	printf("PCHSTRP15: 0x%08x\n\n", fpsba->pchstrp15);
+}
+
+static void decode_flmstr(uint32_t flmstr)
+{
+	printf("  Platform Data Region Write Access: %s\n",
+		(flmstr & (1 << 28)) ? "enabled" : "disabled");
+	printf("  GbE Region Write Access:           %s\n",
+		(flmstr & (1 << 27)) ? "enabled" : "disabled");
+	printf("  Intel ME Region Write Access:      %s\n",
+		(flmstr & (1 << 26)) ? "enabled" : "disabled");
+	printf("  Host CPU/BIOS Region Write Access: %s\n",
+		(flmstr & (1 << 25)) ? "enabled" : "disabled");
+	printf("  Flash Descriptor Write Access:     %s\n",
+		(flmstr & (1 << 24)) ? "enabled" : "disabled");
+
+	printf("  Platform Data Region Read Access:  %s\n",
+		(flmstr & (1 << 20)) ? "enabled" : "disabled");
+	printf("  GbE Region Read Access:            %s\n",
+		(flmstr & (1 << 19)) ? "enabled" : "disabled");
+	printf("  Intel ME Region Read Access:       %s\n",
+		(flmstr & (1 << 18)) ? "enabled" : "disabled");
+	printf("  Host CPU/BIOS Region Read Access:  %s\n",
+		(flmstr & (1 << 17)) ? "enabled" : "disabled");
+	printf("  Flash Descriptor Read Access:      %s\n",
+		(flmstr & (1 << 16)) ? "enabled" : "disabled");
+
+	printf("  Requester ID:                      0x%04x\n\n",
+		flmstr & 0xffff);
 }
 
 static void dump_fmba(fmba_t * fmba)
 {
-	printf("\nFound Master Section\n");
-	printf("FLMSTR1:   0x%08x\n", fmba->flmstr1);
-	printf("FLMSTR2:   0x%08x\n", fmba->flmstr2);
-	printf("FLMSTR3:   0x%08x\n", fmba->flmstr3);
+	printf("Found Master Section\n");
+	printf("FLMSTR1:   0x%08x (Host CPU/BIOS)\n", fmba->flmstr1);
+	decode_flmstr(fmba->flmstr1);
+	printf("FLMSTR2:   0x%08x (Intel ME)\n", fmba->flmstr2);
+	decode_flmstr(fmba->flmstr2);
+	printf("FLMSTR3:   0x%08x (GbE)\n", fmba->flmstr3);
+	decode_flmstr(fmba->flmstr3);
 }
 
 static void dump_fmsba(fmsba_t * fmsba)
 {
-	printf("\nFound Processor Strap Section\n");
+	printf("Found Processor Strap Section\n");
 	printf("????:      0x%08x\n", fmsba->data[0]);
 	printf("????:      0x%08x\n", fmsba->data[1]);
 	printf("????:      0x%08x\n", fmsba->data[2]);
@@ -348,6 +379,31 @@ static void set_em100_mode(char *filename, char *image, int size)
 	set_spi_frequency(filename, image, size, SPI_FREQUENCY_20MHZ);
 }
 
+static void lock_descriptor(char *filename, char *image, int size)
+{
+	fdbar_t *fdb = find_fd(image, size);
+	fmba_t *fmba = (fmba_t *) (image + (((fdb->flmap1) & 0xff) << 4));
+	/* TODO: Dynamically take Platform Data Region and GbE Region
+	 * into regard.
+	 */
+	fmba->flmstr1 = 0x0a0b0000;
+	fmba->flmstr2 = 0x0c0d0000;
+	fmba->flmstr3 = 0x08080118;
+
+	write_image(filename, image, size);
+}
+
+static void unlock_descriptor(char *filename, char *image, int size)
+{
+	fdbar_t *fdb = find_fd(image, size);
+	fmba_t *fmba = (fmba_t *) (image + (((fdb->flmap1) & 0xff) << 4));
+	fmba->flmstr1 = 0xffff0000;
+	fmba->flmstr2 = 0xffff0000;
+	fmba->flmstr3 = 0x08080118;
+
+	write_image(filename, image, size);
+}
+
 void inject_region(char *filename, char *image, int size, int region_type,
 		   char *region_fname)
 {
@@ -442,6 +498,8 @@ static void print_usage(const char *name)
 	       "   -s | --spifreq <20|33|50>         set the SPI frequency\n"
 	       "   -e | --em100                      set SPI frequency to 20MHz and disable\n"
 	       "                                     Dual Output Fast Read Support\n"
+	       "   -l | --lock                       Lock firmware descriptor and ME region\n"
+	       "   -u | --unlock                     Unlock firmware descriptor and ME region\n"
 	       "   -v | --version:                   print the version\n"
 	       "   -h | --help:                      print this help\n\n"
 	       "<region> is one of Descriptor, BIOS, ME, GbE, Platform\n"
@@ -452,7 +510,7 @@ int main(int argc, char *argv[])
 {
 	int opt, option_index = 0;
 	int mode_dump = 0, mode_extract = 0, mode_inject = 0, mode_spifreq = 0;
-	int mode_em100 = 0;
+	int mode_em100 = 0, mode_locked = 0, mode_unlocked = 0;
 	char *region_type_string = NULL, *region_fname = NULL;
 	int region_type = -1, inputfreq = 0;
 	enum spi_frequency spifreq = SPI_FREQUENCY_20MHZ;
@@ -463,12 +521,14 @@ int main(int argc, char *argv[])
 		{"inject", 1, NULL, 'i'},
 		{"spifreq", 1, NULL, 's'},
 		{"em100", 0, NULL, 'e'},
+		{"lock", 0, NULL, 'l'},
+		{"unlock", 0, NULL, 'u'},
 		{"version", 0, NULL, 'v'},
 		{"help", 0, NULL, 'h'},
 		{0, 0, 0, 0}
 	};
 
-	while ((opt = getopt_long(argc, argv, "dxi:s:evh?",
+	while ((opt = getopt_long(argc, argv, "dxi:s:eluvh?",
 				  long_options, &option_index)) != EOF) {
 		switch (opt) {
 		case 'd':
@@ -531,6 +591,20 @@ int main(int argc, char *argv[])
 		case 'e':
 			mode_em100 = 1;
 			break;
+		case 'l':
+			mode_locked = 1;
+			if (mode_unlocked == 1) {
+				fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");
+				exit(EXIT_FAILURE);
+			}
+			break;
+		case 'u':
+			mode_unlocked = 1;
+			if (mode_locked == 1) {
+				fprintf(stderr, "Locking/Unlocking FD and ME are mutually exclusive\n");
+				exit(EXIT_FAILURE);
+			}
+			break;
 		case 'v':
 			print_version();
 			exit(EXIT_SUCCESS);
@@ -544,14 +618,16 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if ((mode_dump + mode_extract + mode_inject + mode_spifreq) > 1) {
-		fprintf(stderr, "Only one mode allowed.\n\n");
+	if ((mode_dump + mode_extract + mode_inject +
+		(mode_spifreq | mode_em100 | mode_unlocked |
+		 mode_locked)) > 1) {
+		fprintf(stderr, "You may not specify more than one mode.\n\n");
 		print_usage(argv[0]);
 		exit(EXIT_FAILURE);
 	}
 
 	if ((mode_dump + mode_extract + mode_inject + mode_spifreq +
-	     mode_em100) == 0) {
+	     mode_em100 + mode_locked + mode_unlocked) == 0) {
 		fprintf(stderr, "You need to specify a mode.\n\n");
 		print_usage(argv[0]);
 		exit(EXIT_FAILURE);
@@ -607,6 +683,12 @@ int main(int argc, char *argv[])
 	if (mode_em100)
 		set_em100_mode(filename, image, size);
 
+	if(mode_locked)
+		lock_descriptor(filename, image, size);
+
+	if (mode_unlocked)
+		unlock_descriptor(filename, image, size);
+
 	free(image);
 
 	return 0;
diff --git a/util/ifdtool/ifdtool.h b/util/ifdtool/ifdtool.h
index 31361df..db237a3 100644
--- a/util/ifdtool/ifdtool.h
+++ b/util/ifdtool/ifdtool.h
@@ -18,7 +18,7 @@
  */
 
 #include <stdint.h>
-#define IFDTOOL_VERSION "1.0"
+#define IFDTOOL_VERSION "1.1"
 
 enum spi_frequency {
 	SPI_FREQUENCY_20MHZ = 0,




More information about the coreboot mailing list