[coreboot] New patch to review for filo: a9ae416 FlashROM write protection feature added.

Patrick Georgi (patrick@georgi-clan.de) gerrit at coreboot.org
Tue Feb 12 10:36:53 CET 2013 

Patrick Georgi (patrick at georgi-clan.de) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/2366

-gerrit

commit a9ae4169b4bf670cdf93df4d73978d2c523b239f
Author: Mathias Krause <mathias.krause at secunet.com>
Date:   Thu Jun 3 15:07:00 2010 +0200

    FlashROM write protection feature added.
    
    When you enable the config option FLASHROM_LOCKDOWN the FlashROM will be
    write protected and locked down prior starting the kernel using
    intel_lockdown_flash() per default.
    
    You can disable this behaviour per menu entry by specifying the new
    command 'flashrom_unlock'.
    
    Change-Id: I921c23b348b9bd74c22fa22f4afe75ed728159ce
    Signed-off-by: Patrick Georgi <patrick.georgi at secunet.com>
---
 Config.in             |  9 +++++++++
 include/grub/shared.h |  2 ++
 main/grub/builtins.c  | 22 ++++++++++++++++++++++
 main/grub/grub.c      |  9 +++++++++
 x86/linux_load.c      | 13 +++++++++++++
 5 files changed, 55 insertions(+)

diff --git a/Config.in b/Config.in
index f164ad4..9c165c4 100644
--- a/Config.in
+++ b/Config.in
@@ -184,6 +184,15 @@ config VIA_SOUND
 	default n
 	depends on SUPPORT_SOUND
 
+config FLASHROM_LOCKDOWN
+	bool "FlashROM lockdown"
+	default n
+	help
+	  Enable FlashROM write protections and lock them down prior starting the
+	  kernel. FlashROM lockdown can be disabled per boot entry with the new
+	  command 'flashrom_unlock'.
+	  NOTE: Only supported on selected Intel hardware, ICH7 so far.
+
 endmenu
 
 menu "Filesystems"
diff --git a/include/grub/shared.h b/include/grub/shared.h
index b293f3f..6b97c5a 100644
--- a/include/grub/shared.h
+++ b/include/grub/shared.h
@@ -160,6 +160,8 @@ extern int max_lines;
 extern int count_lines;
 extern int use_pager;
 
+extern int flashrom_lockdown;
+
 /*
  *  Error variables.
  */
diff --git a/main/grub/builtins.c b/main/grub/builtins.c
index e40663b..acb5bf3 100644
--- a/main/grub/builtins.c
+++ b/main/grub/builtins.c
@@ -549,6 +549,25 @@ static struct builtin builtin_find = {
 };
 #endif
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+/* flashrom_unlock */
+/* Disable lockdown of flash ROM on boot */
+static int flashrom_unlock_func(char *arg, int flags)
+{
+	flashrom_lockdown = 0;
+
+	return 0;
+}
+
+static struct builtin builtin_flashrom_unlock = {
+	"flashrom_unlock",
+	flashrom_unlock_func,
+	BUILTIN_CMDLINE | BUILTIN_HELP_LIST,
+	"flashrom_unlock"
+	"Disable lockdown of flash ROM on boot."
+};
+#endif
+
 /* help */
 #define MAX_SHORT_DOC_LEN       39
 #define MAX_LONG_DOC_LEN        66
@@ -1905,6 +1924,9 @@ struct builtin *builtin_table[] = {
 #ifdef CONFIG_EXPERIMENTAL
 	&builtin_find,
 #endif
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+	&builtin_flashrom_unlock,
+#endif
 	&builtin_help,
 	&builtin_hiddenmenu,
 	&builtin_initrd,
diff --git a/main/grub/grub.c b/main/grub/grub.c
index b629435..0a86cd4 100644
--- a/main/grub/grub.c
+++ b/main/grub/grub.c
@@ -43,6 +43,10 @@ char KILL_BUF[KILL_BUFLEN]; /* The kill buffer for the command-line.  */
 char MENU_BUF[MENU_BUFLEN]; /* The buffer for the menu entries.  */
 static char configs[16384];
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+int flashrom_lockdown = 1;
+#endif
+
 int using_grub_interface = 0;
 
 #define ENTER '\r'
@@ -837,6 +841,11 @@ static void run_menu(char *menu_entries, char *config_entries, int num_entries,
 		if (!cur_entry)
 			cur_entry = get_entry(config_entries, first_entry + entryno, 1);
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+		/* per default we want flash ROM lockdown */
+		flashrom_lockdown = 1;
+#endif
+  
 		/* Set CURRENT_ENTRYNO for the command "savedefault".  */
 		current_entryno = first_entry + entryno;
 		if (run_script(cur_entry, heap)) {
diff --git a/x86/linux_load.c b/x86/linux_load.c
index aa2f27e..01e185e 100644
--- a/x86/linux_load.c
+++ b/x86/linux_load.c
@@ -676,6 +676,19 @@ static void hardware_setup(void)
 
 	outb(0xFF, 0xA1);	/* mask off all interrupts for now */
 	outb(0xFB, 0x21);	/* mask all irq's but irq2 which is cascaded */
+
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+	/* lockdown flashROM */
+	extern int flashrom_lockdown;
+	extern void intel_lockdown_flash();
+
+	if (flashrom_lockdown) {
+		printf("Locking FlashROM...\n");
+		intel_lockdown_flash();
+	} else {
+		printf("Leaving FlashROM unlocked...\n");
+	}
+#endif
 }
 
 /* Start Linux */

More information about the coreboot mailing list