authorNico Huber <nico.h@gmx.de>2017-09-01 23:28:14 +0200
committerNico Huber <nico.h@gmx.de>2017-09-22 19:17:49 +0000
commit2ac149d294af795710eb4bb20f093e9920604abd (patch)
tree23f9b07ad2e5e8b2af14aaef8570e999e89a599e
parent7eb0157fca33865783c1cc3c8e5cb2e327e551d7 (diff)
sb/intel/bd82x6x: Revise flash ROM lockdown options
The original options were named and described under the false assumption that the chipset lockdown would only be executed during S3 resume. Fix that. Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95 Signed-off-by: Nico Huber <nico.h@gmx.de> Reviewed-on: https://review.coreboot.org/21327 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Rudolph <siro@das-labor.org>
-rw-r--r--src/southbridge/intel/bd82x6x/Kconfig46
-rw-r--r--src/southbridge/intel/bd82x6x/finalize.c5
2 files changed, 30 insertions, 21 deletions
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 9eb3111661..e3772bab01 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -75,29 +75,37 @@ endif
if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
choice
- prompt "Flash ROM locking on S3 resume"
- default LOCK_SPI_ON_RESUME_NONE
+ prompt "Flash locking during chipset lockdown"
+ default LOCK_SPI_FLASH_NONE
-config LOCK_SPI_ON_RESUME_NONE
- bool "Don't lock ROM sections on S3 resume"
+config LOCK_SPI_FLASH_NONE
+ bool "Don't lock flash sections"
-config LOCK_SPI_ON_RESUME_RO
- bool "Lock all flash ROM sections on S3 resume"
+config LOCK_SPI_FLASH_RO
+ bool "Write-protect all flash sections"
help
- If the flash ROM shall be protected against write accesses from the
- operating system (OS), the locking procedure has to be repeated after
- each resume from S3. Select this if you never want to update the flash
- ROM from within your OS. Notice: Even with this option, the write lock
- has still to be enabled on the normal boot path (e.g. by the payload).
-
-config LOCK_SPI_ON_RESUME_NO_ACCESS
- bool "Lock and disable reads all flash ROM sections on S3 resume"
+ Select this if you want to write-protect the whole firmware flash
+ chip. The locking will take place during the chipset lockdown, which
+ is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
+ or has to be triggered later (e.g. by the payload or the OS).
+
+ NOTE: If you trigger the chipset lockdown unconditionally,
+ you won't be able to write to the flash chip using the
+ internal programmer any more.
+
+config LOCK_SPI_FLASH_NO_ACCESS
+ bool "Write-protect all flash sections and read-protect non-BIOS sections"
help
- If the flash ROM shall be protected against all accesses from the
- operating system (OS), the locking procedure has to be repeated after
- each resume from S3. Select this if you never want to update the flash
- ROM from within your OS. Notice: Even with this option, the lock
- has still to be enabled on the normal boot path (e.g. by the payload).
+ Select this if you want to protect the firmware flash against all
+ further accesses (with the exception of the memory mapped BIOS re-
+ gion which is always readable). The locking will take place during
+ the chipset lockdown, which is either triggered by coreboot (when
+ INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
+ by the payload or the OS).
+
+ NOTE: If you trigger the chipset lockdown unconditionally,
+ you won't be able to write to the flash chip using the
+ internal programmer any more.
endchoice
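Review bot: Renaming the choice symbols from `LOCK_SPI_ON_RESUME_*` to `LOCK_SPI_FLASH_*` while keeping `default LOCK_SPI_FLASH_NONE` means that a saved .config or defconfig still selecting `LOCK_SPI_ON_RESUME_RO` or `LOCK_SPI_ON_RESUME_NO_ACCESS` will presumably fall back to no flash protection on the next build, with no warning. It is worth checking in-tree defconfigs for the old names and mentioning the rename in the commit message or release notes so that users re-select the option. The new help texts could also state the failure case explicitly, for example `If nothing triggers the chipset lockdown, the flash stays unprotected.`, since the protection depends entirely on that later step.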
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index a9cfa38c63..fe28af0385 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -25,12 +25,13 @@ void intel_pch_finalize_smm(void)
u16 tco1_cnt;
u16 pmbase;
- if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) ||
+ IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) {
/* Copy flash regions from FREG0-4 to PR0-4
and enable write protection bit31 */
int i;
u32 lockmask = (1 << 31);
- if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+ if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS))
lockmask |= (1 << 15);
for (i = 0; i < 20; i += 4)
RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
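Review bot: The comment above the loop still documents only the write-protection bit, although with `CONFIG_LOCK_SPI_FLASH_NO_ACCESS` the mask also sets bit 15; I would reword it to `/* Copy flash regions from FREG0-4 to PR0-4, set write protection (bit 31) and, for NO_ACCESS, read protection (bit 15) */`. The context line `u32 lockmask = (1 << 31);` shifts a signed int into its sign bit, which is undefined behaviour in C; `(1u << 31)` and `(1u << 15)` avoid it. The protected-range values only stay in force if the SPI configuration is locked afterwards; that step is not visible here because `intel_pch_finalize_smm` continues outside the hunk, so please confirm it runs on every path that reaches this block. Named constants for `0x3854`, `0x3874` and the loop bound `20` would make the FREG-to-PR mapping easier to audit.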