diff options
| author | Nico Huber <nico.huber@secunet.com> | 2013-07-01 16:02:36 +0200 |
|---|---|---|
| committer | Stefan Reinauer <stefan.reinauer@coreboot.org> | 2013-07-10 00:48:33 +0200 |
| commit | d1fb5641b6ae3710b7d6c444000a6cbbe0cb6f74 (patch) | |
| tree | 5217d776e6b58cdcdf2ccedd7210630626119aef | |
| parent | 4f78b187499d8e1f4a2fe3dad8e0997c91f15762 (diff) | |
| download | coreboot-d1fb5641b6ae3710b7d6c444000a6cbbe0cb6f74.tar.xz | |
sandybridge: Add option to lock SPI regions on resume
Add an option to mark all SPI regions write protected on each S3 resume.
We were used to lock the SPI interface in the payload which isn't run on
the resume path. So we have to do it here.
For the write protection to be effective, all write opcodes in the
opmenu have to be marked correctly (as write operations) and the whole
SPI interface has to be locked. Both is already done.
Change-Id: I5c268ae8850642f5e82f18c28c71cf1ae248dbff
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: http://review.coreboot.org/3594
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
Reviewed-by: Patrick Georgi <patrick@georgi-clan.de>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
| -rw-r--r-- | src/southbridge/intel/bd82x6x/Kconfig | 10 | ||||
| -rw-r--r-- | src/southbridge/intel/bd82x6x/finalize.c | 8 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 0be875e886..e6a4fc8324 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -148,4 +148,14 @@ config LOCK_MANAGEMENT_ENGINE If unsure, say N. +config LOCK_SPI_ON_RESUME + bool "Lock all flash ROM sections on S3 resume" + default n + help + If the flash ROM shall be protected against write accesses from the + operating system (OS), the locking procedure has to be repeated after + each resume from S3. Select this if you never want to update the flash + ROM from within your OS. Notice: Even with this option, the write lock + has still to be enabled on the normal boot path (e.g. by the payload). + endif diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c index bcc2f3dad9..331e26cab1 100644 --- a/src/southbridge/intel/bd82x6x/finalize.c +++ b/src/southbridge/intel/bd82x6x/finalize.c @@ -26,6 +26,14 @@ void intel_pch_finalize_smm(void) { +#if CONFIG_LOCK_SPI_ON_RESUME + /* Copy flash regions from FREG0-4 to PR0-4 + and enable write protection bit31 */ + int i; + for (i = 0; i < 20; i += 4) + RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31); +#endif + /* Set SPI opcode menu */ RCBA16(0x3894) = SPI_OPPREFIX; RCBA16(0x3896) = SPI_OPTYPE; |