summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDuncan Laurie <dlaurie@chromium.org>2015-01-15 15:49:07 -0800
committerPatrick Georgi <pgeorgi@google.com>2015-04-18 08:43:43 +0200
commita32b6b9471696951b99d577882508eb9e526eadc (patch)
tree7ed663008c1308fdf73a87d83298a5956e362bf0 /src
parent1006b1020663e5f42d47401bfdf25417793c94b4 (diff)
downloadcoreboot-a32b6b9471696951b99d577882508eb9e526eadc.tar.xz
soc/intel/common: Add function to protect MRC cache
Add support for applying write protection to the MRC cache region in SPI flash. This is only enabled if there is write protect GPIO that is set, and the flash status register reports that the flash chip is currently write protected. Then it will call out to a SOC specific function that will enable write protection on the RW_MRC_CACHE region of flash. The implementation is not quite as clean as I would like because there is not a common flash protect interface across SOCs so instead it relies on a new Kconfig variable to be set that will indicate a SOC implements the function to protect a region of SPI flash. BUG=chrome-os-partner:28234 BRANCH=broadwell TEST=build and boot on samus 1) with either WPSW=0 or SRP0=0 the PRR is not applied 2) with both WPSW=1 and SRP0=1 the PRR is applied Change-Id: If5907b7ddf3f966c546ae32dc99aa815beb27587 Signed-off-by: Stefan Reinauer <reinauer@chromium.org> Original-Commit-Id: a3e0e71dfd7339aab171a26b67aec465a3f332d6 Original-Change-Id: I94e54e4723b1dcdacbb6a05f047d0c0ebc7d8711 Original-Signed-off-by: Duncan Laurie <dlaurie@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/241170 Original-Reviewed-by: Shawn N <shawnn@chromium.org> Reviewed-on: http://review.coreboot.org/9494 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Diffstat (limited to 'src')
-rw-r--r--src/soc/intel/common/Kconfig4
-rw-r--r--src/soc/intel/common/mrc_cache.c21
-rw-r--r--src/soc/intel/common/nvm.c44
-rw-r--r--src/soc/intel/common/nvm.h6
4 files changed, 75 insertions, 0 deletions
diff --git a/src/soc/intel/common/Kconfig b/src/soc/intel/common/Kconfig
index 8b02a4a905..aadd64d0b5 100644
--- a/src/soc/intel/common/Kconfig
+++ b/src/soc/intel/common/Kconfig
@@ -14,6 +14,10 @@ config MRC_SETTINGS_CACHE_SIZE
hex
default 0x10000
+config MRC_SETTINGS_PROTECT
+ bool "Enable protection on MRC settings"
+ default n
+
endif # CACHE_MRC_SETTINGS
endif # HAVE_MRC
diff --git a/src/soc/intel/common/mrc_cache.c b/src/soc/intel/common/mrc_cache.c
index 5860201477..f854046459 100644
--- a/src/soc/intel/common/mrc_cache.c
+++ b/src/soc/intel/common/mrc_cache.c
@@ -247,6 +247,25 @@ mrc_cache_next_slot(const struct mrc_data_region *region,
return next_slot;
}
+/* Protect RW_MRC_CACHE region with a Protected Range Register */
+static int protect_mrc_cache(const struct mrc_data_region *region)
+{
+#if IS_ENABLED(CONFIG_MRC_SETTINGS_PROTECT)
+ if (nvm_is_write_protected() <= 0) {
+ printk(BIOS_INFO, "NOT enabling PRR for RW_MRC_CACHE region\n");
+ return 1;
+ }
+
+ if (nvm_protect(region->base, region->size) < 0) {
+ printk(BIOS_ERR, "ERROR setting PRR for RW_MRC_CACHE region\n");
+ return -1;
+ }
+
+ printk(BIOS_INFO, "Enabled Protected Range on RW_MRC_CACHE region\n");
+#endif
+ return 0;
+}
+
static void update_mrc_cache(void *unused)
{
const struct mrc_saved_data *current_boot;
@@ -279,6 +298,7 @@ static void update_mrc_cache(void *unused)
!memcmp(&current_saved->data[0], &current_boot->data[0],
current_saved->size)) {
printk(BIOS_DEBUG, "MRC cache up to date.\n");
+ protect_mrc_cache(&region);
return;
}
}
@@ -301,6 +321,7 @@ static void update_mrc_cache(void *unused)
printk(BIOS_DEBUG, "Failure writing MRC cache to %p.\n",
next_slot);
}
+ protect_mrc_cache(&region);
}
BOOT_STATE_INIT_ENTRY(BS_WRITE_TABLES, BS_ON_ENTRY, update_mrc_cache, NULL);
diff --git a/src/soc/intel/common/nvm.c b/src/soc/intel/common/nvm.c
index 791422fe30..01138da0a6 100644
--- a/src/soc/intel/common/nvm.c
+++ b/src/soc/intel/common/nvm.c
@@ -23,6 +23,10 @@
#include <string.h>
#include <spi-generic.h>
#include <spi_flash.h>
+#include <soc/spi.h>
+#if CONFIG_CHROMEOS
+#include <vendorcode/google/chromeos/chromeos.h>
+#endif
#include "nvm.h"
/* This module assumes the flash is memory mapped just below 4GiB in the
@@ -80,3 +84,43 @@ int nvm_write(void *start, const void *data, size_t size)
return -1;
return flash->write(flash, to_flash_offset(start), size, data);
}
+
+/* Read flash status register to determine if write protect is active */
+int nvm_is_write_protected(void)
+{
+ u8 sr1;
+ u8 wp_gpio = 0;
+ u8 wp_spi;
+
+ if (nvm_init() < 0)
+ return -1;
+
+#if IS_ENABLED(CONFIG_CHROMEOS)
+ /* Read Write Protect GPIO if available */
+ wp_gpio = get_write_protect_state();
+#endif
+
+ /* Read Status Register 1 */
+ if (flash->status(flash, &sr1) < 0) {
+ printk(BIOS_ERR, "Failed to read SPI status register 1\n");
+ return -1;
+ }
+ wp_spi = !!(sr1 & 0x80);
+
+ printk(BIOS_DEBUG, "SPI flash protection: WPSW=%d SRP0=%d\n",
+ wp_gpio, wp_spi);
+
+ return wp_gpio && wp_spi;
+}
+
+/* Apply protection to a range of flash */
+int nvm_protect(void *start, size_t size)
+{
+#if IS_ENABLED(CONFIG_MRC_SETTINGS_PROTECT)
+ if (nvm_init() < 0)
+ return -1;
+ return spi_flash_protect(to_flash_offset(start), size);
+#else
+ return -1;
+#endif
+}
diff --git a/src/soc/intel/common/nvm.h b/src/soc/intel/common/nvm.h
index d332d831f7..2e6b364c9f 100644
--- a/src/soc/intel/common/nvm.h
+++ b/src/soc/intel/common/nvm.h
@@ -31,4 +31,10 @@ int nvm_erase(void *start, size_t size);
/* Write data to NVM. Returns 0 on success < 0 on error. */
int nvm_write(void *start, const void *data, size_t size);
+/* Determine if flash device is write protected */
+int nvm_is_write_protected(void);
+
+/* Apply protection to a range of flash */
+int nvm_protect(void *start, size_t size);
+
#endif /* _COMMON_NVM_H_ */