security/intel: Add option to enable SMM flash access only

On platforms where the boot media can be updated externally, e.g.
using a BMC, add the possibility to enable writes in SMM only. This
allows to protect the BIOS region even without the use of vboot, but
keeps SMMSTORE working for use in payloads. Note that this breaks
flashconsole, since the flash becomes read-only.

Tested on Asrock B85M Pro4 and HP 280 G2, SMM BIOS write protection
works as expected, and SMMSTORE can still be used.

Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/40830
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>

1 files changed, 11 insertions, 0 deletions

diff --git a/src/soc/intel/common/block/fast_spi/fast_spi.c b/src/soc/intel/common/block/fast_spi/fast_spi.c
index 15cd26e2e2..843071e2a8 100644
--- a/src/soc/intel/common/block/fast_spi/fast_spi.c
+++ b/src/soc/intel/common/block/fast_spi/fast_spi.c
@@ -418,3 +418,14 @@ void fast_spi_enable_wp(void)
 	bios_cntl &= ~SPI_BIOS_CONTROL_WPD;
 	pci_write_config8(dev, SPI_BIOS_CONTROL, bios_cntl);
 }
+
+/* Disable SPI Write Protect. */
+void fast_spi_disable_wp(void)
+{
+	const pci_devfn_t dev = PCH_DEV_SPI;
+	uint8_t bios_cntl;
+
+	bios_cntl = pci_read_config8(dev, SPI_BIOS_CONTROL);
+	bios_cntl |= SPI_BIOS_CONTROL_WPD;
+	pci_write_config8(dev, SPI_BIOS_CONTROL, bios_cntl);
+}