authorPatrick Rudolph <siro@das-labor.org>2019-12-03 19:43:06 +0100
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2020-04-28 01:19:32 +0000
commit78feacc44057916161365d079ae92aa0baa679f8 (patch)
treed909045f563bc0a9534a81be4cc6b0e5e3cf8aa0 /src/southbridge
parent7bcd9a1d91f10c6c58cd4c2b4e0583eec221810c (diff)
security: Add common boot media write protection
Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply them on all platforms that support it so far. Also remove the Intel southbridge code, which is now obsolete. Every platform locks the SPIBAR in a different stage; to align with the common MRC cache driver, the lock is applied after the cache has been written to. Tested on Supermicro X11SSH-TF: the whole address space is write-protected. Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org>
Diffstat (limited to 'src/southbridge')
-rw-r--r--src/southbridge/intel/common/Kconfig39
-rw-r--r--src/southbridge/intel/common/finalize.c10
2 files changed, 0 insertions, 49 deletions
diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig
index d1b6bf6024..9356a2be16 100644
--- a/src/southbridge/intel/common/Kconfig
+++ b/src/southbridge/intel/common/Kconfig
@@ -97,42 +97,3 @@ config INTEL_CHIPSET_LOCKDOWN
config SOUTHBRIDGE_INTEL_COMMON_WATCHDOG
bool
depends on SOUTHBRIDGE_INTEL_COMMON_PMBASE
-
-if SOUTHBRIDGE_INTEL_COMMON_FINALIZE
-
-choice
- prompt "Flash locking during chipset lockdown"
- default LOCK_SPI_FLASH_NONE
-
-config LOCK_SPI_FLASH_NONE
- bool "Don't lock flash sections"
-
-config LOCK_SPI_FLASH_RO
- bool "Write-protect all flash sections"
- help
- Select this if you want to write-protect the whole firmware flash
- chip. The locking will take place during the chipset lockdown, which
- is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
- or has to be triggered later (e.g. by the payload or the OS).
-
- NOTE: If you trigger the chipset lockdown unconditionally,
- you won't be able to write to the flash chip using the
- internal programmer any more.
-
-config LOCK_SPI_FLASH_NO_ACCESS
- bool "Write-protect all flash sections and read-protect non-BIOS sections"
- help
- Select this if you want to protect the firmware flash against all
- further accesses (with the exception of the memory mapped BIOS re-
- gion which is always readable). The locking will take place during
- the chipset lockdown, which is either triggered by coreboot (when
- INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
- by the payload or the OS).
-
- NOTE: If you trigger the chipset lockdown unconditionally,
- you won't be able to write to the flash chip using the
- internal programmer any more.
-
-endchoice
-
-endif
diff --git a/src/southbridge/intel/common/finalize.c b/src/southbridge/intel/common/finalize.c
index 4c6cc63466..2d66cad89c 100644
--- a/src/southbridge/intel/common/finalize.c
+++ b/src/southbridge/intel/common/finalize.c
@@ -15,16 +15,6 @@ void intel_pch_finalize_smm(void)
{
const pci_devfn_t lpc_dev = PCI_DEV(0, 0x1f, 0);
- if (CONFIG(LOCK_SPI_FLASH_RO) ||
- CONFIG(LOCK_SPI_FLASH_NO_ACCESS)) {
- int i;
- u32 lockmask = 1UL << 31;
- if (CONFIG(LOCK_SPI_FLASH_NO_ACCESS))
- lockmask |= 1 << 15;
- for (i = 0; i < 20; i += 4)
- RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;
- }
-
/* Lock SPIBAR */
RCBA32_OR(0x3804, (1 << 15));