1 files changed, 43 insertions, 1 deletions

diff --git a/src/soc/intel/common/mrc_cache.c b/src/soc/intel/common/mrc_cache.c
index 8720c9df05..3a9689645f 100644
--- a/src/soc/intel/common/mrc_cache.c
+++ b/src/soc/intel/common/mrc_cache.c
@@ -17,6 +17,7 @@
 #include <string.h>
 #include <boot_device.h>
 #include <bootstate.h>
+#include <bootmode.h>
 #include <console/console.h>
 #include <cbmem.h>
 #include <elog.h>
@@ -24,9 +25,9 @@
 #include <ip_checksum.h>
 #include <region_file.h>
 #include <security/vboot/vboot_common.h>
+#include <spi_flash.h>
 
 #include "mrc_cache.h"
-#include "nvm.h"
 
 #define DEFAULT_MRC_CACHE	"RW_MRC_CACHE"
 #define VARIABLE_MRC_CACHE	"RW_VAR_MRC_CACHE"
@@ -441,6 +442,47 @@ static void update_mrc_cache_by_type(int type)
 		log_event_cache_update(cr->elog_slot, UPDATE_SUCCESS);
 }
 
+/* Read flash status register to determine if write protect is active */
+static int nvm_is_write_protected(void)
+{
+	u8 sr1;
+	u8 wp_gpio;
+	u8 wp_spi;
+
+	if (!IS_ENABLED(CONFIG_CHROMEOS))
+		return 0;
+
+	if (!IS_ENABLED(CONFIG_BOOT_DEVICE_SPI_FLASH))
+		return 0;
+
+	/* Read Write Protect GPIO if available */
+	wp_gpio = get_write_protect_state();
+
+	/* Read Status Register 1 */
+	if (spi_flash_status(boot_device_spi_flash(), &sr1) < 0) {
+		printk(BIOS_ERR, "Failed to read SPI status register 1\n");
+		return -1;
+	}
+	wp_spi = !!(sr1 & 0x80);
+
+	printk(BIOS_DEBUG, "SPI flash protection: WPSW=%d SRP0=%d\n",
+		wp_gpio, wp_spi);
+
+	return wp_gpio && wp_spi;
+}
+
+/* Apply protection to a range of flash */
+static int nvm_protect(const struct region *r)
+{
+	if (!IS_ENABLED(CONFIG_MRC_SETTINGS_PROTECT))
+		return 0;
+
+	if (!IS_ENABLED(CONFIG_BOOT_DEVICE_SPI_FLASH))
+		return 0;
+
+	return spi_flash_ctrlr_protect_region(boot_device_spi_flash(), r);
+}
+
 /* Protect mrc region with a Protected Range Register */
 static int protect_mrc_cache(const char *name)
 {