From d3b194e6fe0a9d2d730ca9520f9883ce3fa763d7 Mon Sep 17 00:00:00 2001 From: Vladimir Serbinenko Date: Tue, 12 May 2015 12:39:53 +0200 Subject: bd82x6x, ibexpeak: Support fully locking ROM on S3 resume. Currently only RO-lock is supported. Make full lock available as an option. Change-Id: Ib68a1e82733a51053a9adc80ac501b6205c6b8a7 Signed-off-by: Vladimir Serbinenko Reviewed-on: http://review.coreboot.org/10191 Tested-by: build bot (Jenkins) Reviewed-by: Edward O'Callaghan --- src/southbridge/intel/bd82x6x/Kconfig | 25 +++++++++++++++++++++++-- src/southbridge/intel/bd82x6x/finalize.c | 17 ++++++++++------- 2 files changed, 33 insertions(+), 9 deletions(-) (limited to 'src/southbridge/intel/bd82x6x') diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig index 8c515200b0..8a832aa4cf 100644 --- a/src/southbridge/intel/bd82x6x/Kconfig +++ b/src/southbridge/intel/bd82x6x/Kconfig @@ -151,9 +151,19 @@ config LOCK_MANAGEMENT_ENGINE If unsure, say N. -config LOCK_SPI_ON_RESUME +endif + +if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK + +choice + prompt "Flash ROM locking on S3 resume" + default LOCK_SPI_ON_RESUME_NONE + +config LOCK_SPI_ON_RESUME_NONE + bool "Don't lock ROM sections on S3 resume" + +config LOCK_SPI_ON_RESUME_RO bool "Lock all flash ROM sections on S3 resume" - default n help If the flash ROM shall be protected against write accesses from the operating system (OS), the locking procedure has to be repeated after @@ -161,4 +171,15 @@ config LOCK_SPI_ON_RESUME ROM from within your OS. Notice: Even with this option, the write lock has still to be enabled on the normal boot path (e.g. by the payload). +config LOCK_SPI_ON_RESUME_NO_ACCESS + bool "Lock and disable reads all flash ROM sections on S3 resume" + help + If the flash ROM shall be protected against all accesses from the + operating system (OS), the locking procedure has to be repeated after + each resume from S3. Select this if you never want to update the flash + ROM from within your OS. Notice: Even with this option, the lock + has still to be enabled on the normal boot path (e.g. by the payload). + +endchoice + endif diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c index ad2586cc5d..df7b070adb 100644 --- a/src/southbridge/intel/bd82x6x/finalize.c +++ b/src/southbridge/intel/bd82x6x/finalize.c @@ -25,13 +25,16 @@ void intel_pch_finalize_smm(void) { -#if CONFIG_LOCK_SPI_ON_RESUME - /* Copy flash regions from FREG0-4 to PR0-4 - and enable write protection bit31 */ - int i; - for (i = 0; i < 20; i += 4) - RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31); -#endif + if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) { + /* Copy flash regions from FREG0-4 to PR0-4 + and enable write protection bit31 */ + int i; + u32 lockmask = (1 << 31); + if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) + lockmask |= (1 << 15); + for (i = 0; i < 20; i += 4) + RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask; + } /* Set SPI opcode menu */ RCBA16(0x3894) = SPI_OPPREFIX; -- cgit v1.2.3