From 78feacc44057916161365d079ae92aa0baa679f8 Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Tue, 3 Dec 2019 19:43:06 +0100 Subject: security: Add common boot media write protection Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply settings on all platforms that supports it yet. Also remove the Intel southbridge code, which is now obsolete. Every platform locks the SPIBAR in a different stage. For align up with the common mrc cache driver and lock after it has been written to. Tested on Supermicro X11SSH-TF. The whole address space is write-protected. Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183 Signed-off-by: Patrick Rudolph Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese Reviewed-by: Julius Werner --- src/southbridge/intel/common/Kconfig | 39 --------------------------------- src/southbridge/intel/common/finalize.c | 10 --------- 2 files changed, 49 deletions(-) (limited to 'src/southbridge') diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig index d1b6bf6024..9356a2be16 100644 --- a/src/southbridge/intel/common/Kconfig +++ b/src/southbridge/intel/common/Kconfig @@ -97,42 +97,3 @@ config INTEL_CHIPSET_LOCKDOWN config SOUTHBRIDGE_INTEL_COMMON_WATCHDOG bool depends on SOUTHBRIDGE_INTEL_COMMON_PMBASE - -if SOUTHBRIDGE_INTEL_COMMON_FINALIZE - -choice - prompt "Flash locking during chipset lockdown" - default LOCK_SPI_FLASH_NONE - -config LOCK_SPI_FLASH_NONE - bool "Don't lock flash sections" - -config LOCK_SPI_FLASH_RO - bool "Write-protect all flash sections" - help - Select this if you want to write-protect the whole firmware flash - chip. The locking will take place during the chipset lockdown, which - is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) - or has to be triggered later (e.g. by the payload or the OS). - - NOTE: If you trigger the chipset lockdown unconditionally, - you won't be able to write to the flash chip using the - internal programmer any more. - -config LOCK_SPI_FLASH_NO_ACCESS - bool "Write-protect all flash sections and read-protect non-BIOS sections" - help - Select this if you want to protect the firmware flash against all - further accesses (with the exception of the memory mapped BIOS re- - gion which is always readable). The locking will take place during - the chipset lockdown, which is either triggered by coreboot (when - INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. - by the payload or the OS). - - NOTE: If you trigger the chipset lockdown unconditionally, - you won't be able to write to the flash chip using the - internal programmer any more. - -endchoice - -endif diff --git a/src/southbridge/intel/common/finalize.c b/src/southbridge/intel/common/finalize.c index 4c6cc63466..2d66cad89c 100644 --- a/src/southbridge/intel/common/finalize.c +++ b/src/southbridge/intel/common/finalize.c @@ -15,16 +15,6 @@ void intel_pch_finalize_smm(void) { const pci_devfn_t lpc_dev = PCI_DEV(0, 0x1f, 0); - if (CONFIG(LOCK_SPI_FLASH_RO) || - CONFIG(LOCK_SPI_FLASH_NO_ACCESS)) { - int i; - u32 lockmask = 1UL << 31; - if (CONFIG(LOCK_SPI_FLASH_NO_ACCESS)) - lockmask |= 1 << 15; - for (i = 0; i < 20; i += 4) - RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask; - } - /* Lock SPIBAR */ RCBA32_OR(0x3804, (1 << 15)); -- cgit v1.2.3