[coreboot-gerrit] New patch to review for coreboot: 2b73722 sandybridge: Add option to lock SPI regions on resume

Nico Huber (nico.huber@secunet.com) gerrit at coreboot.org
Wed Jul 3 16:16:08 CEST 2013


Nico Huber (nico.huber at secunet.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/3594

-gerrit

commit 2b73722bf3071c2d01d099e5a7cc488b5bf17ece
Author: Nico Huber <nico.huber at secunet.com>
Date:   Mon Jul 1 16:02:36 2013 +0200

    sandybridge: Add option to lock SPI regions on resume
    
    Add an option to mark all SPI regions write protected on each S3 resume.
    We used to lock the SPI interface in the payload which isn't run on
    the resume path. So we have to do it here.
    
    For the write protection to be effective, all write opcodes in the
    opmenu have to be marked correctly (as write operations) and the whole
    SPI interface has to be locked. Both are already done.
    
    Change-Id: I5c268ae8850642f5e82f18c28c71cf1ae248dbff
    Signed-off-by: Nico Huber <nico.huber at secunet.com>
---
 src/southbridge/intel/bd82x6x/Kconfig    | 10 ++++++++++
 src/southbridge/intel/bd82x6x/finalize.c |  8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/southbridge/intel/bd82x6x/Kconfig b/src/southbridge/intel/bd82x6x/Kconfig
index 0be875e..e6a4fc8 100644
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@@ -148,4 +148,14 @@ config LOCK_MANAGEMENT_ENGINE
 
 	  If unsure, say N.
 
+config LOCK_SPI_ON_RESUME
+	bool "Lock all flash ROM sections on S3 resume"
+	default n
+	help
+	  If the flash ROM shall be protected against write accesses from the
+	  operating system (OS), the locking procedure has to be repeated after
+	  each resume from S3. Select this if you never want to update the flash
+	  ROM from within your OS. Notice: Even with this option, the write lock
+	  has still to be enabled on the normal boot path (e.g. by the payload).
+
 endif
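Review bot: The help text for LOCK_SPI_ON_RESUME says when to select the option but not what it does or what it relies on. The commit message states that the write protection is only effective when the write opcodes in the opmenu are marked as writes and the SPI interface is locked; that precondition belongs in the help as well, along with a plain statement that every flash region becomes write protected, so a user understands that no update from the OS will work until the option is turned off and the firmware is reflashed by other means. The prompt also says "sections" while the code comment in finalize.c says "regions"; pick one term. Minor wording: "has still to be enabled" reads better as "still has to be enabled".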
diff --git a/src/southbridge/intel/bd82x6x/finalize.c b/src/southbridge/intel/bd82x6x/finalize.c
index bcc2f3d..331e26c 100644
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@@ -26,6 +26,14 @@
 
 void intel_pch_finalize_smm(void)
 {
+#if CONFIG_LOCK_SPI_ON_RESUME
+	/* Copy flash regions from FREG0-4 to PR0-4
+	   and enable write protection bit31 */
+	int i;
+	for (i = 0; i < 20; i += 4)
+		RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | (1 << 31);
+#endif
+
 	/* Set SPI opcode menu */
 	RCBA16(0x3894) = SPI_OPPREFIX;
 	RCBA16(0x3896) = SPI_OPTYPE;
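Review bot: Nothing in the added block at the top of intel_pch_finalize_smm() restricts the PR0-4 writes to the S3 resume path, although the option is named LOCK_SPI_ON_RESUME. If this function is only ever reached on resume, say so in the comment; if it can also run on a normal boot, either add an explicit resume check or rename the option so the name matches the behaviour. The loop also copies each FREG value unconditionally, so it is worth stating in the comment what happens for a region that is not in use. Separately, `0x3874`, `0x3854`, the bound `20` and `(1 << 31)` are bare magic numbers; named constants for the FREG and PR base offsets, the region count and the write protection bit would make the loop checkable against the datasheet without the comment.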


