Patrick Georgi ([email protected]) just uploaded a new patch set to 
gerrit, which you can find at http://review.coreboot.org/2366

-gerrit

commit a9ae4169b4bf670cdf93df4d73978d2c523b239f
Author: Mathias Krause <[email protected]>
Date:   Thu Jun 3 15:07:00 2010 +0200

    FlashROM write protection feature added.
    
    When the config option FLASHROM_LOCKDOWN is enabled, the FlashROM is by
    default write-protected and locked down via intel_lockdown_flash() prior
    to starting the kernel.
    
    You can disable this behaviour per menu entry by specifying the new
    command 'flashrom_unlock'.
    
    Change-Id: I921c23b348b9bd74c22fa22f4afe75ed728159ce
    Signed-off-by: Patrick Georgi <[email protected]>
---
 Config.in             |  9 +++++++++
 include/grub/shared.h |  2 ++
 main/grub/builtins.c  | 22 ++++++++++++++++++++++
 main/grub/grub.c      |  9 +++++++++
 x86/linux_load.c      | 13 +++++++++++++
 5 files changed, 55 insertions(+)

diff --git a/Config.in b/Config.in
index f164ad4..9c165c4 100644
--- a/Config.in
+++ b/Config.in
@@ -184,6 +184,15 @@ config VIA_SOUND
        default n
        depends on SUPPORT_SOUND
 
+config FLASHROM_LOCKDOWN
+       bool "FlashROM lockdown"
+       default n
+       help
+         Enable FlashROM write protections and lock them down prior starting 
the
+         kernel. FlashROM lockdown can be disabled per boot entry with the new
+         command 'flashrom_unlock'.
+         NOTE: Only supported on selected Intel hardware, ICH7 so far.
+
 endmenu
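Review bot: The new FLASHROM_LOCKDOWN symbol has no `depends on` line, yet its own help text says it is only supported on ICH7, so it can be enabled for any board and the lockdown call is then compiled in where it may do nothing. If Config.in has a chipset or southbridge symbol for the supported Intel parts, gate the option on it (`depends on` that symbol) so an unsupported build is rejected at configure time rather than silently booting with an unlocked ROM. The help text also reads "prior starting the kernel"; "prior to starting the kernel" is the intended wording.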
 
 menu "Filesystems"
diff --git a/include/grub/shared.h b/include/grub/shared.h
index b293f3f..6b97c5a 100644
--- a/include/grub/shared.h
+++ b/include/grub/shared.h
@@ -160,6 +160,8 @@ extern int max_lines;
 extern int count_lines;
 extern int use_pager;
 
+extern int flashrom_lockdown;
+
 /*
  *  Error variables.
  */
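Review bot: `flashrom_lockdown` is declared here unconditionally, but grub.c defines it only under `#ifdef CONFIG_FLASHROM_LOCKDOWN`, so a future use outside an #ifdef compiles and only fails at link time. Wrap the declaration the same way, `#ifdef CONFIG_FLASHROM_LOCKDOWN` / `extern int flashrom_lockdown;` / `#endif`, so the mismatch is caught by the compiler, and have x86/linux_load.c include this header instead of re-declaring the extern at block scope.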
diff --git a/main/grub/builtins.c b/main/grub/builtins.c
index e40663b..acb5bf3 100644
--- a/main/grub/builtins.c
+++ b/main/grub/builtins.c
@@ -549,6 +549,25 @@ static struct builtin builtin_find = {
 };
 #endif
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+/* flashrom_unlock */
+/* Disable lockdown of flash ROM on boot */
+static int flashrom_unlock_func(char *arg, int flags)
+{
+       flashrom_lockdown = 0;
+
+       return 0;
+}
+
+static struct builtin builtin_flashrom_unlock = {
+       "flashrom_unlock",
+       flashrom_unlock_func,
+       BUILTIN_CMDLINE | BUILTIN_HELP_LIST,
+       "flashrom_unlock"
+       "Disable lockdown of flash ROM on boot."
+};
+#endif
+
 /* help */
 #define MAX_SHORT_DOC_LEN       39
 #define MAX_LONG_DOC_LEN        66
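Review bot: The initializer of `builtin_flashrom_unlock` is missing a comma after `"flashrom_unlock"`, so the two string literals are concatenated into a single short_doc ("flashrom_unlockDisable lockdown of flash ROM on boot.") and long_doc is left NULL, which presumably garbles the help listing and hands a null pointer to whatever prints the long help; insert the comma: `"flashrom_unlock",` / `"Disable lockdown of flash ROM on boot."`. Because the command carries BUILTIN_CMDLINE it can also be typed at the interactive command line, not only placed in a menu entry, so anyone with console access can defeat the lockdown unless the command line is otherwise protected; if that is not intended, say so in the help text and in the commit message. `arg` and `flags` are unused; add `(void)arg; (void)flags;` if the build warns on unused parameters.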
@@ -1905,6 +1924,9 @@ struct builtin *builtin_table[] = {
 #ifdef CONFIG_EXPERIMENTAL
        &builtin_find,
 #endif
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+       &builtin_flashrom_unlock,
+#endif
        &builtin_help,
        &builtin_hiddenmenu,
        &builtin_initrd,
diff --git a/main/grub/grub.c b/main/grub/grub.c
index b629435..0a86cd4 100644
--- a/main/grub/grub.c
+++ b/main/grub/grub.c
@@ -43,6 +43,10 @@ char KILL_BUF[KILL_BUFLEN]; /* The kill buffer for the 
command-line.  */
 char MENU_BUF[MENU_BUFLEN]; /* The buffer for the menu entries.  */
 static char configs[16384];
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+int flashrom_lockdown = 1;
+#endif
+
 int using_grub_interface = 0;
 
 #define ENTER '\r'
@@ -837,6 +841,11 @@ static void run_menu(char *menu_entries, char 
*config_entries, int num_entries,
                if (!cur_entry)
                        cur_entry = get_entry(config_entries, first_entry + 
entryno, 1);
 
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+               /* per default we want flash ROM lockdown */
+               flashrom_lockdown = 1;
+#endif
+  
                /* Set CURRENT_ENTRYNO for the command "savedefault".  */
                current_entryno = first_entry + entryno;
                if (run_script(cur_entry, heap)) {
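Review bot: The added `+  ` line after the `#endif` is whitespace-only and leaves trailing spaces in the file; drop it or make it a plain empty line. The reset to 1 before `run_script` is what makes the unlock per-entry, which the comment should say, e.g. `/* Re-arm flash lockdown for every entry; only an explicit flashrom_unlock in this entry's script clears it. */`. A `flashrom_unlock` issued at the interactive command line is not reset on this path, so a subsequent direct `boot` from the command line boots unlocked — presumably intended, but worth stating in the commit message. run_menu continues outside the hunk.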
diff --git a/x86/linux_load.c b/x86/linux_load.c
index aa2f27e..01e185e 100644
--- a/x86/linux_load.c
+++ b/x86/linux_load.c
@@ -676,6 +676,19 @@ static void hardware_setup(void)
 
        outb(0xFF, 0xA1);       /* mask off all interrupts for now */
        outb(0xFB, 0x21);       /* mask all irq's but irq2 which is cascaded */
+
+#ifdef CONFIG_FLASHROM_LOCKDOWN
+       /* lockdown flashROM */
+       extern int flashrom_lockdown;
+       extern void intel_lockdown_flash();
+
+       if (flashrom_lockdown) {
+               printf("Locking FlashROM...\n");
+               intel_lockdown_flash();
+       } else {
+               printf("Leaving FlashROM unlocked...\n");
+       }
+#endif
 }
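Review bot: The lockdown is hooked into the Linux-specific `hardware_setup()`, so any other boot path this tree offers (an ELF or similar loader, if present) would start its payload with the flash still writable; if such paths exist, move the call to a common pre-boot point or add it there as well. The block-scope declarations should come from headers: `extern void intel_lockdown_flash();` is an old-style declaration with no parameter checking, and `flashrom_lockdown` is already declared in include/grub/shared.h by this patch — replace both with the header include and a proper `void intel_lockdown_flash(void);` prototype in the chipset header. `intel_lockdown_flash()` returns nothing, so a board without the expected registers still prints "Locking FlashROM..." as if it succeeded; if the function can detect an unsupported chipset, have it return a status and print a warning when the lock was not applied.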
 
 /* Start Linux */

