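#!/bin/sh
# Finalize chipset flash write protection (PR0 lockdown) by writing a finalize
# code to the APM control I/O port with io386.
#
# For this to work:
#  - io386 module needs to be enabled in board config
#  - =Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y,
#    CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
#    NOTE(review): "=Skylake" looks like it lost a leading comparison operator,
#    and "same as above" may refer to an item that is no longer listed here;
#    confirm against the original file before relying on this list.
#  - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
#
# Exit status:
#  - lockdown attempted: the exit status of io386
#  - lockdown skipped:   0 (status of the last echo). A zero status therefore
#    does NOT prove the flash is locked; callers that gate on this script
#    should not treat "skipped" as "locked".

# Include ash shell functions (TRACE requires it)
. /etc/ash_functions

TRACE "Under /bin/lock_chip"

# Only the pre-Skylake path assigns the port/code pair in this script.
# NOTE(review): APM_CNT and FIN_CODE are not cleared first, so values already
# present in the environment (or set by /etc/ash_functions) are used as-is.
# They select the I/O port and the byte written to it; confirm that inheriting
# them is intended.
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
	APM_CNT=0xb2
	FIN_CODE=0xcb
fi

# Two separate tests joined with && instead of the obsolescent, ambiguous
# "-a" operator of test(1).
if [ -n "$APM_CNT" ] && [ -n "$FIN_CODE" ]; then
	# PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
	# which prevents further changes to the SPI controller configuration. The flash
	# will become write protected in the range specified in the PR0 register. Once
	# the protection is set and locked, it cannot be disabled
	# until the next system reset.
	echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
	# Presumably "-o b" is a byte-wide port write and "-b x" selects hex
	# arguments - verify against io386's usage text.
	io386 -o b -b x "$APM_CNT" "$FIN_CODE" || {
		# The banner above is printed before the write, so without this a
		# missing or failing io386 would leave "Finalizing ..." as the last
		# thing the operator sees. The original exit status is preserved.
		rc=$?
		echo "lock_chip: io386 exited with status $rc; chipset lockdown was NOT applied" >&2
		exit "$rc"
	}
else
	# Fail-open path: nothing is written to the chipset and the status stays 0.
	echo "NOT Finalizing chipset"
	echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
fi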