ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a36aa2562d
heads/initrd/bin/lock_chip
Thierry Laurion 40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug 
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00

45 lines
2.1 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/sh
# For this to work:
# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
#include ash shell functions (TRACE requires it)
. /etc/ash_functions
TRACE "Under /bin/lock_chip"
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
APM_CNT=0xb2
FIN_CODE=0xcb
fi
if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
# SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
# SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
# for SMM access.
#
# It uses the processors memory protection and paging mechanisms to restrict what
# SMM code can read and write. SMM Supervisor marks critical pages, such as its
# own code, data, and page tables, as supervisor pages, which are only accessible
# from the most privileged level (CPL0).
#
# It also marks the rest of the SMM memory as user pages, which are accessible
# from any privilege level.
#
# This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
# that states what resources the SMI handlers (the interrupt handlers that run in SMM)
# require access to.
#
# SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
# which prevents further changes to the SMM memory and configuration.
# Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
# This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
# after the system boots.
echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
io386 -o b -b x $APM_CNT $FIN_CODE
else
echo "NOT Finalizing chipset"
echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
fi
Reference in New Issue View Git Blame Copy Permalink