mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-18 02:39:59 +00:00
e999c90a16
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
29 lines
1.2 KiB
Bash
Executable File
29 lines
1.2 KiB
Bash
Executable File
#!/bin/sh
|
|
# For this to work:
|
|
# - io386 module needs to be enabled in board config
|
|
# - <Skylake: coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
|
|
# - >=Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
|
|
# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
|
|
|
|
#include ash shell functions (TRACE requires it)
|
|
. /etc/ash_functions
|
|
|
|
TRACE "Under /bin/lock_chip"
|
|
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then
|
|
APM_CNT=0xb2
|
|
FIN_CODE=0xcb
|
|
fi
|
|
|
|
if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
|
|
# PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
|
|
# which prevents further changes to the SPI controller configuration. The flash
|
|
# will become write protected in the range specified in the PR0 register. Once
|
|
# the protection is set and locked, it cannot be disabled
|
|
# until the next system reset.
|
|
echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
|
|
io386 -o b -b x $APM_CNT $FIN_CODE
|
|
else
|
|
echo "NOT Finalizing chipset"
|
|
echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip."
|
|
fi
|