-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WiP: PR0 (SPI write prevention through chipset locking) for nv4x_adl, setting base for other platforms/downstream forks supporting >=Skylake+ #1818
Conversation
@miczyg1 false alarm, it was again my external programmer's fault. Tigard doesn't work well but again I have a leg of wson8 probe broken. This is good to go! |
Question here is what do we want prior of merging @miczyg1 @JonathonHall-Purism. All Skylake+ platforms implementing PR0? |
0ede1e6
to
0cff229
Compare
@macpijan @JonathonHall-Purism let me know if something else needs to be done prior of #1821 deadline. Could be in or not: I would prefer this to be in. |
Rebasing on master. |
0cff229
to
08f2176
Compare
@tlaurion @miczyg1 Nice work here, I'm thrilled to see this. I hope we can get it to work 🤞 What SoCs has this been tested on so far? I applied the coreboot patch to Purism's coreboot fork and built this for the Librem 14; the OS is still able to write to the firmware. The coreboot patch is implemented for cannonlake but I don't know if that was tested. I did see The OS was still able to write to flash (in this case I changed the serial number using our coreboot utility: that reads flash, uses cbfstool to change the serial, then writes flash). I haven't looked into it any further. What SoCs have you all tested? I'd be happy to help get this working for CNL and other SoCs but I probably will not be able to do it prior to the feature freeze.
I'd suggest:
|
It's already there as per original PR0 PR: as of now, user can turn it off for one boot under config settings toggle. Per OP workflow screenshots: |
Rebasing on master |
…boot config bits Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…which enables CONFIG_SPI_FLASH_SMM=y (skylake+ requirements) Signed-off-by: Thierry Laurion <[email protected]>
…IZE_PLATFORM_LOCKING Signed-off-by: Thierry Laurion <[email protected]>
…ot config Signed-off-by: Thierry Laurion <[email protected]>
I would focus on testing the boards using upstream coreboot in heads. When we reach the final shape of the patch on gerrit and get it merged, I can cherry-pick it to Dasharo and test the remaining boards based on Dasharo fork. |
nv41 is not part of upstream, if you mean to use upstream for this board |
I meant all boards that do not use coreboot forks in heads. |
@miczyg1 : there is no >=skylake boards under Heads not depending on coreboot forks.... Boards depending on coreboot master (<skyake):
Boards >=skylake depending on coreboot forks:
so @miczyg1 @macpijan @JonathonHall-Purism following this reasoning, Purism and Dasharo forks need to include the patch, adapted to coreboot base they depend on under TLDR: @macpijan @miczyg1 @pietrushnic: if you want PR0 to be part of the features of next release, the upstream patch needs to either be adapted to Dasahro fork(s): nv41/ns50/v540TU/v560TU( ideally: one dasharo coreboot port containing what is needed for all dasharo firmware supported boards, not many) I repeat: Next coreboot version bump for all boards mentioned above bump to something newer than 24.02.01 won't affect Pr0 for skylake+, simply because none of the boards under Heads using coreboot releases are skylake+: all skylake+ boards are supported under forks |
@miczyg1 (dasharo) @JonathonHall-Purism (purism) forks: A reminder that Heads is a user of downstream/upstream coreboot forks. Not a coreboot fork maintainer. |
@JonathonHall-Purism @miczyg1 As far as I'm concerned, this PR is ready to merge as it is (patch against nv4x_adl currently used dasharo coreboot fork+unrealeased patch), is in a functional state, until downstream adapts the patch in their downstream fork. This is not my fight. Updated OP. Waiting for comments otherwise merging once this builds.
|
PR0 needs porting of upstream patch to downstream forks @nestire @daringer @jans23: Removing ns50 lock_chip because I cannot test. Simple to add, just revert next commit in a PR after testing it and I will merge. @JonathonHall-Purism patch needed on coreboot purism fork All downstream coreboot forks: Please refer to #1818 for how to enable PR0 from board config and config/coreboot* config files if not using upstream, adapt https://review.coreboot.org/c/coreboot/+/85278 and create PR upstream (under https://github.com/linuxboot/heads) prior of #1821 if you intend to have the feature before freeze for your platforms. |
Signed-off-by: Thierry Laurion <[email protected]>
Ugh... I was not aware of that. Allright. Then I will focus on getting the patch merged upstream, then cherry-pick to dasharo. |
Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI controller with PR0 flash protection for pre-Skylake platforms. Add new option to skip LPC and FAST SPI lock down in coreboot and move it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path, like it was done on pre-Skylake platforms. As the locking on modern SOCs became more complicated, separate the SPI and LPC locking into new modules to make linking to SMM easier. The expected configuration to leverage the feautre is to unselect INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM. Testing various microarchitectures happens on heads repository: linuxboot/heads#1818 TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake (Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check if flash is unlocked in the heads recovery console. Check if flash is locked in the kexec'ed OS. Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838 Signed-off-by: Michał Żygowski <[email protected]>
@miczyg1 it has been awhile, any update on coreboot patch? |
@miczyg1 there is merge conflict https://review.coreboot.org/c/coreboot/+/85278 Ideally, links to downstream commits and versions of coreboot should be clarified under that upstream merge request I guess for repro? Not sure how to make this merged upstream here. The number of forks of coreboot is problematic to say the least @LeanSheng Under heads and as merged for this PR:
|
@tlaurion yes you are right. thats y we always ask people to upstream to coreboot directly and not to create another fork and keep things there. coreboot is not the same as linux kernel which has big ecosystem; but rather niche and need more support for growth, especially for companies that using coreboot for business should be uphold bigger responsibilities for upstreaming and maintaining. for many years we have been working hard to promote coreboot, have to work together. |
I will try to find some time to push new patchset. |
@miczyg1 Merry Christmas and Happy New Year! Any update? What is the plan to update it? |
This is important.
Originally posted by @tlaurion in #1659 (comment) |
Heads payload uses APM_CNT_FINALIZE SMI to set and lock down the SPI controller with PR0 flash protection for pre-Skylake platforms. Add new option to skip LPC and FAST SPI lock down in coreboot and move it to APM_CNT_FINALIZE SMI handler. Reuse the INTEL_CHIPSET_LOCKDOWN option to prevent issuing APM_CNT_FINALIZE SMI on normal boot path, like it was done on pre-Skylake platforms. As the locking on modern SOCs became more complicated, separate the SPI and LPC locking into new modules to make linking to SMM easier. The expected configuration to leverage the feautre is to unselect INTEL_CHIPSET_LOCKDOWN and select SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM. Testing various microarchitectures happens on heads repository: linuxboot/heads#1818 TEST=Lock the SPI flash using APM_CNT_FINALIZE in heads on Alder Lake (Protectli VP66xx) and Comet Lake (Protectli VP46xx) platforms. Check if flash is unlocked in the heads recovery console. Check if flash is locked in the kexec'ed OS. Change-Id: Icbcc6fcde90e5b0a999aacb720e2e3dc2748c838 Signed-off-by: Michał Żygowski <[email protected]>
PRIOR OF MERGE: only nv4x_adl as a >=Skylake platform has PR0 enabled as per this PR. This PR enables future enablement of PR0 once downstream forks cherry-pick+adapt https://review.coreboot.org/c/coreboot/+/85278
Politics (I will let downstream coreboot forks opt-in, this is not my fight, draining) at #1818 (comment)
Hows:
patches/coreboot-dasharo-unreleased
)Notes: ns50 is prepared on coreboot side, but board doesn't include io386 nor enables PR0 in board config:
For ns50 enablement in next PR, see #1818 (comment)
TLDR
NEXT: Librems/ v540TU #1846 / V560TU #1835 : will need to have https://review.coreboot.org/c/coreboot/+/85278 adapted patch to their coreboot fork if not coreboot upstream
@miczyg1 pushed some changes in dasharo coreboot fork to enable SMM PR0:
This cherry-pick this commit Dasharo/coreboot@ff22122
To test this PR for nv41 users (EC needs to be up to date otherwise problems might occur):
At term, this PR will bring coreboot Skylake+ equivalent of <=Skylake for PR0 chipset locking of SPI WP (SPI RW protection from OS: OS cannot write to SPI, only Heads can flash internally when enabled per board config + coreboot config on tested platforms).
@MrChromebox you might take a look at #1659, which this PR will fix when working on all Skylake+ based boards merged for <Skyylake at #1373
NOTE: if for whatever reason, you would love to disable PR0 locking on a single boot option, you can do so through configuration settings menu under heads as screenshots show under #1373 (comment) :
At term, this will fix #1659
TODO:
--
@JonathonHall-Purism patch doesn't apply cleanly on purism fork