Add code to protect the whole BIOS region on SPI flash, except UEFI Variable region.

Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Shifei Lu <shifeix.a.lu@intel.com> Reviewed-by: David Wei <david.wei@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17618 6f19259b-4bc3-4df7-8a09-765794883524
2025-07-25 06:34:30 +02:00 · 2015-06-11 02:17:06 +00:00 · 2015-06-11 02:17:06 +00:00 · fb1a4e361e
commit fb1a4e361e
parent 5374d621c5
2 changed files with 43 additions and 6 deletions
--- a/Vlv2TbltDevicePkg/PlatformDxe/Platform.c
+++ b/Vlv2TbltDevicePkg/PlatformDxe/Platform.c
@ -353,12 +353,23 @@ SpiBiosProtectionFunction(
 {
  UINTN                             mPciD31F0RegBase;
-  UINTN                             BiosFlaLower = 0;
+  UINTN                             BiosFlaLower0;
-  UINTN                             BiosFlaLimit = 0x7fffff;
+  UINTN                             BiosFlaLimit0;
-
+  UINTN                             BiosFlaLower1;
-  BiosFlaLower = PcdGet32(PcdFlashMicroCodeAddress)-PcdGet32(PcdFlashAreaBaseAddress);
+  UINTN                             BiosFlaLimit1;  
  BiosFlaLower0 = PcdGet32(PcdFlashMicroCodeAddress)-PcdGet32(PcdFlashAreaBaseAddress);
  BiosFlaLimit0 = PcdGet32(PcdFlashMicroCodeSize)-1;  
  #ifdef MINNOW2_FSP_BUILD
  BiosFlaLower1 = PcdGet32(PcdFlashFvFspBase)-PcdGet32(PcdFlashAreaBaseAddress);
  BiosFlaLimit1 = (PcdGet32(PcdFlashFvRecoveryBase)-PcdGet32(PcdFlashFvFspBase)+PcdGet32(PcdFlashFvRecoverySize))-1;
  #else
  BiosFlaLower1 = PcdGet32(PcdFlashFvMainBase)-PcdGet32(PcdFlashAreaBaseAddress);
  BiosFlaLimit1 = (PcdGet32(PcdFlashFvRecoveryBase)-PcdGet32(PcdFlashFvMainBase)+PcdGet32(PcdFlashFvRecoverySize))-1;
  #endif
  mPciD31F0RegBase = MmPciAddress (0,
                         DEFAULT_PCI_BUS_NUMBER_PCH,
                         PCI_DEVICE_NUMBER_PCH_LPC,
@ -391,7 +402,7 @@ SpiBiosProtectionFunction(
  //
  MmioOr32((UINTN)(SpiBase + R_PCH_SPI_PR0),
    B_PCH_SPI_PR0_RPE|B_PCH_SPI_PR0_WPE|\
-    (B_PCH_SPI_PR0_PRB_MASK&(BiosFlaLower>>12))|(B_PCH_SPI_PR0_PRL_MASK&(BiosFlaLimit>>12)<<16));
+    (B_PCH_SPI_PR0_PRB_MASK&(BiosFlaLower0>>12))|(B_PCH_SPI_PR0_PRL_MASK&(BiosFlaLimit0>>12)<<16));
  //
  //Lock down PR0
@ -405,6 +416,25 @@ SpiBiosProtectionFunction(
    DEBUG((EFI_D_ERROR, "Failed to lock down PR0.\n"));
  }
  //
  //Set PR1
  //
  MmioOr32((UINTN)(SpiBase + R_PCH_SPI_PR1),
    B_PCH_SPI_PR1_RPE|B_PCH_SPI_PR1_WPE|\
    (B_PCH_SPI_PR1_PRB_MASK&(BiosFlaLower1>>12))|(B_PCH_SPI_PR1_PRL_MASK&(BiosFlaLimit1>>12)<<16));
  //
  //Lock down PR1
  //
  MmioOr16 ((UINTN) (SpiBase + R_PCH_SPI_HSFS), (UINT16) (B_PCH_SPI_HSFS_FLOCKDN));
  //
  // Verify if it's really locked.
  //
  if ((MmioRead16 (SpiBase + R_PCH_SPI_HSFS) & B_PCH_SPI_HSFS_FLOCKDN) == 0) {
    DEBUG((EFI_D_ERROR, "Failed to lock down PR1.\n"));
  }
  return;
 }
@ -690,7 +720,7 @@ InitializePlatform (
             &mReadyToBootEvent
             );
  //
-  // Create a ReadyToBoot Event to run enable PR0 and lock down
+  // Create a ReadyToBoot Event to run enable PR0/PR1 and lock down,unlock variable region
  //
  if(mSystemConfiguration.SpiRwProtect==1) {
    Status = EfiCreateEventReadyToBootEx (
--- a/Vlv2TbltDevicePkg/PlatformDxe/PlatformDxe.inf
+++ b/Vlv2TbltDevicePkg/PlatformDxe/PlatformDxe.inf
@ -62,6 +62,7 @@
  Vlv2DeviceRefCodePkg/Vlv2DeviceRefCodePkg.dec
  SecurityPkg/SecurityPkg.dec
  CryptoPkg/CryptoPkg.dec
  IntelFspWrapperPkg/IntelFspWrapperPkg.dec
 [LibraryClasses]
  BaseLib
@ -133,7 +134,13 @@
  gEfiMdePkgTokenSpaceGuid.PcdPciExpressBaseAddress
  gPlatformModuleTokenSpaceGuid.PcdFlashAreaBaseAddress
  gPlatformModuleTokenSpaceGuid.PcdFlashMicroCodeAddress
  gPlatformModuleTokenSpaceGuid.PcdFlashMicroCodeSize
  gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdFastPS2Detection
  gPlatformModuleTokenSpaceGuid.PcdFlashFvMainBase
  gPlatformModuleTokenSpaceGuid.PcdFlashFvRecoveryBase
  gPlatformModuleTokenSpaceGuid.PcdFlashFvRecoverySize
  gFspWrapperTokenSpaceGuid.PcdFlashFvFspBase
 [Depex]
  gEfiPciRootBridgeIoProtocolGuid     AND