-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WiP: PR0 (SPI write prevention through chipset locking) for Skylake+ #1818
base: master
Are you sure you want to change the base?
Conversation
@miczyg1 false alarm, it was again my external programmer's fault. Tigard doesn't work well but again I have a leg of wson8 probe broken. This is good to go! |
Question here is what do we want prior of merging @miczyg1 @JonathonHall-Purism. All Skylake+ platforms implementing PR0? |
0ede1e6
to
0cff229
Compare
@macpijan @JonathonHall-Purism let me know if something else needs to be done prior of #1821 deadline. Could be in or not: I would prefer this to be in. |
Rebasing on master. |
0cff229
to
08f2176
Compare
@tlaurion @miczyg1 Nice work here, I'm thrilled to see this. I hope we can get it to work 🤞 What SoCs has this been tested on so far? I applied the coreboot patch to Purism's coreboot fork and built this for the Librem 14; the OS is still able to write to the firmware. The coreboot patch is implemented for cannonlake but I don't know if that was tested. I did see The OS was still able to write to flash (in this case I changed the serial number using our coreboot utility: that reads flash, uses cbfstool to change the serial, then writes flash). I haven't looked into it any further. What SoCs have you all tested? I'd be happy to help get this working for CNL and other SoCs but I probably will not be able to do it prior to the feature freeze.
I'd suggest:
|
It's already there as per original PR0 PR: as of now, user can turn it off for one boot under config settings toggle. Per OP workflow screenshots: |
Rebasing on master |
…boot config bits Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…which enables CONFIG_SPI_FLASH_SMM=y (skylake+ requirements) Signed-off-by: Thierry Laurion <[email protected]>
…IZE_PLATFORM_LOCKING Signed-off-by: Thierry Laurion <[email protected]>
…ot config Signed-off-by: Thierry Laurion <[email protected]>
08f2176
to
ef0b70a
Compare
@JonathonHall-Purism: I checked it on Alder Lake and Comet Lake (so using coreboot's soc/cannonlake) and it worked. tlaurion Edited: tagged Jonathon |
@JonathonHall-Purism ping |
@miczyg1 is Dasharo/coreboot@ff22122 linked to an upstream patchset I've missed for upstream review? Maybe this would make this go faster? (issue thought unfixable for ~3y even though under vaultboot for skylake, see #326 (comment)) It would also be nice to see traction upstream on this for all platforms, including up to meteor lake. This is really good security feature, and tested working for some, but apparently not all for the same family as reported by @JonathonHall-Purism |
Not yet. Sorry about that. It completely slipped my mind. Will push ASAP. |
@miczyg1 pushed some changes in dasharo coreboot fork to enable SMM PR0:
This cherry-pick this commit Dasharo/coreboot@ff22122
To test this PR for nv41 users (EC needs to be up to date otherwise problems might occur):
At term, this PR will bring coreboot Skylake+ equivalent of <=Shylake for PR0 chipset locking of SPI WP (single boot protection from OS).
@MrChromebox you might take a look at #1659, which this PR will fix when working on all Skylake+ based boards merged for <Skyylake at #1373
NOTE: if for whatever reason, you would love to disable PR0 locking on a single boot option, you can do so through configuration settings menu under heads as screenshots show under #1373 (comment) :
At term, this will fix #1659
TODO:
--
@JonathonHall-Purism patch doesn't apply cleanly on purism fork