1 /** @file
2 Bios Lock library.
3
4 All functions in this library are available for PEI, DXE, and SMM,
5 but calling them from the UEFI RUNTIME environment is not supported.
6
7 Copyright (c) 2019 Intel Corporation. All rights reserved. <BR>
8
9 SPDX-License-Identifier: BSD-2-Clause-Patent
10 **/
11
12 #include <Base.h>
13 #include <Uefi/UefiBaseType.h>
14 #include <Library/IoLib.h>
15 #include <Library/BaseLib.h>
16 #include <Library/DebugLib.h>
17 #include <Library/PcdLib.h>
18 #include <Library/PciSegmentLib.h>
19 #include <Library/S3BootScriptLib.h>
20 #include <Register/PchRegs.h>
21 #include <Register/PchRegsLpc.h>
22 #include <Register/PchRegsSpi.h>
23
/**
  Record the current value of one PCI configuration byte in the S3 boot script.

  The byte is read back through its PCI Express MMIO mapping at the time of the
  call, so whatever the register holds now is what gets restored on S3 resume.
  Call it only after the register has been programmed.

  @param[in] PciConfigAddress  PCI segment library address of the register,
                               as produced by PCI_SEGMENT_LIB_ADDRESS () with
                               the register offset already added.
**/
static
VOID
SaveConfigByteToS3Script (
  UINT64  PciConfigAddress
  )
{
  UINT64  MmioAddress;

  //
  // PCIe MMIO address of the register: the boot script engine reads the
  // value to save from this same location.
  //
  MmioAddress = PcdGet64 (PcdPciExpressBaseAddress) + PciConfigAddress;
  S3BootScriptSaveMemWrite (
    S3BootScriptWidthUint8,
    MmioAddress,
    1,
    (VOID *) (UINTN) MmioAddress
    );
}

/**
  Enable BIOS lock on the SPI and LPC controllers.

  Sets LE (Lock Enable) and EISS (Enable In SMM.STS) in the BIOS Control (BC)
  register of both the SPI and the LPC PCI function, and records the resulting
  register values in the S3 boot script so the lock survives an S3 resume.
  Once LE is set, attempts to write the WPD (Write Protect Disable) bit in the
  PCH raise an SMI, which lets the BIOS verify that the write is from a valid
  source.

  BIOS should always enable the LockDownConfig.BiosLock policy to set the
  BIOS Lock bit in FRC. If capsule update is enabled, it is expected to skip
  BiosLock by disabling the BiosLock policy so it can update the BIOS region;
  after the flash update it should use this library to re-apply BiosLock for
  security.

  NOTE(review): this routine does not itself clear DCh[0] (WPD); per the PCH
  recommendation quoted below that is the SMI handler's job — confirm that
  matches the caller's expectation.
**/
VOID
BiosLockEnable (
  VOID
  )
{
  UINT64  SpiBiosControlAddress;
  UINT64  LpcBiosControlAddress;

  //
  // PCI segment library addresses of the BIOS Control registers. The
  // register offset is folded in here once so that the programming below
  // refers to the register rather than to the function's config space base.
  //
  SpiBiosControlAddress = PCI_SEGMENT_LIB_ADDRESS (
                            DEFAULT_PCI_SEGMENT_NUMBER_PCH,
                            DEFAULT_PCI_BUS_NUMBER_PCH,
                            PCI_DEVICE_NUMBER_PCH_SPI,
                            PCI_FUNCTION_NUMBER_PCH_SPI,
                            0
                            ) + R_SPI_CFG_BC;
  LpcBiosControlAddress = PCI_SEGMENT_LIB_ADDRESS (
                            DEFAULT_PCI_SEGMENT_NUMBER_PCH,
                            DEFAULT_PCI_BUS_NUMBER_PCH,
                            PCI_DEVICE_NUMBER_PCH_LPC,
                            PCI_FUNCTION_NUMBER_PCH_LPC,
                            0
                            ) + R_LPC_CFG_BC;

  ///
  /// PCH BIOS Spec Flash Security Recommendation (BIOS Control register,
  /// PCI offset DCh of the SPI/eSPI/LPC function):
  ///
  ///  - BIOS Lock Enable (BLE/LE), DCh[1] = 1b. Once set, an attempt to set
  ///    the Write Protect Disable (WPD) bit causes an SMI, which allows the
  ///    BIOS to verify that the write is from a valid source. RC installs a
  ///    default SMI handler that clears WPD; an additional SMI handler may log
  ///    such attempts if desired. BIOS must leave DCh[0] = 0b before exiting
  ///    the SMI handler so the BIOS region stays protected. TCO_EN must also
  ///    be set (SMI_EN register, ABASE + 30h[13] = 1b) to keep BLE effective
  ///    after booting to the OS. Intel requires LE to be enabled to ensure SMM
  ///    protection of flash.
  ///
  ///  - Enable in SMM.STS (EISS), DCh[5] = 1b (SPI or eSPI). While set, the
  ///    BIOS region is not writable until SMM sets the InSMM.STS bit, so the
  ///    BIOS can only be modified from SMM (see the CPU BWG for InSMM.STS).
  ///    Setting LE (DCh[1] = 1b) locks EISS down.
  ///
  /// Both bits are written in a single read-modify-write per controller, and
  /// the resulting byte is saved to the S3 boot script immediately afterwards.
  ///
  PciSegmentOr8 (SpiBiosControlAddress, B_SPI_CFG_BC_EISS | B_SPI_CFG_BC_LE);
  SaveConfigByteToS3Script (SpiBiosControlAddress);

  PciSegmentOr8 (LpcBiosControlAddress, B_LPC_CFG_BC_EISS | B_LPC_CFG_BC_LE);
  SaveConfigByteToS3Script (LpcBiosControlAddress);
}
99