[DTS/Flashrom] Refuse flashing protected SPI flash ranges #952

Open
mkopec opened this issue Jul 15, 2024 · 3 comments
Labels
DasharoToolsSuite enhancement New feature or request RFC Request For Comments

mkopec commented Jul 15, 2024

The problem you're addressing (if any)

Right now flashrom will print a warning if a protected range is set, but attempt to flash anyway. This may lead to issues when updating firmware.

Describe the solution you'd like

We know for a fact that flashing a protected range will fail. Flashrom should see that we're attempting to flash a region that overlaps with a protected range and refuse to flash.

Where is the value to a user, and who might that user be?

Fewer bricks and easier updates.

Describe alternatives you've considered

No response

Additional context

I'm referring specifically to Intel chipset Protected Range Registers. Handling of this on different platforms may be different.

We should allow flashing if:

  • A protected range does not overlap with any of the regions we're trying to flash

We may also want to allow flashing if:

  • a force flag is passed to flashrom
  • if the protected range has the same contents as the binary we're flashing
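
The decision rule proposed in the issue above, as an added example (not code from flashrom, Dasharo, or the issue author). It assumes the ICH9-style PRx layout (base in bits 12:0, limit in bits 28:16, both in 4 KiB units, write-protect enable in bit 31); `check_protected`, `struct range` and the sample data are hypothetical names constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed ICH9-style PRx layout: base = bits 12:0, limit = bits 28:16
 * (4 KiB granularity), write-protect enable = bit 31. */
#define PR_WP_EN     (1u << 31)
#define PR_BASE(pr)  (((pr) << 12) & 0x01fff000u)
#define PR_LIMIT(pr) ((((pr) >> 4) & 0x01fff000u) | 0xfffu)

struct range { uint32_t start, end; };      /* inclusive byte offsets */
enum verdict { FLASH_OK, FLASH_REFUSED };

/* Constructed sample: PR0 write-protects 0x0000-0x1fff of a 16 KiB flash. */
const uint32_t sample_pr[] = { 0x80010000u };
uint8_t sample_cur[0x4000], sample_img[0x4000];

/* Decide before any erase/write whether the requested regions may be flashed.
 * cur = current flash contents, img = new image, both covering the whole chip. */
enum verdict check_protected(const uint32_t *pr, size_t n_pr,
                             const struct range *regions, size_t n_regions,
                             const uint8_t *cur, const uint8_t *img, bool force)
{
    for (size_t i = 0; i < n_pr; i++) {
        if (!(pr[i] & PR_WP_EN))
            continue;                       /* range is not write-protected */
        uint32_t p_start = PR_BASE(pr[i]), p_end = PR_LIMIT(pr[i]);
        for (size_t j = 0; j < n_regions; j++) {
            /* Intersection of the protected range and the target region. */
            uint32_t lo = p_start > regions[j].start ? p_start : regions[j].start;
            uint32_t hi = p_end < regions[j].end ? p_end : regions[j].end;
            if (lo > hi)
                continue;                   /* no overlap: always allowed */
            if (force)
                continue;                   /* explicit user override */
            /* Same contents in the overlap: nothing needs to be written. */
            if (memcmp(cur + lo, img + lo, (size_t)(hi - lo) + 1) == 0)
                continue;
            return FLASH_REFUSED;           /* the write is known to fail */
        }
    }
    return FLASH_OK;
}
```
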

mkopec changed the title from "Refuse flashing of SPI flash protected range" to "[DTS/Flashrom] Refuse flashing protected SPI flash ranges" on Jul 15, 2024

dancios commented Aug 22, 2024

@mkopec Regarding the series of seemingly trivial questions, Dasharo uses a retroversion of FlashROM, likely version 1.2, with some custom patches. How does this compare to the official release, which presumably supports this out-of-the-box starting from version 1.4? I might not fully understand the purpose of this task, as this is my first encounter with DTS.

Changelog from the main repo, flashrom 1.4:

Write-protect updates

  • Support reading security register
  • Support reading/writing configuration register
  • More range functions (with different block sizes and handling of CMP bit)

Protected regions support

  • Support to allow programmers to handle protected regions on the flash.
  • get_region() function is added so that programmers can expose access permissions for multiple regions within the flash.
  • A get_region() implementation is added for the ichspi driver

Commits:

  • flashrom.c: Replace ‘exit(1)’ leaks with return codes on err paths
  • flashrom: Check for flash access restrictions in read_flash()
  • flashrom: Check for flash access restrictions in verify_range()
  • flashrom: Check for flash access restrictions in write_flash()
  • flashrom: Check for flash access restrictions in erase path
  • flashrom: Use WP-based unlocking on opaque masters

DaniilKl commented

@dancios, this is a public issue, please write in English.

m-iwanicki commented

@mkopec could you review Dasharo/flashrom#17?
I branched out from @PLangowski's upstream sync branch, as the newer flashrom version had a function that helped me implement this check (mainly get_flash_region).
