intel / FSP

Intel(R) Firmware Support Package (FSP)

SpiFlashCfgLockDown UPD vanished after KBL #25

Closed n-huber closed 4 years ago

n-huber commented 5 years ago

In the later Kaby Lake FSP releases, there used to be a SpiFlashCfgLockDown UPD. Is there any option with similar effect for newer platforms?

Without this option, it seems impossible to let FSP finish its silicon initialization and use peripherals like the AHCI or xHCI controllers before FLOCKDN (or PRR34_LOCKDN) is set. A bootloader using FSP is then forced to either perform firmware updates in early stages, which significantly increases attack surface there, or to implement different boot modes with different locked SPI settings. In any case, it seems to increase the complexity of the security concept and thus makes it more error-prone.

c0d3z3r0 commented 4 years ago

@nate-desimone ping!

c0d3z3r0 commented 4 years ago

@nate-desimone ping!

c0d3z3r0 commented 4 years ago

@nate-desimone ping!

nate-desimone commented 4 years ago

@n-huber, this UPD has been removed in Coffee Lake and newer platforms. FLOCKDN is done later, specifically during the FspNotifyPhase(EnumInitPhaseAfterPciEnumeration). The boot-loader should make sure that any non-SMM writes to SPI are done before invoking this NotifyPhase().

nate-desimone commented 4 years ago

I guess I'll assume no news is good news and my comment above answered this question. Closing; if something more is needed, please open a new issue.
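The ordering constraint from the answer above, as an added C model that is not part of the thread and is not FSP or bootloader code: a pending flash update succeeds only when it runs before the `EnumInitPhaseAfterPciEnumeration` notification, and the flow refuses to hand off with the lock clear. Assumptions: `struct platform`, `spi_update`, `notify_phase` and `boot` are hypothetical stand-ins, the register is simulated with FLOCKDN at bit 15 of the hardware sequencing flash status register, and the lock-down is simplified to blocking every later non-SMM write.

```c
#include <stdint.h>
#include <stdio.h>

#define HSFS_FLOCKDN (1u << 15)  /* flash configuration lock-down bit (simulated register) */
enum { EnumInitPhaseAfterPciEnumeration = 0x20 };  /* phase value from the FSP spec */

struct platform { uint32_t hsfs; int flash_version; };  /* simulated platform state */

/* Stand-in for a non-SMM flash write: refused once the lock-down is set
 * (simplifying assumption of this model). */
static int spi_update(struct platform *p, int new_version) {
    if (p->hsfs & HSFS_FLOCKDN) return -1;
    p->flash_version = new_version;
    return 0;
}

/* Stand-in for FSP NotifyPhase(): models the lock described in the thread. */
static void notify_phase(struct platform *p, int phase) {
    if (phase == EnumInitPhaseAfterPciEnumeration) p->hsfs |= HSFS_FLOCKDN;
}

/* Boot flow. Returns 0 on a clean boot, -1 if a pending update was refused,
 * -2 if handoff would happen with the flash configuration still unlocked. */
int boot(struct platform *p, int pending_version, int update_before_notify) {
    int rc = 0;
    if (pending_version && update_before_notify)
        rc = spi_update(p, pending_version);      /* correct place for the update */
    notify_phase(p, EnumInitPhaseAfterPciEnumeration);
    if (pending_version && !update_before_notify)
        rc = spi_update(p, pending_version);      /* too late: lock is already set */
    if (!(p->hsfs & HSFS_FLOCKDN)) return -2;     /* never hand off unlocked */
    return rc;
}

int main(void) {
    struct platform a = {0, 1}, b = {0, 1};       /* constructed sample state */
    printf("update first: rc=%d version=%d\n", boot(&a, 2, 1), a.flash_version);
    printf("update late:  rc=%d version=%d\n", boot(&b, 2, 0), b.flash_version);
    return 0;
}
```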