I'm trying to understand the flash descriptor and the read/write permissions that can be configured using the master region. I'm using a MinnowBoard Turbot B and trying to change the flash descriptor so that it has an effect in my Linux system, but apparently I have a problem with that. I read the IFD with chipsec. I was able to modify the IFD in the way below:
+ 0x0060 Master Section:
========================================================
+ 0x0060 FLMSTR0 : 0xFDFF0000
+ 0x0064 FLMSTR1 : 0xFFFF0000
Master Read/Write Access to Flash Regions
--------------------------------------------------------
Region | CPU | ME
--------------------------------------------------------
0 Flash Descriptor | RW | RW
1 BIOS | R | RW
2 Intel ME | RW | RW
Despite that, I'm still able to use flashrom to write the BIOS region. Why is it still possible? Who enforces these access rights?
The description in the Bay Trail datasheet is IMO not clear, or I am missing some fundamental knowledge about the IFD.
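An added example, not part of the original post and not chipsec's own code: decoding the two FLMSTR values quoted above into the per-region table. It assumes the descriptor layout in which bits 23:16 of FLMSTRn are the read-access mask and bits 31:24 the write-access mask (bit n = region n), which reproduces the table in the post; all function names are hypothetical.

```python
# Added example (not chipsec code): decode FLMSTRn values from an Intel Flash
# Descriptor master section and list which masters may write which regions.
# Assumed layout: bits 15:0 requester ID, bits 23:16 read-access mask,
# bits 31:24 write-access mask; bit n of a mask refers to flash region n.
REGIONS = ["Flash Descriptor", "BIOS", "Intel ME"]  # regions 0-2 as in the post
MASTERS = ["CPU", "ME"]                              # FLMSTR0, FLMSTR1 as in the post


def decode_flmstr(value):
    """Return {region: 'RW' | 'R' | 'W' | ''} for one 32-bit FLMSTR value."""
    read_mask = (value >> 16) & 0xFF
    write_mask = (value >> 24) & 0xFF
    perms = {}
    for idx, region in enumerate(REGIONS):
        r = "R" if (read_mask >> idx) & 1 else ""
        w = "W" if (write_mask >> idx) & 1 else ""
        perms[region] = r + w
    return perms


def writable_regions(flmstr_values):
    """Return {master: [regions that master is granted write access to]}."""
    return {
        master: [reg for reg, p in decode_flmstr(val).items() if "W" in p]
        for master, val in zip(MASTERS, flmstr_values)
    }


def format_table(flmstr_values):
    """Render the same Region | CPU | ME table that the post shows."""
    decoded = [decode_flmstr(v) for v in flmstr_values]
    rows = [f"{'Region':<20}| " + " | ".join(f"{m:<3}" for m in MASTERS)]
    for idx, region in enumerate(REGIONS):
        cells = " | ".join(f"{d[region]:<3}" for d in decoded)
        rows.append(f"{idx} {region:<18}| {cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    values = [0xFDFF0000, 0xFFFF0000]  # FLMSTR0, FLMSTR1 quoted in the post
    print(format_table(values))
    for master, regions in writable_regions(values).items():
        # The master section lives inside the descriptor region (offset 0x0060
        # in the dump), so write access to region 0 covers these settings too.
        if "Flash Descriptor" in regions:
            print(f"note: {master} has write access to the Flash Descriptor")
```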
Hello, pietrushnic:
Thank you for contacting Intel Embedded Community.
We would like to help you with the third-party board mentioned in your previous communication, but it should be addressed through the following channel:
https://github.com/MinnowBoard-org/bugs-and-help
We hope that this information may help you.
Best regards,
Carlos_A.
Carlos_A,
As far as I know, the flash descriptor is not a platform-specific concept; it is an Intel-specific concept. Can I get an answer for the Bay Trail SoC?
Hello, pietrushnic:
Thanks for your reply.
We suggest you review with the assistance of your BIOS vendor and verify with the developer of the cited third-party design if the following information applies to their project.
Please refer to the information stated in section 3.2.2, on page 19 of the Bay Trail I SoC BIOS Writers Guide Addendum (https://edc.intel.com/Link.aspx?id=7011), document # 526998; and in sections 26.1, 26.2, and 26.7, on pages 96, 97, 98, 101, and 102 of the Intel Pentium Processor N3500 Series J2850 J2900 and Intel Celeron Processor Series N2900 N2800 1800 J1900 J1750 BIOS Writers Guide Volume 2 of 2 (https://edc.intel.com/Link.aspx?id=7010), document # 514148.
We hope that it will be useful to you.
Best regards,
Carlos_A.
Hi Carlos_A,
The most interesting IMO is 26.8 in BWG vol 2, which describes steps to secure firmware, but none of these documents describe the read/write permissions that can be set in the Intel Flash Descriptor. There is also no word about who or what enforces those permissions. I would like to at least get information on whether those bits are useful. If yes, then how can I leverage that mechanism to protect my platform and test if this is really secure?
Hello, pietrushnic:
Thanks for your reply.
The Master region contains the hardware security settings for the flash, granting read/write permissions for each region and identifying each master. If you can modify this section to secure a region and you are still able to flash it, it seems that you are doing it improperly, or some overriding region access strap might have been implemented. Please refer to the information stated in section 4.3.2 of the Bay Trail-T/I SoC SPI Flash Programming Guide Application Note (https://cdrd.intel.com/v1/dl/getContent/514482), document # 514482, where this information and more details are stated.
This document is accessible to you using a Resource & Design Center (RDC) privileged account.
If you want an RDC account, please request it by filling out the Resource & Design Center Account Support form (https://www.intel.com/content/www/us/en/forms/design/contact-support.html).
We hope that this information may help you.
Best regards,
Carlos_A.
