Fail immediately when trying to write/erase wp regions

This patch introduces chipset-level protections and adds checks that abort writing to flash if any of the requested regions are write-protected by chip, dynamically by a chipset, or are defined as read-only. This change is done so it's harder for user to brick his own platform. Information about read-only regions can easily be missed as flashrom can output a lot of information on screen. Even if you notice you might not know if one of the regions you requested falls inside read-only range, especially if using different names for those regions. If you are flashing multiple regions or ones that partially overlap with read-only parts then that could result in flashrom failing in the middle leaving you in unknown state. This patch was tested with multiple combinations of unprotected/protected regions: - dummy programmer ```sh flashrom -p dummy:hwwp=yes,emulate=S25FL128L --wp-enable \ --wp-range 0x00040000,0x00fc0000 \ -l <(echo '00000000:0004ffff part1') -i part1 -E ``` - internal programmer on Protectli VP6670 with Dasharo UEFI firmware with locked BIOS boot medium (PR0, part of bios region) ```sh flashrom -p internal --ifd -i me -i bios -w test.rom ``` Normal reads and flashing non-protected regions was also tested. Change-Id: Ia0dd847923e20ff0081ceae68984369e98952c2f Signed-off-by: Michał Iwanicki <michal.iwanicki@3mdeb.com> Reviewed-on: https://review.coreboot.org/c/flashrom/+/89222 Reviewed-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Anastasia Klimchuk <aklm@chromium.org>
2025-10-13 22:10:23 +02:00 · 2025-09-17 14:14:42 +02:00
parent 45fc49e99b
commit 2a092bbef7
5 changed files with 154 additions and 12 deletions
--- a/include/layout.h
+++ b/include/layout.h
@@ -57,6 +57,11 @@ struct romentry {
 	struct flash_region region;
 };

+struct protected_ranges {
+	int count;
+	struct flash_region *ranges;
+};
+
 struct flashrom_layout;

 struct layout_include_args;
@@ -80,5 +85,11 @@ void prepare_layout_for_extraction(struct flashrom_flashctx *);
 int layout_sanity_checks(const struct flashrom_flashctx *);
 int check_for_unwritable_regions(const struct flashrom_flashctx *flash, unsigned int start, unsigned int len);
 void get_flash_region(const struct flashrom_flashctx *flash, int addr, struct flash_region *region);
+/*
+ * Return chipset-level protections.
+ * ranges parameter has to be freed by the caller with release_protected_ranges
+ */
+void get_protected_ranges(const struct flashrom_flashctx *flash, struct protected_ranges *ranges);
+void release_protected_ranges(const struct flashrom_flashctx *flash, struct protected_ranges *ranges);

 #endif /* !__LAYOUT_H__ */
--- a/include/programmer.h
+++ b/include/programmer.h
@@ -397,6 +397,12 @@ struct opaque_master {
 	enum flashrom_wp_result (*wp_read_cfg)(struct flashrom_wp_cfg *, struct flashctx *);
 	enum flashrom_wp_result (*wp_get_ranges)(struct flashrom_wp_ranges **, struct flashctx *);
 	void (*get_region)(const struct flashctx *flash, unsigned int addr, struct flash_region *region);
+	/*
+	 * Returns chipset-level protections (e.g., when SPI controller refuses
+	 * to pass read/write commands to the flash chip based on chipset's
+	 * configuration)
+	 */
+	void (*get_protected_ranges)(struct protected_ranges *);
 	int (*shutdown)(void *data);
 	void (*delay) (const struct flashctx *flash, unsigned int usecs);
 	void *data;