[U-Boot] [PATCH v2 2/2] spi: Add SPI NOR protection mechanism

Jagan Teki jteki at openedev.com
Tue Sep 29 23:12:24 CEST 2015


On 29 September 2015 at 17:37, Fabio Estevam
<fabio.estevam at freescale.com> wrote:
> Many SPI flashes have protection bits (BP2, BP1 and BP0) in the
> status register that can protect selected regions of the SPI NOR.
>
> Take these bits into account when performing erase operations,
> making sure that the protected areas are skipped.
>
> Introduce the CONFIG_SPI_FLASH_STM_PROTECT option that can be
> selectedby systems that want to protect regions of SPI NOR flash
> using the same programming model as in the ST Micro SPI NOR flashes,
> like for example the M25P32.
>
> Based on the implementation from Brian Norris <computersforpeace at gmail.com>
> for the Linux kernel:
> https://patchwork.ozlabs.org/patch/513041/
>
> Tested on a mx6qsabresd:
>
> => sf probe
> SF: Detected M25P32 with page size 256 Bytes, erase size 64 KiB, total 4 MiB
> => sf protect on  0x3f0000 0x10000
> => sf erase 0x3f0000 0x10000
> offset 0x3f0000 is protected and cannot be erased
> SF: 65536 bytes @ 0x3f0000 Erased: ERROR
> => sf protect off  0x3f0000 0x10000
> => sf erase 0x3f0000 0x10000
> SF: 65536 bytes @ 0x3f0000 Erased: OK
>
> Signed-off-by: Fabio Estevam <fabio.estevam at freescale.com>
> ---
> Changes since v1:
> - Add CONFIG_SPI_FLASH_STM_PROTECT in the Kconfig as suggested by
> Stefan Roese
>
>  common/cmd_sf.c               |  30 +++++++
>  drivers/mtd/spi/Kconfig       |  15 ++++
>  drivers/mtd/spi/sf_internal.h |   6 --
>  drivers/mtd/spi/sf_ops.c      | 188 ++++++++++++++++++++++++++++++++++++++++++
>  include/spi_flash.h           |  25 +++++-
>  5 files changed, 256 insertions(+), 8 deletions(-)
>
> diff --git a/common/cmd_sf.c b/common/cmd_sf.c
> index ac7f5df..a31243f 100644
> --- a/common/cmd_sf.c
> +++ b/common/cmd_sf.c
> @@ -348,6 +348,28 @@ static int do_spi_flash_erase(int argc, char * const argv[])
>         return ret == 0 ? 0 : 1;
>  }
>
> +#ifdef CONFIG_SPI_FLASH_STM_PROTECT

Drop this vendor specific macro on command code (usually command code
deals generic-ness)

> +static int do_spi_protect(int argc, char * const argv[])
> +{
> +       int start, len, ret = 0;
> +
> +       if (argc != 4)
> +               return -1;
> +
> +       start = simple_strtoull(argv[2], NULL, 16);
> +       len = simple_strtoull(argv[3], NULL, 16);

Use proper endptr - see the sample code on same file.

> +
> +       if (strcmp(argv[1], "on") == 0)
> +               ret = stm_lock(flash, start, len);
> +       else if (strcmp(argv[1], "off") == 0)
> +               ret = stm_unlock(flash, start, len);
> +       else
> +               return -1;  /* Unknown parameter */

Again stm_* vendor calls, use spi_flash_protect(flash, start, end,
prot) then in spi_flash.c call functions flash->lock and flash->unlock
like read/write ops.

> +
> +       return ret == 0 ? 0 : 1;
> +}
> +#endif
> +
>  #ifdef CONFIG_CMD_SF_TEST
>  enum {
>         STAGE_ERASE,
> @@ -540,6 +562,10 @@ static int do_spi_flash(cmd_tbl_t *cmdtp, int flag, int argc,
>                 ret = do_spi_flash_read_write(argc, argv);
>         else if (strcmp(cmd, "erase") == 0)
>                 ret = do_spi_flash_erase(argc, argv);
> +#ifdef CONFIG_SPI_FLASH_STM_PROTECT
> +       else if (strcmp(cmd, "protect") == 0)
> +               ret = do_spi_protect(argc, argv);
> +#endif
>  #ifdef CONFIG_CMD_SF_TEST
>         else if (!strcmp(cmd, "test"))
>                 ret = do_spi_flash_test(argc, argv);
> @@ -579,5 +605,9 @@ U_BOOT_CMD(
>         "sf update addr offset|partition len    - erase and write `len' bytes from memory\n"
>         "                                         at `addr' to flash at `offset'\n"
>         "                                         or to start of mtd `partition'\n"
> +#ifdef CONFIG_SPI_FLASH_STM_PROTECT
> +       "sf protect on/off sector len           - protect/unprotect 'len' bytes starting\n"
> +       "                                         at address 'sector'\n"
> +#endif
>         SF_TEST_HELP
>  );
> diff --git a/drivers/mtd/spi/Kconfig b/drivers/mtd/spi/Kconfig
> index 3f7433c..2ee1089 100644
> --- a/drivers/mtd/spi/Kconfig
> +++ b/drivers/mtd/spi/Kconfig
> @@ -101,6 +101,21 @@ config SPI_FLASH_USE_4K_SECTORS
>           Please note that some tools/drivers/filesystems may not work with
>           4096 B erase size (e.g. UBIFS requires 15 KiB as a minimum).
>
> +config SPI_FLASH_STM_PROTECT
> +       bool "Use STM flash protection mechanism"
> +       depends on SPI_FLASH
> +       help
> +         Enable the built-in protection mechanism provided by the
> +         BP2, BP1 and BP0 bits from the status register present
> +         on ST-Micro flashes such as M25P32. Please refer to the
> +         M25P32 datasheet to understand how to program these bits
> +         in order to protect a selected region of the SPI NOR flash.
> +
> +         This same bit protection programming model applies to SPI
> +         NOR flashes from other manufacturers such as:
> +         - Micron M25P32
> +         - SST SST25V32B
> +
>  config SPI_FLASH_DATAFLASH
>         bool "AT45xxx DataFlash support"
>         depends on SPI_FLASH && DM_SPI_FLASH
> diff --git a/drivers/mtd/spi/sf_internal.h b/drivers/mtd/spi/sf_internal.h
> index 9c95d56..e66a62b 100644
> --- a/drivers/mtd/spi/sf_internal.h
> +++ b/drivers/mtd/spi/sf_internal.h
> @@ -162,12 +162,6 @@ int spi_flash_cmd_write(struct spi_slave *spi, const u8 *cmd, size_t cmd_len,
>  /* Flash erase(sectors) operation, support all possible erase commands */
>  int spi_flash_cmd_erase_ops(struct spi_flash *flash, u32 offset, size_t len);
>
> -/* Read the status register */
> -int spi_flash_cmd_read_status(struct spi_flash *flash, u8 *rs);
> -
> -/* Program the status register */
> -int spi_flash_cmd_write_status(struct spi_flash *flash, u8 ws);
> -
>  /* Read the config register */
>  int spi_flash_cmd_read_config(struct spi_flash *flash, u8 *rc);
>
> diff --git a/drivers/mtd/spi/sf_ops.c b/drivers/mtd/spi/sf_ops.c
> index 900ec1f..e12f8ee 100644
> --- a/drivers/mtd/spi/sf_ops.c
> +++ b/drivers/mtd/spi/sf_ops.c
> @@ -573,3 +573,191 @@ int sst_write_bp(struct spi_flash *flash, u32 offset, size_t len,
>         return ret;
>  }
>  #endif
> +
> +#ifdef CONFIG_SPI_FLASH_STM_PROTECT
> +#define SR_BP0                 BIT(2)  /* Block protect 0 */
> +#define SR_BP1                 BIT(3)  /* Block protect 1 */
> +#define SR_BP2                 BIT(4)  /* Block protect 2 */
> +
> +static void stm_get_locked_range(struct spi_flash *nor, u8 sr, loff_t *ofs,
> +                                u32 *len)
> +{
> +       u8 mask = SR_BP2 | SR_BP1 | SR_BP0;
> +       int shift = ffs(mask) - 1;
> +       int pow;
> +
> +       if (!(sr & mask)) {
> +               /* No protection */
> +               *ofs = 0;
> +               *len = 0;
> +       } else {
> +               pow = ((sr & mask) ^ mask) >> shift;
> +               *len = nor->size >> pow;
> +               *ofs = nor->size - *len;
> +       }
> +}
> +
> +/*
> + * Return 1 if the entire region is locked, 0 otherwise
> + */
> +static int stm_is_locked_sr(struct spi_flash *nor, loff_t ofs, u32 len,
> +                           u8 sr)
> +{
> +       loff_t lock_offs;
> +       u32 lock_len;
> +
> +       stm_get_locked_range(nor, sr, &lock_offs, &lock_len);
> +
> +       return (ofs + len <= lock_offs + lock_len) && (ofs >= lock_offs);
> +}
> +
> +/*
> + * Check if a region of the flash is (completely) locked. See stm_lock() for
> + * more info.
> + *
> + * Returns 1 if entire region is locked, 0 if any portion is unlocked, and
> + * negative on errors.
> + */
> +int stm_is_locked(struct spi_flash *nor, loff_t ofs, u32 len)
> +{
> +       int status;
> +       u8 sr;
> +
> +       status = spi_flash_cmd_read_status(nor, &sr);
> +       if (status < 0)
> +               return status;
> +
> +       return stm_is_locked_sr(nor, ofs, len, sr);
> +}
> +
> +/*
> + * Lock a region of the flash. Compatible with ST Micro and similar flash.
> + * Supports only the block protection bits BP{0,1,2} in the status register
> + * (SR). Does not support these features found in newer SR bitfields:
> + *   - TB: top/bottom protect - only handle TB=0 (top protect)
> + *   - SEC: sector/block protect - only handle SEC=0 (block protect)
> + *   - CMP: complement protect - only support CMP=0 (range is not complemented)
> + *
> + * Sample table portion for 8MB flash (Winbond w25q64fw):
> + *
> + *   SEC  |  TB   |  BP2  |  BP1  |  BP0  |  Prot Length  | Protected Portion
> + *  --------------------------------------------------------------------------
> + *    X   |   X   |   0   |   0   |   0   |  NONE         | NONE
> + *    0   |   0   |   0   |   0   |   1   |  128 KB       | Upper 1/64
> + *    0   |   0   |   0   |   1   |   0   |  256 KB       | Upper 1/32
> + *    0   |   0   |   0   |   1   |   1   |  512 KB       | Upper 1/16
> + *    0   |   0   |   1   |   0   |   0   |  1 MB         | Upper 1/8
> + *    0   |   0   |   1   |   0   |   1   |  2 MB         | Upper 1/4
> + *    0   |   0   |   1   |   1   |   0   |  4 MB         | Upper 1/2
> + *    X   |   X   |   1   |   1   |   1   |  8 MB         | ALL
> + *
> + * Returns negative on errors, 0 on success.
> + */
> +int stm_lock(struct spi_flash *nor, u32 ofs, u32 len)
> +{
> +       u8 status_old, status_new;
> +       u8 mask = SR_BP2 | SR_BP1 | SR_BP0;
> +       u8 shift = ffs(mask) - 1, pow, val;
> +
> +       spi_flash_cmd_read_status(nor, &status_old);
> +
> +       /* SPI NOR always locks to the end */
> +       if (ofs + len != nor->size) {
> +               /* Does combined region extend to end? */
> +               if (!stm_is_locked_sr(nor, ofs + len, nor->size - ofs - len,
> +                                     status_old))
> +                       return -EINVAL;
> +               len = nor->size - ofs;
> +       }
> +
> +       /*
> +        * Need smallest pow such that:
> +        *
> +        *   1 / (2^pow) <= (len / size)
> +        *
> +        * so (assuming power-of-2 size) we do:
> +        *
> +        *   pow = ceil(log2(size / len)) = log2(size) - floor(log2(len))
> +        */
> +       pow = __ilog2(nor->size) - __ilog2(len);
> +       val = mask - (pow << shift);
> +       if (val & ~mask)
> +               return -EINVAL;
> +
> +       /* Don't "lock" with no region! */
> +       if (!(val & mask))
> +               return -EINVAL;
> +
> +       status_new = (status_old & ~mask) | val;
> +
> +       /* Only modify protection if it will not unlock other areas */
> +       if ((status_new & mask) <= (status_old & mask))
> +               return -EINVAL;
> +
> +       spi_flash_cmd_write_status(nor, status_new);
> +
> +       return 0;
> +}
> +
> +/*
> + * Unlock a region of the flash. See stm_lock() for more info
> + *
> + * Returns negative on errors, 0 on success.
> + */
> +int stm_unlock(struct spi_flash *nor, u32 ofs, u32 len)
> +{
> +       uint8_t status_old, status_new;
> +       u8 mask = SR_BP2 | SR_BP1 | SR_BP0;
> +       u8 shift = ffs(mask) - 1, pow, val;
> +
> +       spi_flash_cmd_read_status(nor, &status_old);
> +
> +       /* Cannot unlock; would unlock larger region than requested */
> +       if (stm_is_locked_sr(nor, status_old, ofs - nor->erase_size,
> +                            nor->erase_size))
> +               return -EINVAL;
> +       /*
> +        * Need largest pow such that:
> +        *
> +        *   1 / (2^pow) >= (len / size)
> +        *
> +        * so (assuming power-of-2 size) we do:
> +        *
> +        *   pow = floor(log2(size / len)) = log2(size) - ceil(log2(len))
> +        */
> +       pow = __ilog2(nor->size) - order_base_2(nor->size - (ofs + len));
> +       if (ofs + len == nor->size) {
> +               val = 0; /* fully unlocked */
> +       } else {
> +               val = mask - (pow << shift);
> +               /* Some power-of-two sizes are not supported */
> +               if (val & ~mask)
> +                       return -EINVAL;
> +       }
> +
> +       status_new = (status_old & ~mask) | val;
> +
> +       /* Only modify protection if it will not lock other areas */
> +       if ((status_new & mask) >= (status_old & mask))
> +               return -EINVAL;
> +
> +       spi_flash_cmd_write_status(nor, status_new);
> +
> +       return 0;
> +}
> +#else
> +int stm_is_locked(struct spi_flash *nor, loff_t ofs, u32 len)
> +{
> +       return 0;
> +}
> +
> +int stm_lock(struct spi_flash *nor, u32 ofs, u32 len)
> +{
> +       return 0;
> +}
> +
> +int stm_unlock(struct spi_flash *nor, u32 ofs, u32 len)
> +{
> +       return 0;
> +}
> +#endif  /* CONFIG_SPI_FLASH_STM_PROTECT */
> diff --git a/include/spi_flash.h b/include/spi_flash.h
> index 3b2d555..434323e 100644
> --- a/include/spi_flash.h
> +++ b/include/spi_flash.h
> @@ -115,6 +115,17 @@ struct dm_spi_flash_ops {
>         int (*erase)(struct udevice *dev, u32 offset, size_t len);
>  };
>
> +
> +/* Read the status register */
> +int spi_flash_cmd_read_status(struct spi_flash *flash, u8 *rs);
> +
> +/* Program the status register */
> +int spi_flash_cmd_write_status(struct spi_flash *flash, u8 ws);
> +
> +int stm_is_locked(struct spi_flash *nor, loff_t ofs, u32 len);
> +int stm_lock(struct spi_flash *nor, u32 ofs, u32 len);
> +int stm_unlock(struct spi_flash *nor, u32 ofs, u32 len);
> +
>  /* Access the serial operations for a device */
>  #define sf_get_ops(dev) ((struct dm_spi_flash_ops *)(dev)->driver->ops)
>
> @@ -219,13 +230,23 @@ static inline int spi_flash_read(struct spi_flash *flash, u32 offset,
>  static inline int spi_flash_write(struct spi_flash *flash, u32 offset,
>                 size_t len, const void *buf)
>  {
> -       return flash->write(flash, offset, len, buf);
> +       if (stm_is_locked(flash, offset, len) > 0) {
> +               printf("offset 0x%x is protected and cannot be written\n", offset);
> +               return -EINVAL;
> +       } else {
> +               return flash->write(flash, offset, len, buf);
> +       }
>  }
>
>  static inline int spi_flash_erase(struct spi_flash *flash, u32 offset,
>                 size_t len)
>  {
> -       return flash->erase(flash, offset, len);
> +       if (stm_is_locked(flash, offset, len) > 0) {
> +               printf("offset 0x%x is protected and cannot be erased\n", offset);
> +               return -EINVAL;
> +       } else {
> +               return flash->erase(flash, offset, len);
> +       }

Please handle protect check on spi_ops instead of spi_flash, like
check the whether the sector is protected or not before erasing it.

>  }
>  #endif
>
> --
> 1.9.1
>

thanks!
-- 
Jagan.


More information about the U-Boot mailing list