Firmware SPI flash protection on Elgon GBC

The SPI flash contains the BL1 and BL31 firmware (coreboot) as well as the bootloader (LinuxBoot).

The SPI flash is divided into multiple regions using a layout called FMAP.

One part of the flash IC is always read-only, it's called WP_RO. The firmware that is stored in the read-only part verifies the firmware of the read-writeable part (called RW_SECTION_A or RW_SECTION_B) before executing them. That allows to do OTA firmware updates.

To make sure that a part of the flash is read-only, software and hardware mechanisms are used.

Hardware flash protection

The flash IC has a separate write protect enable pin (/WP) that is enabled regular operation. Only when connecting an external flash programmer, the write protection pin is disabled. That way only the hardware owner is able to erase the whole SPI flash.

Software side flash protection

The BL1 firmware verifies that the flash IC has been configured to honour the /WP pin.

By default it does not!

If the flash IC isn't write-protected the firmware enables write protection on the FMAP that is named WP_RO.

This needs to be done on the first boot only and takes about 50msec.

Errors

Any error enabling or verifying the SPI flash write-protection is considered fatal and will result in non-boot case.

The flash protection works only on specific regions of the flash. A non-aligned or size mismatched region might prevent programming flash protection, resulting in an error.

Internals

The flash protection utilises "SPI block protection bits" of the SPI flash status register. The layout of the status register is vendor and revision dependant.

At time of writing coreboot only supports Winbond flash IC block protections.