diff options
| author | Daniel Gröber <dxld@darkboxed.org> | 2020-05-26 22:18:44 +0200 |
|---|---|---|
| committer | Patrick Georgi <pgeorgi@google.com> | 2020-06-22 12:27:08 +0000 |
| commit | 16dbbeb8959a07bbe873aac13579d65129c0ee0d (patch) | |
| tree | da2c9e2a4f91725a95ec6e7b104d94a2af8b4cbe | |
| parent | 231020132c0c4e21be9e7e6028ac5d0fc676607c (diff) | |
| download | coreboot-16dbbeb8959a07bbe873aac13579d65129c0ee0d.tar.xz | |
lockdown: Add Kconfigs for SPI media protection mode
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors
such as Macronix only support permanent protection but conditional on
the WP# pin state.
Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41747
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
| -rw-r--r-- | src/drivers/spi/boot_device_rw_nommap.c | 12 | ||||
| -rw-r--r-- | src/security/lockdown/Kconfig | 28 |
2 files changed, 38 insertions, 2 deletions
diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c index ba11d05d99..58efc87fe9 100644 --- a/src/drivers/spi/boot_device_rw_nommap.c +++ b/src/drivers/spi/boot_device_rw_nommap.c @@ -96,9 +96,17 @@ int boot_device_wp_region(const struct region_device *rd, if (type == MEDIA_WP) { if (spi_flash_is_write_protected(boot_dev, region_device_region(rd)) != 1) { + enum spi_flash_status_reg_lockdown lock = + SPI_WRITE_PROTECTION_REBOOT; + if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT)) + lock = SPI_WRITE_PROTECTION_REBOOT; + else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN)) + lock = SPI_WRITE_PROTECTION_PIN; + else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT)) + lock = SPI_WRITE_PROTECTION_PERMANENT; + return spi_flash_set_write_protected(boot_dev, - region_device_region(rd), - SPI_WRITE_PROTECTION_REBOOT); + region_device_region(rd), lock); } /* Already write protected */ diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index 30b5237ffc..97094ff2e7 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig @@ -82,3 +82,31 @@ config BOOTMEDIA_LOCK_IN_VERSTAGE possible. This option prevents using write protecting facilities in ramstage, like the MRC cache for example. Use this option if you don't trust code running after verstage. + +choice + prompt "SPI Flash write protection duration" + default BOOTMEDIA_SPI_LOCK_REBOOT + depends on BOOTMEDIA_LOCK_CHIP + depends on BOOT_DEVICE_SPI_FLASH + +config BOOTMEDIA_SPI_LOCK_REBOOT + bool "Lock SPI flash until next reboot" + help + The SPI chip is locked until power is removed and re-applied. + Supported by Winbond parts. + +config BOOTMEDIA_SPI_LOCK_PIN + bool "Lock SPI flash using WP# pin" + help + The SPI chip is locked using a non-volatile configuration bit. Writes + are only possible if the WP# is not asserted. Supported by Winbond + and Macronix parts. + +config BOOTMEDIA_SPI_LOCK_PERMANENT + bool "Lock SPI flash permanently" + help + The SPI chip is permanently locked using a non-volatile configuration + bit. No writes are ever possible again after we perform the lock. + Supported by Winbond parts. + +endchoice |