path: root/src/security/lockdown/lockdown.c
Diffstat (limited to 'src/security/lockdown/lockdown.c')
-rw-r--r--src/security/lockdown/lockdown.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c
index a8aad9b5eb..62d0a2914a 100644
--- a/src/security/lockdown/lockdown.c
+++ b/src/security/lockdown/lockdown.c
@@ -5,13 +5,15 @@
#include <commonlib/region.h>
#include <console/console.h>
#include <bootstate.h>
+#include <fmap.h>
/*
* Enables read- /write protection of the bootmedia.
*/
void boot_device_security_lockdown(void)
{
- const struct region_device *rdev;
+ const struct region_device *rdev = NULL;
+ struct region_device dev;
enum bootdev_prot_type lock_type;
printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme ");
@@ -23,19 +25,32 @@ void boot_device_security_lockdown(void)
} else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) {
printk(BIOS_DEBUG, "'no access'");
lock_type = CTRLR_RWP;
+ } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ printk(BIOS_DEBUG, "'WP_RO only'");
+ lock_type = CTRLR_WP;
}
printk(BIOS_DEBUG, "using CTRL...\n");
} else {
if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
printk(BIOS_DEBUG, "'readonly'");
lock_type = MEDIA_WP;
+ } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ printk(BIOS_DEBUG, "'WP_RO only'");
+ lock_type = MEDIA_WP;
}
printk(BIOS_DEBUG, "using flash chip...\n");
}
- rdev = boot_device_ro();
+ if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0)
+ printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
+ else
+ rdev = &dev;
+ } else {
+ rdev = boot_device_ro();
+ }
- if (boot_device_wp_region(rdev, lock_type) >= 0)
+ if (rdev && boot_device_wp_region(rdev, lock_type) >= 0)
printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n");
else
printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n");
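Review bot: In the new BOOTMEDIA_LOCK_WPRO_VBOOT_RO branch, a failed `fmap_locate_area_as_rdev("WP_RO", &dev)` leaves rdev NULL, so the function logs two errors and returns with no protection applied at all — a missing or corrupted FMAP turns the lockdown into a fail-open, and nothing downstream appears to check for that. Unless platform policy requires RW to stay writable even then, the safer failure mode is to fall back to the whole-device region, `rdev = boot_device_ro();`, after the error printk so a lookup failure still leaves the flash locked (at the cost of RW updates until the FMAP is repaired); if fail-open is intentional, say so next to the lookup, e.g. `/* NOTE: if WP_RO cannot be found nothing is locked — fail-open by design */`. Separately, lock_type is still never initialized when no BOOTMEDIA_LOCK_* option is selected (and on the flash-chip path with BOOTMEDIA_LOCK_WHOLE_NO_ACCESS), so boot_device_wp_region() is called with an indeterminate value; a `lock_type = CTRLR_WP;`-style default or an explicit `else` that returns would close that, though this predates the commit. The function's opening lines are in the previous hunk.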