From 78feacc44057916161365d079ae92aa0baa679f8 Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Tue, 3 Dec 2019 19:43:06 +0100 Subject: security: Add common boot media write protection Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply settings on all platforms that supports it yet. Also remove the Intel southbridge code, which is now obsolete. Every platform locks the SPIBAR in a different stage. For align up with the common mrc cache driver and lock after it has been written to. Tested on Supermicro X11SSH-TF. The whole address space is write-protected. Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183 Signed-off-by: Patrick Rudolph Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese Reviewed-by: Julius Werner --- src/security/Kconfig | 1 + 1 file changed, 1 insertion(+) (limited to 'src/security/Kconfig') diff --git a/src/security/Kconfig b/src/security/Kconfig index b967311345..65d2defe7d 100644 --- a/src/security/Kconfig +++ b/src/security/Kconfig @@ -15,3 +15,4 @@ source "src/security/vboot/Kconfig" source "src/security/tpm/Kconfig" source "src/security/memory/Kconfig" source "src/security/intel/Kconfig" +source "src/security/lockdown/Kconfig" -- cgit v1.2.3
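Review bot: The added `source "src/security/lockdown/Kconfig"` line at the end of src/security/Kconfig refers to a file that this view, limited to src/security/Kconfig, does not show. Please confirm that src/security/lockdown/Kconfig is created in the same commit, because a sourced file that does not exist stops Kconfig from parsing for every board. The line is also sourced unconditionally, while the commit message says the settings are applied only on platforms that support boot_device_wp_region(). The lockdown Kconfig should therefore gate its options on that support and state its default explicitly, so a board without write-protect support cannot select a protection setting that is never enforced. Since the message says the Intel southbridge code is removed as obsolete, boards that relied on it need their configs checked so they do not silently end up with no boot media lock. It would also help to document in the option help text that the lock is applied after the MRC cache has been written, as the message describes, and what "the whole address space is write-protected" means for later cache updates.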