protection

Add support for runtime control of BIOS lock (BOOTMEDIA_SMM_BWP) via the CFR option API. This allows users to enable/disable BIOS write protection in SMM through the setup menu when explicitly enabled.

The implementation adds a new "bios_lock" CFR option that:

- Controls SMM BIOS write protection at runtime
- Sets EISS (Enable InSMM.STS) when enabled
- Enables SPI/LPC write protection in SMM
- Prevents unauthorised BIOS modifications outside SMM

Security model:

- Runtime control is opt-in via BOOTMEDIA_SMM_BWP_RUNTIME_OPTION config
- When disabled, the option is suppressed in CFR (not exposed in UI)
- Compile-time CONFIG(BOOTMEDIA_SMM_BWP) serves as the default/fallback
- Protects against unauthorised EFI variable modifications, bypassing BIOS lock when the runtime option is not enabled

The option is integrated into Intel's common lockdown code and SMI handlers, replacing compile-time-only checks with conditional runtime lookups where BOOTMEDIA_SMM_BWP_RUNTIME_OPTION is enabled.

Change-Id: Ie3b63462501e0d204c33dc3f8a006b73da0899d3
Signed-off-by: Matt DeVillier <matt.devillier@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/89919
Reviewed-by: Werner Zeh <werner.zeh@siemens.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Files:

- Kconfig
- lockdown.c
- lockdown.h
- Makefile.mk