coreboot/src/security/lockdown/Kconfig

choice
	prompt "Boot media protection mechanism"
	default BOOTMEDIA_LOCK_NONE

config BOOTMEDIA_LOCK_NONE
	bool "Don't lock boot media sections"

config BOOTMEDIA_LOCK_CONTROLLER
	bool "Lock boot media using the controller"
	help
	  Select this if you want the controller to lock specific regions.
	  This only works on some platforms, please check the code or boot log.
	  On Intel platforms for e.g. this will make use of the SPIBAR PRRs.

config BOOTMEDIA_LOCK_CHIP
	bool "Lock boot media using the chip"
	help
	  Select this if you want the chip to lock specific regions.
	  This only works on some chips, please check the code or search the
	  boot log for "BM-LOCKDOWN".

endchoice

choice
	prompt "Boot media protected regions"
	depends on !BOOTMEDIA_LOCK_NONE
	default BOOTMEDIA_LOCK_WHOLE_RO

config BOOTMEDIA_LOCK_WHOLE_RO
	bool "Write-protect the whole boot medium"
	help
	  Select this if you want to write-protect the whole firmware boot
	  medium.

	  The locking will take place during the chipset lockdown.
	  Chipset lockdown is platform specific und might be done unconditionally,
	  when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
	  (e.g. by the payload or the OS).

	  NOTE: If you trigger the chipset lockdown unconditionally,
	  you won't be able to write to the whole flash chip using the
	  internal controller any more.

config BOOTMEDIA_LOCK_WHOLE_NO_ACCESS
	depends on BOOTMEDIA_LOCK_CONTROLLER
	bool "Read- and write-protect the whole boot medium"
	help
	  Select this if you want to protect the firmware boot medium against
	  all further accesses. On platforms that memory map a part of the
	  boot medium the corresponding region is still readable.

	  The locking will take place during the chipset lockdown.
	  Chipset lockdown is platform specific und might be done unconditionally,
	  when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
	  (e.g. by the payload or the OS).

	  NOTE: If you trigger the chipset lockdown unconditionally,
	  you won't be able to write to the whole flash chip using the
	  internal controller any more.

config BOOTMEDIA_LOCK_WPRO_VBOOT_RO
	bool "Write-protect WP_RO FMAP region in boot medium"
	depends on VBOOT
	help
	  Select this if you want to write-protect the WP_RO region as specified
	  in the VBOOT FMAP. You will be able to write every region outside
	  of WP_RO using the internal controller (eg. FW_MAIN_A/FW_MAIN_B).
	  In case of BOOTMEDIA_LOCK_IN_VERSTAGE the locking will take place
	  early, preventing locking of facilities used in ramstage, like the
	  MRC cache. If not using BOOTMEDIA_LOCK_IN_VERSTAGE the chipset lockdown
	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or
	  has to be triggered later (e.g. by the payload or the OS).

endchoice

config BOOTMEDIA_LOCK_IN_VERSTAGE
	depends on BOOTMEDIA_LOCK_WPRO_VBOOT_RO
	bool "Lock boot media down in verstage"
	help
	  Select this if you want to write-protect the WP_RO region as soon as
	  possible. This option prevents using write protecting facilities in
	  ramstage, like the MRC cache for example.
	  Use this option if you don't trust code running after verstage.

choice
	prompt "SPI Flash write protection duration"
	default BOOTMEDIA_SPI_LOCK_REBOOT
	depends on BOOTMEDIA_LOCK_CHIP
	depends on BOOT_DEVICE_SPI_FLASH

config BOOTMEDIA_SPI_LOCK_REBOOT
	bool "Lock SPI flash until next reboot"
	help
	  The SPI chip is locked until power is removed and re-applied.
	  Supported by Winbond parts.

config BOOTMEDIA_SPI_LOCK_PIN
	bool "Lock SPI flash using WP# pin"
	help
	  The SPI chip is locked using a non-volatile configuration bit. Writes
	  are only possible if the WP# is not asserted. Supported by Winbond
	  and Macronix parts.

config BOOTMEDIA_SPI_LOCK_PERMANENT
	bool "Lock SPI flash permanently"
	help
	  The SPI chip is permanently locked using a non-volatile configuration
	  bit. No writes are ever possible again after we perform the lock.
	  Supported by Winbond parts.

endchoice