erebion/coreboot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
coreboot/src/security/lockdown/Kconfig
Angel Pons d21b463fb0 security/intel: Add option to enable SMM flash access only 
On platforms where the boot media can be updated externally, e.g.
using a BMC, add the possibility to enable writes in SMM only. This
allows to protect the BIOS region even without the use of vboot, but
keeps SMMSTORE working for use in payloads. Note that this breaks
flashconsole, since the flash becomes read-only.

Tested on Asrock B85M Pro4 and HP 280 G2, SMM BIOS write protection
works as expected, and SMMSTORE can still be used.

Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/40830
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
2021-06-21 08:11:11 +00:00

124 lines
4.4 KiB
Text
Raw Blame History

choice
prompt "Boot media protection mechanism"
default BOOTMEDIA_LOCK_NONE
config BOOTMEDIA_LOCK_NONE
bool "Don't lock boot media sections"
config BOOTMEDIA_LOCK_CONTROLLER
bool "Lock boot media using the controller"
help
Select this if you want the controller to lock specific regions.
This only works on some platforms, please check the code or boot log.
On Intel platforms for e.g. this will make use of the SPIBAR PRRs.
config BOOTMEDIA_LOCK_CHIP
bool "Lock boot media using the chip"
help
Select this if you want the chip to lock specific regions.
This only works on some chips, please check the code or search the
boot log for "BM-LOCKDOWN".
endchoice
choice
prompt "Boot media protected regions"
depends on !BOOTMEDIA_LOCK_NONE
default BOOTMEDIA_LOCK_WHOLE_RO
config BOOTMEDIA_LOCK_WHOLE_RO
bool "Write-protect the whole boot medium"
help
Select this if you want to write-protect the whole firmware boot
medium.
The locking will take place during the chipset lockdown.
Chipset lockdown is platform specific und might be done unconditionally,
when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
(e.g. by the payload or the OS).
NOTE: If you trigger the chipset lockdown unconditionally,
you won't be able to write to the whole flash chip using the
internal controller any more.
config BOOTMEDIA_LOCK_WHOLE_NO_ACCESS
depends on BOOTMEDIA_LOCK_CONTROLLER
bool "Read- and write-protect the whole boot medium"
help
Select this if you want to protect the firmware boot medium against
all further accesses. On platforms that memory map a part of the
boot medium the corresponding region is still readable.
The locking will take place during the chipset lockdown.
Chipset lockdown is platform specific und might be done unconditionally,
when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
(e.g. by the payload or the OS).
NOTE: If you trigger the chipset lockdown unconditionally,
you won't be able to write to the whole flash chip using the
internal controller any more.
config BOOTMEDIA_LOCK_WPRO_VBOOT_RO
bool "Write-protect WP_RO FMAP region in boot medium"
depends on VBOOT
help
Select this if you want to write-protect the WP_RO region as specified
in the VBOOT FMAP. You will be able to write every region outside
of WP_RO using the internal controller (eg. FW_MAIN_A/FW_MAIN_B).
In case of BOOTMEDIA_LOCK_IN_VERSTAGE the locking will take place
early, preventing locking of facilities used in ramstage, like the
MRC cache. If not using BOOTMEDIA_LOCK_IN_VERSTAGE the chipset lockdown
is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or
has to be triggered later (e.g. by the payload or the OS).
endchoice
config BOOTMEDIA_LOCK_IN_VERSTAGE
depends on BOOTMEDIA_LOCK_WPRO_VBOOT_RO
bool "Lock boot media down in verstage"
help
Select this if you want to write-protect the WP_RO region as soon as
possible. This option prevents using write protecting facilities in
ramstage, like the MRC cache for example.
Use this option if you don't trust code running after verstage.
config BOOTMEDIA_SMM_BWP
bool "Boot media only writable in SMM"
depends on !CONSOLE_SPI_FLASH
depends on BOOT_DEVICE_SPI_FLASH && HAVE_SMI_HANDLER
depends on SOUTHBRIDGE_INTEL_COMMON_SPI || SOC_INTEL_COMMON_BLOCK_SPI
select SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE if SOC_INTEL_COMMON_BLOCK_SPI
help
Only allow flash writes in SMM. Select this if you want to use SMMSTORE
while also preventing unauthorized writes through the internal controller.
Note that this breaks flashconsole, since the flash becomes read-only.
choice
prompt "SPI Flash write protection duration"
default BOOTMEDIA_SPI_LOCK_REBOOT
depends on BOOTMEDIA_LOCK_CHIP
depends on BOOT_DEVICE_SPI_FLASH
config BOOTMEDIA_SPI_LOCK_REBOOT
bool "Lock SPI flash until next reboot"
help
The SPI chip is locked until power is removed and re-applied.
Supported by Winbond parts.
config BOOTMEDIA_SPI_LOCK_PIN
bool "Lock SPI flash using WP# pin"
help
The SPI chip is locked using a non-volatile configuration bit. Writes
are only possible if the WP# is not asserted. Supported by Winbond
and Macronix parts.
config BOOTMEDIA_SPI_LOCK_PERMANENT
bool "Lock SPI flash permanently"
help
The SPI chip is permanently locked using a non-volatile configuration
bit. No writes are ever possible again after we perform the lock.
Supported by Winbond parts.
endchoice
Reference in a new issue View git blame Copy permalink