Patrick Rudolph has uploaded a new patch set (#6) to the change originally created by Patrick Rudolph. ( https://review.coreboot.org/c/coreboot/+/32705 )
Change subject: security/lockdown: Write-protect WP_RO
security/lockdown: Write-protect WP_RO
Add a wrapper function boot_device_security_lockdown which wraps boot_device_wp_region to either lock (read/write) the WP_RO region or the complete boot device depending on the Kconfig. One can either lock the boot device in VERSTAGE if VBOOT is enabled, or in RAMSTAGE.
Tested on Lenovo T520: The WP_RO region is write-protected.
Tested on Up Squared: The WP_RO region is write-protected in the verstage/ramstage.
Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com
Signed-off-by: Christian Walter christian.walter@9elements.com
---
M src/include/boot_device.h
M src/security/lockdown/Kconfig
M src/security/lockdown/Makefile.inc
R src/security/lockdown/lockdown.c
M src/security/vboot/vboot_logic.c
5 files changed, 69 insertions(+), 7 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/32705/6