Patrick Rudolph has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/40829 )
Change subject: [WIP]security: Add option to lock regions for SMMSTORE ......................................................................
[WIP]security: Add option to lock regions for SMMSTORE
On many server boards the flash is updateable out of band using the BMC and the bios region doesn't need to be writeable except for the SMM_STORE.
Add an option to write-protect the COREBOOT and FMAP region.
UNTESTED.
Change-Id: I1096be9650f2af3e886f12f7db50c5060e0d40e1 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com --- M src/security/lockdown/Kconfig M src/security/lockdown/lockdown.c 2 files changed, 36 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/29/40829/1
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index 30b5237..d24c5e5 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig @@ -72,6 +72,23 @@ is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. by the payload or the OS).
+config BOOTMEDIA_LOCK_COREBOOT_FMAP_RO + depends on BOOTMEDIA_LOCK_CONTROLLER + bool "Write-protect COREBOOT and FMAP region in boot medium" + help + Select this if you want to write-protect the COREBOOT and FMAP region + as specified in the FMAP. You will be able to write every region outside + of COREBOOT and FMAP using the internal controller (eg. SMM_STORE). + + The locking will take place during the chipset lockdown. + Chipset lockdown is platform specific und might be done unconditionally, + when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later + (e.g. by the payload or the OS). + + NOTE: If you trigger the chipset lockdown unconditionally, + you won't be able to write to update coreboot using the internal + controller any more. + endchoice
config BOOTMEDIA_LOCK_IN_VERSTAGE diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index 62d0a29..b4698d7 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -28,8 +28,11 @@ } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { printk(BIOS_DEBUG, "'WP_RO only'"); lock_type = CTRLR_WP; + } else if (CONFIG(BOOTMEDIA_LOCK_COREBOOT_FMAP_RO)) { + printk(BIOS_DEBUG, "'COREBOOT and FMAP'"); + lock_type = CTRLR_WP; } - printk(BIOS_DEBUG, "using CTRL...\n"); + printk(BIOS_DEBUG, " using CTRL...\n"); } else { if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) { printk(BIOS_DEBUG, "'readonly'"); @@ -38,7 +41,7 @@ printk(BIOS_DEBUG, "'WP_RO only'"); lock_type = MEDIA_WP; } - printk(BIOS_DEBUG, "using flash chip...\n"); + printk(BIOS_DEBUG, " using flash chip...\n"); }
if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { @@ -46,6 +49,11 @@ printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n"); else rdev = &dev; + } else if (CONFIG(BOOTMEDIA_LOCK_COREBOOT_FMAP_RO)) { + if (fmap_locate_area_as_rdev("COREBOOT", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'COREBOOT'\n"); + else + rdev = &dev; } else { rdev = boot_device_ro(); } @@ -54,6 +62,15 @@ printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n"); else printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n"); + + if (CONFIG(BOOTMEDIA_LOCK_COREBOOT_FMAP_RO)) { + if (fmap_locate_area_as_rdev("FMAP", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'FMAP'\n"); + else if (boot_device_wp_region(&dev, lock_type) >= 0) + printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n"); + else + printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n"); + } }
static void lock(void *unused)