Christian Walter uploaded patch set #3 to the change originally created by Patrick Rudolph.

security/lockdown: Write-protect WP_RO

Add another choice to boot media protection and write-protect WP_RO
in case VBOOT is enabled. Also add ability to choose when to lock
bootmedia, either in VERSTAGE if VBOOT is enabled - otherwise in
RAMSTAGE.

Tested on Lenovo T520:
The WP_RO region is write-protected.

Tested on Up Squared:
The WP_RO region is write-protected in the verstage/ramstage.

Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
---
M src/security/lockdown/Kconfig
M src/security/lockdown/Makefile.inc
M src/security/lockdown/bootmedia.c
A src/security/lockdown/bootmedia.h
M src/security/vboot/verstage.c
5 files changed, 79 insertions(+), 5 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/32705/3

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Gerrit-Change-Number: 32705
Gerrit-PatchSet: 3
Gerrit-Owner: Patrick Rudolph <patrick.rudolph@9elements.com>
Gerrit-Reviewer: Aaron Durbin <adurbin@chromium.org>
Gerrit-Reviewer: Christian Walter <christian.walter@9elements.com>
Gerrit-Reviewer: Frans Hendriks <fhendriks@eltan.com>
Gerrit-Reviewer: Martin Roth <martinroth@google.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph@9elements.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Patrick Rudolph <siro@das-labor.org>
Gerrit-CC: Paul Menzel <paulepanter@users.sourceforge.net>
Gerrit-CC: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-MessageType: newpatchset