Attention is currently required from: Nico Huber. Hello Nico Huber,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/56344
to review the following change.
Change subject: security/lockdown: Add option to allow NVRAM override ......................................................................
security/lockdown: Add option to allow NVRAM override
Some blobs, e.g. Intel FSP, unconditionally lock protection registers even if their configuration can still be considered insecure. This makes them incompatible to coreboot's payload concept if the payload is in charge of bootmedia protection. To work around this, we add an option to allow coreboot's bootmedia protection to be skipped on re- quest. Naturally, the payload has to enforce its own rules when this option is enabled.
Change-Id: Iaed03a4c67ed895c3e54924739c3791d030586f3 Signed-off-by: Nico Huber nico.huber@secunet.com --- M src/security/lockdown/Kconfig M src/security/lockdown/lockdown.c 2 files changed, 23 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/44/56344/1
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index c3bedd0..ca10351d 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig @@ -130,3 +130,19 @@ Supported by Winbond parts.
endchoice + +config BOOTMEDIA_LOCK_NVRAM_OVERRIDE + bool "Allow NVRAM option to override lock decision" + depends on !BOOTMEDIA_LOCK_NONE + help + This option makes coreboot query an `inhibit_flashlock` NVRAM option. + If this option is enabled, locking will be skipped. This is useful, + for instance, if your payload is in charge of locking decisions and + a blob, e.g. FSP, doesn't allow payloads to enable locking. + + The NVRAM option will be reset by coreboot, so the opt-out is only + temporary. + + Only select this option if you have another software component that + takes care of security. Generally, unprivileged software can set + the NVRAM option. diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index b1ad512..44d92a9 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -4,6 +4,7 @@ #include <commonlib/region.h> #include <console/console.h> #include <bootstate.h> +#include <option.h> #include <fmap.h>
/* @@ -15,6 +16,12 @@ struct region_device dev; enum bootdev_prot_type lock_type;
+ if (CONFIG(BOOTMEDIA_LOCK_NVRAM_OVERRIDE) && get_uint_option("inhibit_flashlock", 0)) { + printk(BIOS_INFO, "BM-LOCKDOWN: Skipping boot media protection on NVRAM request"); + set_uint_option("inhibit_flashlock", 0); + return; + } + printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme ");
if (CONFIG(BOOTMEDIA_LOCK_CONTROLLER)) {