Attention is currently required from: Patrick Rudolph, Angel Pons.
Angel Pons uploaded patch set #3 to the change originally created by Patrick Rudolph.
security/intel: Add option to enable SMM flash access only
On platforms where the boot media can be updated externally, e.g.
using a BMC, add the possibility to enable writes in SMM only. This
allows to protect the BIOS region even without the use of vboot, but
keeps SMMSTORE working for use in payloads. Note that this breaks
flashconsole, since the flash becomes read-only.
Do not add the option to soc/intel platforms yet. The SMI# handler does
not clear all status bits, and boards lock up because of a SMI# storm.
The SMI# storm issues are going to be addressed in subsequent commits.
Tested on Asrock B85M Pro4, SMM protection works as expected.
Signed-off-by: Patrick Rudolph <email@example.com>
Signed-off-by: Angel Pons <firstname.lastname@example.org>
4 files changed, 49 insertions(+), 8 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/30/40830/3
To view, visit change 40830. To unsubscribe, or for help writing mail filters, visit settings.