4 comments:
File src/security/lockdown/Kconfig:
Patch Set #6, Line 26: programmer
controller
Patch Set #6, Line 27: chipset lockdown
Then what about the LOCK_IN_VERSTAGE and LOCK_IN_RAMSTAGE options?
File src/security/lockdown/lockdown.c:
Patch Set #6, Line 56: for (size_t i = 0; i < ARRAY_SIZE(wp_prot); i++) {
This is the same sequence as above in the BOOTMEDIA_LOCK_RO path. You should have a helper that fills out a region_device based on the Kconfig:
static int helper(struct region_device *rdev)
{
	/* Whole boot media for the RO and NO_ACCESS lockdown modes. */
	if (CONFIG(BOOTMEDIA_LOCK_RO) || CONFIG(BOOTMEDIA_LOCK_NO_ACCESS)) {
		const struct region_device *boot_rdev = bootdevice_ro();
		return rdev_chain_full(rdev, boot_rdev);
	} else if (CONFIG(BOOTMEDIA_LOCK_VBOOT_RO)) {
		/* Only the vboot read-only FMAP region. */
		return fmap_locate_area_as_rdev("WP_RO", rdev);
	}
	return -1;
}
And add another helper for going through the wp_prot sequence for ones you care about:
static int another_helper(const struct region_device *rdev, const int *wp_prot, size_t wp_num)
{
	/* Apply each requested protection mode to the region in turn. */
	for (size_t i = 0; i < wp_num; i++) {
		boot_device_wp_region(rdev, wp_prot[i]);
	}
	return 0;
}
Patch Set #6, Line 75: security_lockdown_bootmedia
This is calling a symbol that doesn't exist?
To view, visit change 32705.