Attention is currently required from: Nico Huber, Benjamin Doron, Angel Pons, Patrick Rudolph. Angel Pons has uploaded a new patch set (#20) to the change originally created by Patrick Rudolph. ( https://review.coreboot.org/c/coreboot/+/40830 )
Change subject: security/intel: Add option to enable SMM flash access only
......................................................................
security/intel: Add option to enable SMM flash access only
On platforms where the boot media can be updated externally, e.g. using a BMC, add the possibility to enable writes in SMM only. This allows protecting the BIOS region even without the use of vboot, but keeps SMMSTORE working for use in payloads. Note that this breaks flashconsole, since the flash becomes read-only.

Tested on Asrock B85M Pro4 and HP 280 G2: SMM BIOS write protection works as expected, and SMMSTORE can still be used.
Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
---
M src/security/lockdown/Kconfig
M src/soc/intel/common/block/fast_spi/fast_spi.c
M src/soc/intel/common/block/include/intelblocks/fast_spi.h
M src/soc/intel/common/block/smm/smihandler.c
M src/soc/intel/common/pch/lockdown/lockdown.c
M src/southbridge/intel/common/finalize.c
M src/southbridge/intel/common/spi.c
7 files changed, 95 insertions(+), 35 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/30/40830/20