Hello Daniel Gröber,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/41747
to review the following change.
Change subject: lockdown: Add Kconfigs for SPI media protection mode ......................................................................
lockdown: Add Kconfigs for SPI media protection mode
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors such as Macronix only support permanent protection but conditional on the WP# pin state.
Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c Signed-off-by: Daniel Gröber dxld@darkboxed.org --- M src/drivers/spi/boot_device_rw_nommap.c M src/security/lockdown/Kconfig 2 files changed, 37 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/41747/1
diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c index ba11d05..1d68285 100644 --- a/src/drivers/spi/boot_device_rw_nommap.c +++ b/src/drivers/spi/boot_device_rw_nommap.c @@ -96,9 +96,16 @@ if (type == MEDIA_WP) { if (spi_flash_is_write_protected(boot_dev, region_device_region(rd)) != 1) { + enum spi_flash_status_reg_lockdown lock; + if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT)) + lock = SPI_WRITE_PROTECTION_REBOOT; + else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN)) + lock = SPI_WRITE_PROTECTION_PIN; + else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT)) + lock = SPI_WRITE_PROTECTION_PERMANENT; + return spi_flash_set_write_protected(boot_dev, - region_device_region(rd), - SPI_WRITE_PROTECTION_REBOOT); + region_device_region(rd), lock); }
/* Already write protected */ diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index 30b5237..97094ff 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig @@ -82,3 +82,31 @@ possible. This option prevents using write protecting facilities in ramstage, like the MRC cache for example. Use this option if you don't trust code running after verstage. + +choice + prompt "SPI Flash write protection duration" + default BOOTMEDIA_SPI_LOCK_REBOOT + depends on BOOTMEDIA_LOCK_CHIP + depends on BOOT_DEVICE_SPI_FLASH + +config BOOTMEDIA_SPI_LOCK_REBOOT + bool "Lock SPI flash until next reboot" + help + The SPI chip is locked until power is removed and re-applied. + Supported by Winbond parts. + +config BOOTMEDIA_SPI_LOCK_PIN + bool "Lock SPI flash using WP# pin" + help + The SPI chip is locked using a non-volatile configuration bit. Writes + are only possible if the WP# is not asserted. Supported by Winbond + and Macronix parts. + +config BOOTMEDIA_SPI_LOCK_PERMANENT + bool "Lock SPI flash permanently" + help + The SPI chip is permanently locked using a non-volatile configuration + bit. No writes are ever possible again after we perform the lock. + Supported by Winbond parts. + +endchoice