Attention is currently required from: Nico Huber. Hello Nico Huber,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/56343
to review the following change.
Change subject: security/lockdown: Allow to lock the controller's full address space ......................................................................
security/lockdown: Allow to lock the controller's full address space
Currently implemented for Intel controllers only, BOOTMEDIA_LOCK_MAX_RO tells the controller driver to write-protect as much address space as possible. This simplifies things: We do not rely on coreboot's know- ledge of the size of the bootmedia. And it makes it easier to verify that the protect is in place by simply checking for the maximum range again.
Change-Id: Ib4193e37b072b0f9e4ce69fa6ae15b6bcf26eec2 Signed-off-by: Nico Huber nico.huber@secunet.com --- M src/drivers/spi/boot_device_rw_nommap.c M src/include/boot_device.h M src/include/spi-generic.h M src/security/lockdown/Kconfig M src/security/lockdown/lockdown.c M src/soc/intel/common/block/fast_spi/fast_spi_flash.c 6 files changed, 26 insertions(+), 4 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/43/56343/1
diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c index 58efc87..90a98ce 100644 --- a/src/drivers/spi/boot_device_rw_nommap.c +++ b/src/drivers/spi/boot_device_rw_nommap.c @@ -117,6 +117,9 @@ case CTRLR_WP: ctrlr_pr = WRITE_PROTECT; break; + case CTRLR_WP_MAX: + ctrlr_pr = WRITE_PROTECT_MAX; + break; case CTRLR_RP: ctrlr_pr = READ_PROTECT; break; diff --git a/src/include/boot_device.h b/src/include/boot_device.h index 84bd16e..8178842 100644 --- a/src/include/boot_device.h +++ b/src/include/boot_device.h @@ -10,16 +10,18 @@ * The following modes are identified. It depends on the flash chip and the * controller if mode is actually supported. * - * MEDIA_WP : Flash/Boot device enforces write protect - * CTRLR_WP : Controller device enforces write protect - * CTRLR_RP : Controller device enforces read protect - * CTRLR_RWP : Controller device enforces read-write protect + * MEDIA_WP : Flash/Boot device enforces write protect + * CTRLR_WP : Controller device enforces write protect + * CTRLR_WP_MAX : Controller device enforces write protect of its whole address space + * CTRLR_RP : Controller device enforces read protect + * CTRLR_RWP : Controller device enforces read-write protect */ enum bootdev_prot_type { CTRLR_WP = 1, CTRLR_RP = 2, CTRLR_RWP = 3, MEDIA_WP = 4, + CTRLR_WP_MAX = 5, }; /* * Please note that the read-only boot device may not be coherent with diff --git a/src/include/spi-generic.h b/src/include/spi-generic.h index 77a3c09..dfc3813 100644 --- a/src/include/spi-generic.h +++ b/src/include/spi-generic.h @@ -107,6 +107,7 @@ READ_PROTECT = 1, WRITE_PROTECT = 2, READ_WRITE_PROTECT = 3, + WRITE_PROTECT_MAX = 4, };
enum { diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index 8d48beb..c3bedd0 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig @@ -43,6 +43,14 @@ you won't be able to write to the whole flash chip using the internal controller any more.
+config BOOTMEDIA_LOCK_MAX_RO + bool "Write-protect the controller's complete address space" + depends on SOC_INTEL_COMMON_BLOCK_FAST_SPI + depends on BOOTMEDIA_LOCK_CONTROLLER + help + Select this if you want to write-protect the whole address space of + the flash controller. + config BOOTMEDIA_LOCK_WHOLE_NO_ACCESS depends on BOOTMEDIA_LOCK_CONTROLLER bool "Read- and write-protect the whole boot medium" diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index c2e2ac3..b1ad512 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -21,6 +21,9 @@ if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) { printk(BIOS_DEBUG, "'readonly'"); lock_type = CTRLR_WP; + } else if (CONFIG(BOOTMEDIA_LOCK_MAX_RO)) { + printk(BIOS_DEBUG, "'readonly (full address space)'"); + lock_type = CTRLR_WP_MAX; } else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) { printk(BIOS_DEBUG, "'no access'"); lock_type = CTRLR_RWP; diff --git a/src/soc/intel/common/block/fast_spi/fast_spi_flash.c b/src/soc/intel/common/block/fast_spi/fast_spi_flash.c index 1b0652d..4d77452 100644 --- a/src/soc/intel/common/block/fast_spi/fast_spi_flash.c +++ b/src/soc/intel/common/block/fast_spi/fast_spi_flash.c @@ -358,6 +358,11 @@ case WRITE_PROTECT: protect_mask |= SPI_FPR_WPE; break; + case WRITE_PROTECT_MAX: + protect_mask |= SPI_FPR_WPE; + start = 0x00000000; + end = 0xffffffff; + break; case READ_PROTECT: protect_mask |= SPI_FPR_RPE; break;