Patrick Rudolph has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/32705
Change subject: security/lockdown: Write-protect WP_RO ......................................................................
security/lockdown: Write-protect WP_RO
Add another choice to boot media protection and write-protect WP_RO in case VBOOT is enabled.
Tested on Lenovo T520: The WP_RO region is write-protected.
Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com --- M src/security/lockdown/Kconfig M src/security/lockdown/bootmedia.c 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig
index bb4d072..1e982d8 100644
--- a/src/security/lockdown/Kconfig
+++ b/src/security/lockdown/Kconfig
@@ -15,6 +15,18 @@
 config BOOTMEDIA_LOCK_NONE
 	bool "Don't lock boot media sections"
 
+config BOOTMEDIA_LOCK_VBOOT_RO
+	bool "Write-protect WP_RO region in boot media"
+	depends on VBOOT
+	help
+	  Select this if you want to write-protect the WP_RO region as specified
+	  in the VBOOT FMAP. You will only be able to write the regions
+	  FW_MAIN_A/FW_MAIN_B, which are not write-protected using the internal
+	  programmer.
+	  The locking will take place during the chipset lockdown, which
+	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
+	  or has to be triggered later (e.g. by the payload or the OS).
+
 config BOOTMEDIA_LOCK_RO
 	bool "Write-protect the whole boot media"
 	help
diff --git a/src/security/lockdown/bootmedia.c b/src/security/lockdown/bootmedia.c
index 8fb4ae9..6fa2de2 100644
--- a/src/security/lockdown/bootmedia.c
+++ b/src/security/lockdown/bootmedia.c
@@ -17,6 +17,7 @@
 #include <commonlib/region.h>
 #include <console/console.h>
 #include <bootstate.h>
+#include <fmap.h>
 
 /*
  * Enable write protection on the WP_RO region of the bootmedia.
@@ -47,8 +48,23 @@
 				"of whole bootmedia\n");
 			locked = true;
 		}
-	}
+	} else if (CONFIG(BOOTMEDIA_LOCK_VBOOT_RO)) {
+		struct region_device dev;
+		if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0) {
+			printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
+		} else {
+			for (size_t i = 0; i < ARRAY_SIZE(wp_prot); i++) {
+				printk(BIOS_DEBUG, "BM-LOCKDOWN: Trying write-protection"
+					"#%zu ...\n", i);
+				if (boot_device_wp_region(&dev, wp_prot[i]) < 0)
+					continue;
+				printk(BIOS_INFO, "BM-LOCKDOWN: Enabled write-protection of"
+					"WP_RO region\n");
+				locked = true;
+			}
+		}
+	}
 
 	if (!locked)
 		printk(BIOS_INFO, "BM-LOCKDOWN: Didn't enable bootmedia protection\n");
 }
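Review bot: The help text does not say what happens when the FMAP has no WP_RO area; bootmedia.c then logs `Could not find region 'WP_RO'` and continues with `locked` still false, so a board that selects this option without such an area ends up with no boot-media protection beyond a console message. Suggest appending `If the FMAP has no WP_RO area, no protection is applied; check the BM-LOCKDOWN console messages.` to the help. The sentence about FW_MAIN_A/FW_MAIN_B also reads ambiguously; `Regions outside WP_RO (such as FW_MAIN_A/FW_MAIN_B) remain writable through the internal programmer.` states the intent more directly.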
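Review bot: The loop in the new BOOTMEDIA_LOCK_VBOOT_RO branch does not stop once a protection succeeds: `locked = true;` is followed by the next iteration, so every remaining wp_prot entry is still applied to the same region, and a later entry that fails only logs while the earlier success has already been counted. If wp_prot is ordered by preference, as the `continue` on failure suggests, add `break;` directly after `locked = true;`. The two split format strings also lack a separating space and print as `write-protection#0 ...` and `ofWP_RO region`; change them to `"BM-LOCKDOWN: Trying write-protection "` and `"BM-LOCKDOWN: Enabled write-protection of "`. The enclosing function and the wp_prot table start outside the hunk.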