Hello build bot (Jenkins), Patrick Rudolph,
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/39925
to look at the new patch set (#6).
Change subject: boot_device: Add boot_device_lockdown ......................................................................
boot_device: Add boot_device_lockdown
Add a new method to lock the SPI protected range registers.
This allows to lock the SPI controller early, which can be used to write-protect the WP_RO region in bootblock before handing of control to the later stages not protected by WP_RO.
In conjunction with VBOOT and BOOTMEDIA_LOCK_CONTROLLER_RO_VBOOT_RO this enables a secure boot mechanism on non CHROMEOS enabled devices.
Also move the SPIBAR locking on older Intel platforms into ring0, keeping the current locking logic the same. Only the dependency to SMI_HANDLER is dropped.
Change-Id: I9d3a80a2e278c77212e1fba5236ea639ea018837 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com --- M src/drivers/spi/boot_device_rw_nommap.c M src/drivers/spi/spi_flash.c M src/include/boot_device.h M src/include/spi-generic.h M src/include/spi_flash.h M src/lib/boot_device.c M src/security/lockdown/lockdown.c M src/soc/intel/braswell/southcluster.c M src/soc/intel/broadwell/finalize.c M src/soc/intel/common/block/fast_spi/fast_spi_flash.c M src/soc/intel/common/pch/lockdown/lockdown.c M src/southbridge/intel/common/finalize.c M src/southbridge/intel/common/spi.c M src/southbridge/intel/i82801gx/lpc.c 14 files changed, 71 insertions(+), 15 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/25/39925/6