Patrick Rudolph uploaded patch set #6 to this change.
boot_device: Add boot_device_lockdown
Add a new method to lock the SPI protected range registers.
This allows to lock the SPI controller early, which can be used to
write-protect the WP_RO region in bootblock before handing of control
to the later stages not protected by WP_RO.
In conjunction with VBOOT and BOOTMEDIA_LOCK_CONTROLLER_RO_VBOOT_RO this
enables a secure boot mechanism on non CHROMEOS enabled devices.
Also move the SPIBAR locking on older Intel platforms into ring0, keeping
the current locking logic the same. Only the dependency to SMI_HANDLER is
dropped.
Change-Id: I9d3a80a2e278c77212e1fba5236ea639ea018837
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
---
M src/drivers/spi/boot_device_rw_nommap.c
M src/drivers/spi/spi_flash.c
M src/include/boot_device.h
M src/include/spi-generic.h
M src/include/spi_flash.h
M src/lib/boot_device.c
M src/security/lockdown/lockdown.c
M src/soc/intel/braswell/southcluster.c
M src/soc/intel/broadwell/finalize.c
M src/soc/intel/common/block/fast_spi/fast_spi_flash.c
M src/soc/intel/common/pch/lockdown/lockdown.c
M src/southbridge/intel/common/finalize.c
M src/southbridge/intel/common/spi.c
M src/southbridge/intel/i82801gx/lpc.c
14 files changed, 71 insertions(+), 15 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/25/39925/6
To view, visit change 39925. To unsubscribe, or for help writing mail filters, visit settings.