Christian Walter has uploaded a new patch set (#2) to the change originally created by Patrick Rudolph. ( https://review.coreboot.org/c/coreboot/+/32705 )
Change subject: security/lockdown: Write-protect WP_RO ......................................................................
security/lockdown: Write-protect WP_RO
Add another choice to boot media protection and write-protect WP_RO in case VBOOT is enabled. Also add ability to choose when to lock bootmedia, either in VERSTAGE if VBOOT is enabled - otherwise in RAMSTAGE.
Tested on Lenovo T520: The WP_RO region is write-protected.
Tested on Up Sqaured: THe WP_RO region is write-protected in the verstage/ramstage.
Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2 Signed-off-by: Patrick Rudolph patrick.rudolph@9elements.com Signed-off-by: Christian Walter christian.walter@9elements.com --- M src/security/lockdown/Kconfig M src/security/lockdown/Makefile.inc M src/security/lockdown/bootmedia.c A src/security/lockdown/bootmedia.h M src/security/vboot/verstage.c 5 files changed, 80 insertions(+), 5 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/05/32705/2