Attention is currently required from: Nico Huber, Angel Pons.

Angel Pons uploaded patch set #10 to the change originally created by Patrick Rudolph.


security/intel: Add option to enable SMM flash access only

On platforms where the boot media can be updated externally, e.g.
using a BMC, add the possibility to enable writes in SMM only. This
allows protecting the BIOS region even without the use of vboot, but
keeps SMMSTORE working for use in payloads. Note that this breaks
flashconsole, since the flash becomes read-only.

Tested on Asrock B85M Pro4, SMM protection works as expected.

Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Signed-off-by: Patrick Rudolph <>
Signed-off-by: Angel Pons <>
M src/security/lockdown/Kconfig
M src/soc/intel/common/block/smm/smihandler.c
M src/soc/intel/common/pch/lockdown/lockdown.c
M src/southbridge/intel/common/finalize.c
M src/southbridge/intel/common/spi.c
5 files changed, 77 insertions(+), 35 deletions(-)

git pull ssh:// refs/changes/30/40830/10


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Gerrit-Change-Number: 40830
Gerrit-PatchSet: 10
Gerrit-Owner: Patrick Rudolph <>
Gerrit-Reviewer: Angel Pons <>
Gerrit-Reviewer: Benjamin Doron <>
Gerrit-Reviewer: Patrick Rudolph <>
Gerrit-Reviewer: build bot (Jenkins) <>
Gerrit-CC: Nico Huber <>
Gerrit-CC: Paul Menzel <>
Gerrit-Attention: Nico Huber <>
Gerrit-Attention: Angel Pons <>
Gerrit-MessageType: newpatchset
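The commit message describes the resulting lock policy in one sentence (writes only from SMM, so SMMSTORE keeps working while anything outside SMM such as flashconsole sees read-only flash). The following is an added C model of that policy, not code from the patch or from coreboot: it decodes the BIOS_CNTL write-protection bits and simulates a write attempt from inside and outside SMM. The bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5 at LPC config offset 0xDC) are assumed from the Intel 8-series PCH documentation and are not stated on the page; the function and enum names are illustrative, and the racing-write case models the well-known weakness of BLE without SMM_BWP on multi-core systems, which is background knowledge rather than something the page claims.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL bit layout. Assumption for this example: Intel 8-series PCH
 * (the B85 in the tested board), LPC device D31:F0, config offset 0xDC. */
#define BIOS_CNTL_BIOSWE  (1u << 0) /* BIOS Write Enable */
#define BIOS_CNTL_BLE     (1u << 1) /* BIOS Lock Enable: SMI when BIOSWE goes 0->1 */
#define BIOS_CNTL_SMM_BWP (1u << 5) /* SMM BIOS Write Protect */

enum flash_policy {
    POLICY_WRITABLE, /* any ring-0 code may enable writes and flash */
    POLICY_BLE_ONLY, /* writes gated only by the SMI handler clearing BIOSWE */
    POLICY_SMM_ONLY, /* hardware rejects BIOS-region writes unless in SMM */
};

/* Classify the lock state encoded in a BIOS_CNTL value (illustrative name). */
enum flash_policy classify_bios_cntl(uint8_t v)
{
    bool ble = v & BIOS_CNTL_BLE;
    bool smm_bwp = v & BIOS_CNTL_SMM_BWP;

    if (ble && smm_bwp)
        return POLICY_SMM_ONLY;
    if (ble)
        return POLICY_BLE_ONLY;
    return POLICY_WRITABLE;
}

const char *policy_name(enum flash_policy p)
{
    switch (p) {
    case POLICY_WRITABLE: return "writable";
    case POLICY_BLE_ONLY: return "BLE only (SMI-gated, racy on SMP)";
    case POLICY_SMM_ONLY: return "SMM only";
    }
    return "?";
}

/* Hardware rule for a BIOS-region write cycle: BIOSWE must be 1, and when
 * SMM_BWP is 1 the write must also come from SMM (all cores in SMM). */
static bool region_accepts_write(uint8_t v, bool in_smm)
{
    if (!(v & BIOS_CNTL_BIOSWE))
        return false;
    if ((v & BIOS_CNTL_SMM_BWP) && !in_smm)
        return false;
    return true;
}

/* Simulated write sequence: set BIOSWE, write, clear BIOSWE. Outside SMM with
 * BLE set, setting BIOSWE raises an SMI and the SMI handler clears BIOSWE
 * again before the write is issued. In SMM (the SMMSTORE path) no SMI fires. */
bool try_flash_write(uint8_t *bios_cntl, bool in_smm)
{
    uint8_t v = *bios_cntl | BIOS_CNTL_BIOSWE;

    if (!in_smm && (v & BIOS_CNTL_BLE))
        v &= (uint8_t)~BIOS_CNTL_BIOSWE; /* SMI handler re-locks */

    bool ok = region_accepts_write(v, in_smm);
    v &= (uint8_t)~BIOS_CNTL_BIOSWE;
    *bios_cntl = v;
    return ok;
}

/* Race case: a second core issues the write after BIOSWE was set but before
 * the SMI handler has run. With BLE alone the write lands; SMM_BWP closes
 * the window because the write cycle itself is rejected outside SMM. */
bool racing_write_lands(uint8_t bios_cntl)
{
    uint8_t v = bios_cntl | BIOS_CNTL_BIOSWE;
    return region_accepts_write(v, false);
}

int main(void)
{
    /* Constructed register values: unlocked, BLE only, BLE + SMM_BWP. */
    uint8_t samples[] = { 0x00, 0x02, 0x22 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint8_t v = samples[i];
        printf("BIOS_CNTL=0x%02x: %s; write from SMM: %s; from OS: %s; racing: %s\n",
               v, policy_name(classify_bios_cntl(v)),
               try_flash_write(&v, true) ? "ok" : "denied",
               try_flash_write(&v, false) ? "ok" : "denied",
               racing_write_lands(v) ? "lands" : "rejected");
    }
    return 0;
}
```

Reading the real register on a running system (for instance with a chipsec or setpci dump of D31:F0 offset 0xDC) and feeding the byte to classify_bios_cntl gives the same verdict the simulation prints; the SMM-only outcome is the state the commit message calls "SMM protection".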