Change in coreboot[master]: lockdown: Add Kconfigs for SPI media protection mode - coreboot-gerrit

26 May 2020

Hello Daniel Gröber,
I'd like you to do a code review. Please visit
https://review.coreboot.org/c/coreboot/+/41747
to review the following change.
Change subject: lockdown: Add Kconfigs for SPI media protection mode
......................................................................
lockdown: Add Kconfigs for SPI media protection mode
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors
such as Macronix only support permanent protection but conditional on
the WP# pin state.
Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber dxld@darkboxed.org
---
M src/drivers/spi/boot_device_rw_nommap.c
M src/security/lockdown/Kconfig
2 files changed, 37 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/47/41747/1

diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c
index ba11d05..1d68285 100644
--- a/src/drivers/spi/boot_device_rw_nommap.c
+++ b/src/drivers/spi/boot_device_rw_nommap.c
@@ -96,9 +96,16 @@
    if (type == MEDIA_WP) {
    	if (spi_flash_is_write_protected(boot_dev,
    					 region_device_region(rd)) != 1) {
+			enum spi_flash_status_reg_lockdown lock;
+			if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT))
+				lock = SPI_WRITE_PROTECTION_REBOOT;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN))
+				lock = SPI_WRITE_PROTECTION_PIN;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT))
+				lock = SPI_WRITE_PROTECTION_PERMANENT;
+
    		return spi_flash_set_write_protected(boot_dev,
-						region_device_region(rd),
-						SPI_WRITE_PROTECTION_REBOOT);
+						region_device_region(rd), lock);
    	}
/* Already write protected */
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig
index 30b5237..97094ff 100644
--- a/src/security/lockdown/Kconfig
+++ b/src/security/lockdown/Kconfig
@@ -82,3 +82,31 @@
      possible. This option prevents using write protecting facilities in
      ramstage, like the MRC cache for example.
      Use this option if you don't trust code running after verstage.
+
+choice
+	prompt "SPI Flash write protection duration"
+	default BOOTMEDIA_SPI_LOCK_REBOOT
+	depends on BOOTMEDIA_LOCK_CHIP
+	depends on BOOT_DEVICE_SPI_FLASH
+
+config BOOTMEDIA_SPI_LOCK_REBOOT
+	bool "Lock SPI flash until next reboot"
+	help
+	  The SPI chip is locked until power is removed and re-applied.
+	  Supported by Winbond parts.
+
+config BOOTMEDIA_SPI_LOCK_PIN
+	bool "Lock SPI flash using WP# pin"
+	help
+	  The SPI chip is locked using a non-volatile configuration bit. Writes
+	  are only possible if the WP# is not asserted. Supported by Winbond
+	  and Macronix parts.
+
+config BOOTMEDIA_SPI_LOCK_PERMANENT
+	bool "Lock SPI flash permanently"
+	help
+	  The SPI chip is permanently locked using a non-volatile configuration
+	  bit. No writes are ever possible again after we perform the lock.
+	  Supported by Winbond parts.
+
+endchoice
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/41747
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Gerrit-Change-Number: 41747
Gerrit-PatchSet: 1
Gerrit-Owner: Daniel Gröber (dxld)
Gerrit-Reviewer: Daniel Gröber dxld@darkboxed.org
Gerrit-MessageType: newchange



    