authorPatrick Rudolph <patrick.rudolph@9elements.com>2019-05-08 18:36:39 +0200
committerPhilipp Deppenwiese <zaolin.daisuki@gmail.com>2020-04-28 01:20:43 +0000
commit6093c5099f673a2f274acfbd9e6b17a9bf76843d (patch)
treeb5b5870f171ca66285ea529f7059ec3efc2f1a79 /src/security/lockdown/lockdown.c
parent78feacc44057916161365d079ae92aa0baa679f8 (diff)
security/lockdown: Write-protect WP_RO
Allow write-protecting only the WP_RO region when VBOOT is enabled. One can either lock the boot device early in VERSTAGE if VBOOT is enabled, or late in RAMSTAGE. Both options have their downsides, as explained below. Lock early if you don't trust the code that's stored in the writeable flash partition. This prevents write-protecting the MRC cache, which is written in ramstage. If the contents of the MRC cache are corrupted, this can lead to system instability or trigger unwanted code flows inside the firmware. Lock late if you trust the code that's stored in the writeable flash partition. This allows write-protecting the MRC cache, but if a vulnerability is found in the code of the writeable partition, an attacker might be able to overwrite the whole flash as it hasn't been locked yet. Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Signed-off-by: Christian Walter <christian.walter@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/32705 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Diffstat (limited to 'src/security/lockdown/lockdown.c')
-rw-r--r--src/security/lockdown/lockdown.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c
index a8aad9b5eb..62d0a2914a 100644
--- a/src/security/lockdown/lockdown.c
+++ b/src/security/lockdown/lockdown.c
@@ -5,13 +5,15 @@
#include <commonlib/region.h>
#include <console/console.h>
#include <bootstate.h>
+#include <fmap.h>
/*
* Enables read- /write protection of the bootmedia.
*/
void boot_device_security_lockdown(void)
{
- const struct region_device *rdev;
+ const struct region_device *rdev = NULL;
+ struct region_device dev;
enum bootdev_prot_type lock_type;
printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme ");
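Review bot: The new `struct region_device dev;` at function scope deserves a comment saying why it lives there, since a later reader will be tempted to move it into the `if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO))` block where it is filled in; `rdev` is pointed at it after that block, so narrowing its scope would leave `rdev` dangling. Suggest `struct region_device dev; /* backs rdev in the WP_RO-only case; must outlive the lookup block below */`. The rest of boot_device_security_lockdown continues past this hunk.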
@@ -23,19 +25,32 @@ void boot_device_security_lockdown(void)
} else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) {
printk(BIOS_DEBUG, "'no access'");
lock_type = CTRLR_RWP;
+ } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ printk(BIOS_DEBUG, "'WP_RO only'");
+ lock_type = CTRLR_WP;
}
printk(BIOS_DEBUG, "using CTRL...\n");
} else {
if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
printk(BIOS_DEBUG, "'readonly'");
lock_type = MEDIA_WP;
+ } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ printk(BIOS_DEBUG, "'WP_RO only'");
+ lock_type = MEDIA_WP;
}
printk(BIOS_DEBUG, "using flash chip...\n");
}
- rdev = boot_device_ro();
+ if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
+ if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0)
+ printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
+ else
+ rdev = &dev;
+ } else {
+ rdev = boot_device_ro();
+ }
- if (boot_device_wp_region(rdev, lock_type) >= 0)
+ if (rdev && boot_device_wp_region(rdev, lock_type) >= 0)
printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n");
else
printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n");
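Review bot: The success branch at `if (rdev && boot_device_wp_region(rdev, lock_type) >= 0)` reports "Enabled bootmedia protection" for the WP_RO-only case without establishing that the protected range covers the whole FMAP area; flash block-protect bits and controller range registers are usually coarser than an arbitrary FMAP region, and if boot_device_wp_region() rounds the range instead of rejecting it (its behaviour is not visible here), part of WP_RO would stay writable while the log claims success. It is worth pinning that contract at the call site, e.g. `/* boot_device_wp_region() is expected to fail (<0) rather than round down when it cannot protect exactly the WP_RO range. */`, and checking the media/controller implementations against it. Separately, `lock_type` is still assigned only inside the `if`/`else if` chains, so a configuration selecting none of the BOOTMEDIA_LOCK_* options would pass an indeterminate value to boot_device_wp_region(); a trailing `else` that logs and returns would make that explicit, unless Kconfig already guarantees exactly one choice. The start of boot_device_security_lockdown lies outside this hunk.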