Diffstat (limited to 'src/security/lockdown/lockdown.c')
-rw-r--r-- | src/security/lockdown/lockdown.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index a8aad9b5eb..62d0a2914a 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -5,13 +5,15 @@ #include <commonlib/region.h> #include <console/console.h> #include <bootstate.h> +#include <fmap.h> /* * Enables read- /write protection of the bootmedia. */ void boot_device_security_lockdown(void) { - const struct region_device *rdev; + const struct region_device *rdev = NULL; + struct region_device dev; enum bootdev_prot_type lock_type; printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme "); @@ -23,19 +25,32 @@ void boot_device_security_lockdown(void) } else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) { printk(BIOS_DEBUG, "'no access'"); lock_type = CTRLR_RWP; + } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { + printk(BIOS_DEBUG, "'WP_RO only'"); + lock_type = CTRLR_WP; } printk(BIOS_DEBUG, "using CTRL...\n"); } else { if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) { printk(BIOS_DEBUG, "'readonly'"); lock_type = MEDIA_WP; + } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { + printk(BIOS_DEBUG, "'WP_RO only'"); + lock_type = MEDIA_WP; } printk(BIOS_DEBUG, "using flash chip...\n"); } - rdev = boot_device_ro(); + if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { + if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n"); + else + rdev = &dev; + } else { + rdev = boot_device_ro(); + } - if (boot_device_wp_region(rdev, lock_type) >= 0) + if (rdev && boot_device_wp_region(rdev, lock_type) >= 0) printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n"); else printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n"); |
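Review bot: The comment above boot_device_security_lockdown() in the first hunk still describes protection of the boot media as a whole, but with BOOTMEDIA_LOCK_WPRO_VBOOT_RO the new code protects only the FMAP region 'WP_RO'. I would reword it along the lines of `Enables read-/write protection of the boot media, or of the FMAP region 'WP_RO' only when BOOTMEDIA_LOCK_WPRO_VBOOT_RO is selected.` so that someone auditing the lockdown does not assume full-flash coverage. The function body continues outside this hunk.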
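Review bot: `lock_type` is declared without an initializer and neither if/else-if chain in the second hunk ends in an `else`, so when no listed option matches (for example BOOTMEDIA_LOCK_WHOLE_NO_ACCESS without BOOTMEDIA_LOCK_CONTROLLER, which the flash-chip chain does not handle) an indeterminate value reaches `boot_device_wp_region(rdev, lock_type)`. Kconfig may rule those combinations out, but that is not visible here; a closing `else { printk(BIOS_ERR, "BM-LOCKDOWN: no supported scheme selected\n"); return; }` on both chains would make the function safe on its own. Separately, when 'WP_RO' is not found the code logs two errors and boot continues with the flash unprotected; if that fail-open behaviour is the intended policy, a one-line comment at the `rdev &&` check saying so would help. The function starts before this hunk.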