summaryrefslogtreecommitdiff
path: root/src/security/lockdown/Kconfig
AgeCommit message (Collapse)Author
2020-06-22lockdown: Add hint for how to check for lockdown support in boot logDaniel Gröber
Change-Id: Iaceb2e82f900e52efcce702486e18d0483665640 Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/41749 Reviewed-by: Patrick Rudolph <siro@das-labor.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-06-22lockdown: Add Kconfigs for SPI media protection modeDaniel Gröber
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors such as Macronix only support permanent protection but conditional on the WP# pin state. Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/41747 Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Patrick Rudolph <siro@das-labor.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2020-04-28security/lockdown: Write-protect WP_ROPatrick Rudolph
Allow to write protect only the WP_RO region in case of enabled VBOOT. One can either lock the boot device in VERSTAGE early if VBOOT is enabled, or late in RAMSTAGE. Both options have their downsides as explained below. Lock early if you don't trust the code that's stored in the writeable flash partition. This prevents write-protecting the MRC cache, which is written in ramstage. In case the contents of the MRC cache are corrupted this can lead to system instability or trigger unwanted code flows inside the firmware. Lock late if you trust the code that's stored in the writeable flash partition. This allows write-protecting the MRC cache, but if a vulnerability is found in the code of the writeable partition an attacker might be able to overwrite the whole flash as it hasn't been locked yet. Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Signed-off-by: Christian Walter <christian.walter@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/32705 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2020-04-28security: Add common boot media write protectionPatrick Rudolph
Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply settings on all platforms that supports it yet. Also remove the Intel southbridge code, which is now obsolete. Every platform locks the SPIBAR in a different stage. For align up with the common mrc cache driver and lock after it has been written to. Tested on Supermicro X11SSH-TF. The whole address space is write-protected. Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183 Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Reviewed-by: Julius Werner <jwerner@chromium.org>