From 16dbbeb8959a07bbe873aac13579d65129c0ee0d Mon Sep 17 00:00:00 2001
From: Daniel Gröber <dxld@darkboxed.org>
Date: Tue, 26 May 2020 22:18:44 +0200
Subject: lockdown: Add Kconfigs for SPI media protection mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors
such as Macronix only support permanent protection but conditional on
the WP# pin state.

Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41747
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 src/drivers/spi/boot_device_rw_nommap.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'src/drivers/spi/boot_device_rw_nommap.c')

diff --git a/src/drivers/spi/boot_device_rw_nommap.c b/src/drivers/spi/boot_device_rw_nommap.c
index ba11d05d99..58efc87fe9 100644
--- a/src/drivers/spi/boot_device_rw_nommap.c
+++ b/src/drivers/spi/boot_device_rw_nommap.c
@@ -96,9 +96,17 @@ int boot_device_wp_region(const struct region_device *rd,
 	if (type == MEDIA_WP) {
 		if (spi_flash_is_write_protected(boot_dev,
 						 region_device_region(rd)) != 1) {
+			enum spi_flash_status_reg_lockdown lock =
+				SPI_WRITE_PROTECTION_REBOOT;
+			if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT))
+				lock = SPI_WRITE_PROTECTION_REBOOT;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN))
+				lock = SPI_WRITE_PROTECTION_PIN;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT))
+				lock = SPI_WRITE_PROTECTION_PERMANENT;
+
 			return spi_flash_set_write_protected(boot_dev,
-						region_device_region(rd),
-						SPI_WRITE_PROTECTION_REBOOT);
+						region_device_region(rd), lock);
 		}
 
 		/* Already write protected */
-- 
cgit v1.2.3