From 78feacc44057916161365d079ae92aa0baa679f8 Mon Sep 17 00:00:00 2001 From: Patrick Rudolph Date: Tue, 3 Dec 2019 19:43:06 +0100 Subject: security: Add common boot media write protection Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply settings on all platforms that supports it yet. Also remove the Intel southbridge code, which is now obsolete. Every platform locks the SPIBAR in a different stage. For align up with the common mrc cache driver and lock after it has been written to. Tested on Supermicro X11SSH-TF. The whole address space is write-protected. Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183 Signed-off-by: Patrick Rudolph Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704 Tested-by: build bot (Jenkins) Reviewed-by: Philipp Deppenwiese Reviewed-by: Julius Werner --- src/include/boot_device.h | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/include') diff --git a/src/include/boot_device.h b/src/include/boot_device.h index 4707331ce6..31464624b9 100644 --- a/src/include/boot_device.h +++ b/src/include/boot_device.h @@ -62,4 +62,12 @@ int boot_device_wp_region(const struct region_device *rd, **/ void boot_device_init(void); +/* + * Restrict read/write access to the bootmedia using platform defined rules. + */ +#if CONFIG(BOOTMEDIA_LOCK_NONE) +static inline void boot_device_security_lockdown(void) {} +#else +void boot_device_security_lockdown(void); +#endif #endif /* _BOOT_DEVICE_H_ */ -- cgit v1.2.3
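Review bot: the new doc comment on boot_device_security_lockdown() in src/include/boot_device.h should state when the function must be called, since the commit message makes that the whole point ("Every platform locks the SPIBAR in a different stage" and the lock is meant to be applied after the MRC cache has been written); a caller who invokes it before the last write to the boot media will either brick the write or leave the region unprotected. Suggest expanding the comment to something like "Restrict read/write access to the boot media using platform-defined rules. Must be called once, after the last write to the boot media (e.g. after the MRC cache has been updated)." Two smaller points in the same hunk: "bootmedia" and "platform defined" should read "boot media" and "platform-defined" to match the wording used elsewhere in the commit, and the BOOTMEDIA_LOCK_NONE branch compiles to an empty inline stub, so it is worth a one-line comment saying that selecting that option leaves the boot media entirely unprotected, so that a platform maintainer reading only the header does not mistake the stub for a lock that happens elsewhere.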