From 16dbbeb8959a07bbe873aac13579d65129c0ee0d Mon Sep 17 00:00:00 2001
From: Daniel Gröber
Date: Tue, 26 May 2020 22:18:44 +0200
Subject: lockdown: Add Kconfigs for SPI media protection mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors such as Macronix only support permanent protection but conditional on the WP# pin state.
Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41747
Reviewed-by: Paul Menzel
Reviewed-by: Patrick Rudolph
Tested-by: build bot (Jenkins)
---
src/security/lockdown/Kconfig | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
(limited to 'src/security')
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig
index 30b5237ffc..97094ff2e7 100644
--- a/src/security/lockdown/Kconfig
+++ b/src/security/lockdown/Kconfig
@@ -82,3 +82,31 @@ config BOOTMEDIA_LOCK_IN_VERSTAGE
 possible. This option prevents using write protecting facilities in ramstage, like the MRC cache for example. Use this option if you don't trust code running after verstage.
+
+choice
+ prompt "SPI Flash write protection duration"
+ default BOOTMEDIA_SPI_LOCK_REBOOT
+ depends on BOOTMEDIA_LOCK_CHIP
+ depends on BOOT_DEVICE_SPI_FLASH
+
+config BOOTMEDIA_SPI_LOCK_REBOOT
+ bool "Lock SPI flash until next reboot"
+ help
+ The SPI chip is locked until power is removed and re-applied.
+ Supported by Winbond parts.
+
+config BOOTMEDIA_SPI_LOCK_PIN
+ bool "Lock SPI flash using WP# pin"
+ help
+ The SPI chip is locked using a non-volatile configuration bit. Writes
+ are only possible if the WP# is not asserted. Supported by Winbond
+ and Macronix parts.
+
+config BOOTMEDIA_SPI_LOCK_PERMANENT
+ bool "Lock SPI flash permanently"
+ help
+ The SPI chip is permanently locked using a non-volatile configuration
+ bit. No writes are ever possible again after we perform the lock.
+ Supported by Winbond parts.
+
+endchoice
-- cgit v1.2.3
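Review bot: The choice defaults to `BOOTMEDIA_SPI_LOCK_REBOOT`, which its own help text lists as supported by Winbond parts only, and neither of the visible `depends on` lines ties that default to the flash vendor. What happens on a part without this mode is decided by code outside this hunk, so the help should state it once confirmed, for example `If the flash part does not support this mode, the lock may not be applied; verify the protection state after boot.` The prompt `"Lock SPI flash until next reboot"` also disagrees with its help text, which says the lock lasts until power is removed and re-applied; `bool "Lock SPI flash until next power cycle"` would match it. For `BOOTMEDIA_SPI_LOCK_PIN`, adding a help line such as `The protection is only effective while the board holds WP# asserted.` would make clear that this mode depends on board wiring as well as the chip.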