lockdown: Add Kconfigs for SPI media protection mode

SPI_WRITE_PROTECTION_REBOOT seems to be a Winbond thing, other vendors
such as Macronix only support permanent protection but conditional on
the WP# pin state.

Change-Id: Iba7c1229c82c86e1303d74c7bc8f89662b5bb58c
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41747
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

src/drivers/spi/boot_device_rw_nommap.c

@@ -96,9 +96,17 @@ int boot_device_wp_region(const struct region_device *rd,
 	if (type == MEDIA_WP) {
 		if (spi_flash_is_write_protected(boot_dev,
 						 region_device_region(rd)) != 1) {
+			enum spi_flash_status_reg_lockdown lock =
+				SPI_WRITE_PROTECTION_REBOOT;
+			if (CONFIG(BOOTMEDIA_SPI_LOCK_REBOOT))
+				lock = SPI_WRITE_PROTECTION_REBOOT;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PIN))
+				lock = SPI_WRITE_PROTECTION_PIN;
+			else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT))
+				lock = SPI_WRITE_PROTECTION_PERMANENT;
+
 			return spi_flash_set_write_protected(boot_dev,
-						region_device_region(rd),
-						SPI_WRITE_PROTECTION_REBOOT);
+						region_device_region(rd), lock);
 		}
 
 		/* Already write protected */