security: Add common boot media write protection
Introduce boot media protection settings and use the existing boot_device_wp_region() function to apply the settings on all platforms that support it so far. Also remove the Intel southbridge code, which is now obsolete.

Every platform locks the SPIBAR in a different stage. To align with the common MRC cache driver, lock after it has been written to.

Tested on Supermicro X11SSH-TF. The whole address space is write-protected.

Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32704
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Committed by: Philipp Deppenwiese
Parent: 7bcd9a1d91
Commit: 78feacc440
@ -62,4 +62,12 @@ int boot_device_wp_region(const struct region_device *rd,
**/
void boot_device_init(void);
/*
* Restrict read/write access to the bootmedia using platform defined rules.
*/
#if CONFIG(BOOTMEDIA_LOCK_NONE)
static inline void boot_device_security_lockdown(void) {}
#else
void boot_device_security_lockdown(void);
#endif
#endif /* _BOOT_DEVICE_H_ */
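Review bot: the comment above boot_device_security_lockdown() does not say when the function must be called, yet the commit message makes the ordering a correctness requirement (lock only after the MRC cache has been written, since the whole address space becomes write-protected). State that in the header comment, e.g. "Must be called once, after all writes to the boot media (MRC cache) are done; regions locked here cannot be written again until the next reset." It is also worth spelling out in the same comment that under CONFIG(BOOTMEDIA_LOCK_NONE) the call is an empty inline stub, so a caller cannot detect at runtime that no lockdown happened; if callers need that signal, consider returning a status instead of void. Minor: the existing declaration in this header closes its doc block with "**/", while the new comment uses a plain "/* ... */" block; keep one style so the doc tooling picks it up.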