sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
56eafbbc3ac6ea01a03daf4b54a989d3d44260ae
system76-coreboot/src/include/boot_device.h
Patrick Rudolph 6093c5099f security/lockdown: Write-protect WP_RO 
Allow to write protect only the WP_RO region in case of enabled VBOOT.
One can either lock the boot device in VERSTAGE early if VBOOT is enabled,
or late in RAMSTAGE. Both options have their downsides as explained below.

Lock early if you don't trust the code that's stored in the writeable
flash partition. This prevents write-protecting the MRC cache, which
is written in ramstage. In case the contents of the MRC cache are
corrupted this can lead to system instability or trigger unwanted code
flows inside the firmware.

Lock late if you trust the code that's stored in the writeable
flash partition. This allows write-protecting the MRC cache, but
if a vulnerability is found in the code of the writeable partition
an attacker might be able to overwrite the whole flash as it hasn't
been locked yet.

Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Christian Walter <christian.walter@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32705
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
2020-04-28 01:20:43 +00:00

74 lines
2.2 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-only */
/* This file is part of the coreboot project. */
#ifndef _BOOT_DEVICE_H_
#define _BOOT_DEVICE_H_
#include <commonlib/region.h>
/*
* Boot device region can be protected by 2 sources, media and controller.
* The following modes are identified. It depends on the flash chip and the
* controller if mode is actually supported.
*
* MEDIA_WP : Flash/Boot device enforces write protect
* CTRLR_WP : Controller device enforces write protect
* CTRLR_RP : Controller device enforces read protect
* CTRLR_RWP : Controller device enforces read-write protect
*/
enum bootdev_prot_type {
CTRLR_WP = 1,
CTRLR_RP = 2,
CTRLR_RWP = 3,
MEDIA_WP = 4,
};
/*
* Please note that the read-only boot device may not be coherent with
* the read-write boot device. Thus, mixing mmap() and writeat() is
* most likely not to work so don't rely on such semantics.
*/
/* Return the region_device for the read-only boot device. */
const struct region_device *boot_device_ro(void);
/* Return the region_device for the read-write boot device. */
const struct region_device *boot_device_rw(void);
/*
* Create a sub-region of the read-only boot device.
* Returns 0 on success, < 0 on error.
*/
int boot_device_ro_subregion(const struct region *sub,
struct region_device *subrd);
/*
* Create a sub-region of the read-write boot device.
* Returns 0 on success, < 0 on error.
*/
int boot_device_rw_subregion(const struct region *sub,
struct region_device *subrd);
/*
* Write protect a sub-region of the boot device represented
* by the region device.
* Returns 0 on success, < 0 on error.
*/
int boot_device_wp_region(const struct region_device *rd,
const enum bootdev_prot_type type);
/*
* Initialize the boot device. This may be called multiple times within
* a stage so boot device implementations should account for this behavior.
**/
void boot_device_init(void);
/*
* Restrict read/write access to the bootmedia using platform defined rules.
*/
#if CONFIG(BOOTMEDIA_LOCK_NONE) || (CONFIG(BOOTMEDIA_LOCK_IN_VERSTAGE) && ENV_RAMSTAGE)
static inline void boot_device_security_lockdown(void) {}
#else
void boot_device_security_lockdown(void);
#endif
#endif /* _BOOT_DEVICE_H_ */
Reference in New Issue View Git Blame Copy Permalink