Blame - src/security/lockdown/Kconfig - coreboot

blob: 8de7979904e3d9fa6820aebeff251f340ba7c182 [file] [log] [blame]

Martin Roth	5bdac84	2024-02-16 10:45:54 -0700	[diff] [blame^]	1	## SPDX-License-Identifier: GPL-2.0-only
Patrick Rudolph	78feacc	2019-12-03 19:43:06 +0100	[diff] [blame]	2
				3	choice
				4	prompt "Boot media protection mechanism"
				5	default BOOTMEDIA_LOCK_NONE
				6
				7	config BOOTMEDIA_LOCK_NONE
				8	bool "Don't lock boot media sections"
				9
				10	config BOOTMEDIA_LOCK_CONTROLLER
				11	bool "Lock boot media using the controller"
				12	help
				13	Select this if you want the controller to lock specific regions.
				14	This only works on some platforms, please check the code or boot log.
				15	On Intel platforms for e.g. this will make use of the SPIBAR PRRs.
				16
				17	config BOOTMEDIA_LOCK_CHIP
				18	bool "Lock boot media using the chip"
				19	help
				20	Select this if you want the chip to lock specific regions.
Daniel Gröber	a890138	2020-05-26 22:21:41 +0200	[diff] [blame]	21	This only works on some chips, please check the code or search the
				22	boot log for "BM-LOCKDOWN".
Patrick Rudolph	78feacc	2019-12-03 19:43:06 +0100	[diff] [blame]	23
				24	endchoice
				25
				26	choice
				27	prompt "Boot media protected regions"
				28	depends on !BOOTMEDIA_LOCK_NONE
				29	default BOOTMEDIA_LOCK_WHOLE_RO
				30
				31	config BOOTMEDIA_LOCK_WHOLE_RO
				32	bool "Write-protect the whole boot medium"
				33	help
				34	Select this if you want to write-protect the whole firmware boot
				35	medium.
				36
				37	The locking will take place during the chipset lockdown.
				38	Chipset lockdown is platform specific und might be done unconditionally,
				39	when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
				40	(e.g. by the payload or the OS).
				41
				42	NOTE: If you trigger the chipset lockdown unconditionally,
				43	you won't be able to write to the whole flash chip using the
				44	internal controller any more.
				45
				46	config BOOTMEDIA_LOCK_WHOLE_NO_ACCESS
				47	depends on BOOTMEDIA_LOCK_CONTROLLER
				48	bool "Read- and write-protect the whole boot medium"
				49	help
				50	Select this if you want to protect the firmware boot medium against
				51	all further accesses. On platforms that memory map a part of the
				52	boot medium the corresponding region is still readable.
				53
				54	The locking will take place during the chipset lockdown.
				55	Chipset lockdown is platform specific und might be done unconditionally,
				56	when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
				57	(e.g. by the payload or the OS).
				58
				59	NOTE: If you trigger the chipset lockdown unconditionally,
				60	you won't be able to write to the whole flash chip using the
				61	internal controller any more.
				62
Patrick Rudolph	6093c50	2019-05-08 18:36:39 +0200	[diff] [blame]	63	config BOOTMEDIA_LOCK_WPRO_VBOOT_RO
				64	bool "Write-protect WP_RO FMAP region in boot medium"
				65	depends on VBOOT
				66	help
				67	Select this if you want to write-protect the WP_RO region as specified
				68	in the VBOOT FMAP. You will be able to write every region outside
				69	of WP_RO using the internal controller (eg. FW_MAIN_A/FW_MAIN_B).
				70	In case of BOOTMEDIA_LOCK_IN_VERSTAGE the locking will take place
				71	early, preventing locking of facilities used in ramstage, like the
				72	MRC cache. If not using BOOTMEDIA_LOCK_IN_VERSTAGE the chipset lockdown
				73	is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or
				74	has to be triggered later (e.g. by the payload or the OS).
				75
Patrick Rudolph	78feacc	2019-12-03 19:43:06 +0100	[diff] [blame]	76	endchoice
Patrick Rudolph	6093c50	2019-05-08 18:36:39 +0200	[diff] [blame]	77
				78	config BOOTMEDIA_LOCK_IN_VERSTAGE
				79	depends on BOOTMEDIA_LOCK_WPRO_VBOOT_RO
				80	bool "Lock boot media down in verstage"
				81	help
				82	Select this if you want to write-protect the WP_RO region as soon as
				83	possible. This option prevents using write protecting facilities in
				84	ramstage, like the MRC cache for example.
				85	Use this option if you don't trust code running after verstage.
Daniel Gröber	16dbbeb	2020-05-26 22:18:44 +0200	[diff] [blame]	86
Angel Pons	d21b463	2021-02-10 17:12:05 +0100	[diff] [blame]	87	config BOOTMEDIA_SMM_BWP
				88	bool "Boot media only writable in SMM"
				89	depends on !CONSOLE_SPI_FLASH
				90	depends on BOOT_DEVICE_SPI_FLASH && HAVE_SMI_HANDLER
				91	depends on SOUTHBRIDGE_INTEL_COMMON_SPI \|\| SOC_INTEL_COMMON_BLOCK_SPI
				92	select SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE if SOC_INTEL_COMMON_BLOCK_SPI
				93	help
				94	Only allow flash writes in SMM. Select this if you want to use SMMSTORE
				95	while also preventing unauthorized writes through the internal controller.
				96	Note that this breaks flashconsole, since the flash becomes read-only.
				97
Daniel Gröber	16dbbeb	2020-05-26 22:18:44 +0200	[diff] [blame]	98	choice
				99	prompt "SPI Flash write protection duration"
				100	default BOOTMEDIA_SPI_LOCK_REBOOT
				101	depends on BOOTMEDIA_LOCK_CHIP
				102	depends on BOOT_DEVICE_SPI_FLASH
				103
				104	config BOOTMEDIA_SPI_LOCK_REBOOT
				105	bool "Lock SPI flash until next reboot"
				106	help
				107	The SPI chip is locked until power is removed and re-applied.
				108	Supported by Winbond parts.
				109
				110	config BOOTMEDIA_SPI_LOCK_PIN
				111	bool "Lock SPI flash using WP# pin"
				112	help
				113	The SPI chip is locked using a non-volatile configuration bit. Writes
				114	are only possible if the WP# is not asserted. Supported by Winbond
				115	and Macronix parts.
				116
				117	config BOOTMEDIA_SPI_LOCK_PERMANENT
				118	bool "Lock SPI flash permanently"
				119	help
				120	The SPI chip is permanently locked using a non-volatile configuration
				121	bit. No writes are ever possible again after we perform the lock.
				122	Supported by Winbond parts.
				123
				124	endchoice