xref: /aosp_15_r20/external/coreboot/src/security/lockdown/Kconfig (revision b9411a12aaaa7e1e6a6fb7c5e057f44ee179a49c) 
1## SPDX-License-Identifier: GPL-2.0-only
2
3choice
4	prompt "Boot media protection mechanism"
5	default BOOTMEDIA_LOCK_NONE
6
7config BOOTMEDIA_LOCK_NONE
8	bool "Don't lock boot media sections"
9
10config BOOTMEDIA_LOCK_CONTROLLER
11	bool "Lock boot media using the controller"
12	help
13	  Select this if you want the controller to lock specific regions.
14	  This only works on some platforms, please check the code or boot log.
15	  On Intel platforms for e.g. this will make use of the SPIBAR PRRs.
16
17config BOOTMEDIA_LOCK_CHIP
18	bool "Lock boot media using the chip"
19	help
20	  Select this if you want the chip to lock specific regions.
21	  This only works on some chips, please check the code or search the
22	  boot log for "BM-LOCKDOWN".
23
24endchoice
25
26choice
27	prompt "Boot media protected regions"
28	depends on !BOOTMEDIA_LOCK_NONE
29	default BOOTMEDIA_LOCK_WHOLE_RO
30
31config BOOTMEDIA_LOCK_WHOLE_RO
32	bool "Write-protect the whole boot medium"
33	help
34	  Select this if you want to write-protect the whole firmware boot
35	  medium.
36
37	  The locking will take place during the chipset lockdown.
38	  Chipset lockdown is platform specific und might be done unconditionally,
39	  when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
40	  (e.g. by the payload or the OS).
41
42	  NOTE: If you trigger the chipset lockdown unconditionally,
43	  you won't be able to write to the whole flash chip using the
44	  internal controller any more.
45
46config BOOTMEDIA_LOCK_WHOLE_NO_ACCESS
47	depends on BOOTMEDIA_LOCK_CONTROLLER
48	bool "Read- and write-protect the whole boot medium"
49	help
50	  Select this if you want to protect the firmware boot medium against
51	  all further accesses. On platforms that memory map a part of the
52	  boot medium the corresponding region is still readable.
53
54	  The locking will take place during the chipset lockdown.
55	  Chipset lockdown is platform specific und might be done unconditionally,
56	  when INTEL_CHIPSET_LOCKDOWN is set or has to be triggered later
57	  (e.g. by the payload or the OS).
58
59	  NOTE: If you trigger the chipset lockdown unconditionally,
60	  you won't be able to write to the whole flash chip using the
61	  internal controller any more.
62
63config BOOTMEDIA_LOCK_WPRO_VBOOT_RO
64	bool "Write-protect WP_RO FMAP region in boot medium"
65	depends on VBOOT
66	help
67	  Select this if you want to write-protect the WP_RO region as specified
68	  in the VBOOT FMAP. You will be able to write every region outside
69	  of WP_RO using the internal controller (eg. FW_MAIN_A/FW_MAIN_B).
70	  In case of BOOTMEDIA_LOCK_IN_VERSTAGE the locking will take place
71	  early, preventing locking of facilities used in ramstage, like the
72	  MRC cache. If not using BOOTMEDIA_LOCK_IN_VERSTAGE the chipset lockdown
73	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or
74	  has to be triggered later (e.g. by the payload or the OS).
75
76endchoice
77
78config BOOTMEDIA_LOCK_IN_VERSTAGE
79	depends on BOOTMEDIA_LOCK_WPRO_VBOOT_RO
80	bool "Lock boot media down in verstage"
81	help
82	  Select this if you want to write-protect the WP_RO region as soon as
83	  possible. This option prevents using write protecting facilities in
84	  ramstage, like the MRC cache for example.
85	  Use this option if you don't trust code running after verstage.
86
87config BOOTMEDIA_SMM_BWP
88	bool "Boot media only writable in SMM"
89	depends on !CONSOLE_SPI_FLASH
90	depends on BOOT_DEVICE_SPI_FLASH && HAVE_SMI_HANDLER
91	depends on SOUTHBRIDGE_INTEL_COMMON_SPI || SOC_INTEL_COMMON_BLOCK_SPI
92	select SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE if SOC_INTEL_COMMON_BLOCK_SPI
93	help
94	  Only allow flash writes in SMM. Select this if you want to use SMMSTORE
95	  while also preventing unauthorized writes through the internal controller.
96	  Note that this breaks flashconsole, since the flash becomes read-only.
97
98choice
99	prompt "SPI Flash write protection duration"
100	default BOOTMEDIA_SPI_LOCK_REBOOT
101	depends on BOOTMEDIA_LOCK_CHIP
102	depends on BOOT_DEVICE_SPI_FLASH
103
104config BOOTMEDIA_SPI_LOCK_REBOOT
105	bool "Lock SPI flash until next reboot"
106	help
107	  The SPI chip is locked until power is removed and re-applied.
108	  Supported by Winbond parts.
109
110config BOOTMEDIA_SPI_LOCK_PIN
111	bool "Lock SPI flash using WP# pin"
112	help
113	  The SPI chip is locked using a non-volatile configuration bit. Writes
114	  are only possible if the WP# is not asserted. Supported by Winbond
115	  and Macronix parts.
116
117config BOOTMEDIA_SPI_LOCK_PERMANENT
118	bool "Lock SPI flash permanently"
119	help
120	  The SPI chip is permanently locked using a non-volatile configuration
121	  bit. No writes are ever possible again after we perform the lock.
122	  Supported by Winbond parts.
123
124endchoice
125