novacustom-v540tu: enable PR0 lockdown in SMM

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2025-04-07 19:34:26 +00:00 · 2024-12-09 16:21:45 +01:00 · 2024-12-09 16:21:45 +01:00 · 6174b63a12
commit 6174b63a12
parent bb6c83de49
2 changed files with 20 additions and 3 deletions
--- a/boards/novacustom-v540tu/novacustom-v540tu.config
+++ b/boards/novacustom-v540tu/novacustom-v540tu.config
@ -69,3 +69,7 @@ export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
 export CONFIG_BOARD_NAME="NovaCustom V540TU"
 export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
--- a/config/coreboot-novacustom-v540tu.config
+++ b/config/coreboot-novacustom-v540tu.config
@ -172,7 +172,6 @@ CONFIG_TPM_PIRQ=0x61
 # CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set
 CONFIG_VBOOT_FWID_VERSION="$(CONFIG_LOCALVERSION)"
 CONFIG_EC_SYSTEM76_EC_BAT_THRESHOLDS=y
-CONFIG_PXE_ROM_ID="10ec,8168"
 CONFIG_BOARD_CLEVO_MTLH_COMMON=y
 CONFIG_BOARD_CLEVO_V5X0TU_BASE=y
 CONFIG_EC_SYSTEM76_EC_FLASH_SIZE=0x40000
@ -461,6 +460,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@ -524,8 +524,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000

@ -659,6 +661,7 @@ CONFIG_MRC_CACHE_USING_MRC_VERSION=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 CONFIG_TPM_PPI=y
@ -776,9 +779,12 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
+# CONFIG_BOOTMEDIA_LOCK_WPRO_VBOOT_RO is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security

@ -870,6 +876,13 @@ CONFIG_PAYLOAD_FILE="@BOARD_BUILD_DIR@/bzImage"
 CONFIG_PAYLOAD_OPTIONS=""
 # CONFIG_PXE is not set
 CONFIG_LINUX_INITRD="@BOARD_BUILD_DIR@/initrd.cpio.xz"
+
+#
+# Dasharo specific payload options
+#
+# end of Dasharo specific payload options
+
+# CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
 CONFIG_COMPRESS_SECONDARY_PAYLOAD=y

 #