diff --git a/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config b/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config index 260f320f..6ea92e2f 100644 --- a/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config +++ b/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead diff --git a/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config b/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config index 046a872a..5c7a27cd 100644 --- a/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config +++ b/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config index 7721927b..ffcb9457 100644 --- a/boards/nitropad-ns50/nitropad-ns50.config +++ b/boards/nitropad-ns50/nitropad-ns50.config @@ -29,7 +29,13 @@ CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y -CONFIG_MSRTOOLS=y + +#TODO: readd when tested +#platform locking finalization (PR0) +#CONFIG_IO386=y +#export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + #Remote attestation support # TPM2 requirements CONFIG_TPM2_TSS=y diff --git a/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config b/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config index fa351396..92ab67d4 100644 --- a/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config +++ b/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config @@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_PCIUTILS=y -CONFIG_MSRTOOLS=y + +#platform locking finalization (PR0) +CONFIG_IO386=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y + + #Remote attestation support # TPM2 requirements CONFIG_TPM2_TSS=y diff --git a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config index b034491b..e695df4f 100644 --- a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config +++ b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config index 1e0ed105..9d4e0e6f 100644 --- a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config +++ b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config @@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config index ab0d8c42..35aa57d1 100644 --- a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config +++ b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config index eef49910..03a711e4 100644 --- a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config +++ b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config @@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config index 9975550f..4ab33a43 100644 --- a/boards/t420-hotp-maximized/t420-hotp-maximized.config +++ b/boards/t420-hotp-maximized/t420-hotp-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config index 39475d88..1293dd2d 100644 --- a/boards/t420-maximized/t420-maximized.config +++ b/boards/t420-maximized/t420-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config index d9961116..4b64ffef 100644 --- a/boards/t430-hotp-maximized/t430-hotp-maximized.config +++ b/boards/t430-hotp-maximized/t430-hotp-maximized.config @@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config index 188048bf..4164db3d 100644 --- a/boards/t430-maximized/t430-maximized.config +++ b/boards/t430-maximized/t430-maximized.config @@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config index 213547f9..bdd005ae 100644 --- a/boards/t530-hotp-maximized/t530-hotp-maximized.config +++ b/boards/t530-hotp-maximized/t530-hotp-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config index 4449e2d8..b291fa94 100644 --- a/boards/t530-maximized/t530-maximized.config +++ b/boards/t530-maximized/t530-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config index 7d7a1826..ddb91dba 100644 --- a/boards/w530-hotp-maximized/w530-hotp-maximized.config +++ b/boards/w530-hotp-maximized/w530-hotp-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config index e9bb59df..bb691ad7 100644 --- a/boards/w530-maximized/w530-maximized.config +++ b/boards/w530-maximized/w530-maximized.config @@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config index 1a777086..b8dc88e4 100644 --- a/boards/x220-hotp-maximized/x220-hotp-maximized.config +++ b/boards/x220-hotp-maximized/x220-hotp-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config index 55265785..2bd094ec 100644 --- a/boards/x220-maximized/x220-maximized.config +++ b/boards/x220-maximized/x220-maximized.config @@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support #TPM based requirements diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config index 1bb65c31..0e8c8420 100644 --- a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config +++ b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config @@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config index f4e85983..cdd0c867 100644 --- a/boards/x230-hotp-maximized/x230-hotp-maximized.config +++ b/boards/x230-hotp-maximized/x230-hotp-maximized.config @@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y #platform locking finalization (PR0) # This prevents SPI from being writeable outside of Heads CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Nitrokey Storage admin tool (deprecated) #CONFIG_NKSTORECLI=n diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config index a6dd8727..8508baa8 100644 --- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config +++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config @@ -39,7 +39,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config index feda20a9..7ca11057 100644 --- a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config +++ b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config @@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config index 7b5b4a01..78cc6492 100644 --- a/boards/x230-maximized/x230-maximized.config +++ b/boards/x230-maximized/x230-maximized.config @@ -34,7 +34,7 @@ CONFIG_PCIUTILS=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y #Remote attestation support diff --git a/boards/z220-cmt-maximized/z220-cmt-maximized.config b/boards/z220-cmt-maximized/z220-cmt-maximized.config index 41cb9927..c254331d 100644 --- a/boards/z220-cmt-maximized/z220-cmt-maximized.config +++ b/boards/z220-cmt-maximized/z220-cmt-maximized.config @@ -43,7 +43,7 @@ CONFIG_TPMTOTP=y #platform locking finalization (PR0) CONFIG_IO386=y -export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y +export CONFIG_FINALIZE_PLATFORM_LOCKING=y # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead # for a console-based menu. diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config index 9e5dc0ee..f7f95058 100644 --- a/config/coreboot-nitropad-ns50.config +++ b/config/coreboot-nitropad-ns50.config @@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y CONFIG_SOC_INTEL_COMMON_PCH_BASE=y CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y +CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y @@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 CONFIG_RCBA_LENGTH=0x4000 @@ -617,6 +620,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y CONFIG_SPI_FLASH=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y +CONFIG_SPI_FLASH_SMM=y # CONFIG_SPI_FLASH_NO_FAST_READ is not set CONFIG_TPM_INIT_RAMSTAGE=y # CONFIG_TPM_PPI is not set @@ -729,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set # CONFIG_INTEL_CBNT_SUPPORT is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y -# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set +# CONFIG_BOOTMEDIA_LOCK_NONE is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-novacustom_nv4x_adl.config b/config/coreboot-novacustom_nv4x_adl.config index 933b04de..a8bea3cc 100644 --- a/config/coreboot-novacustom_nv4x_adl.config +++ b/config/coreboot-novacustom_nv4x_adl.config @@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y CONFIG_SOC_INTEL_COMMON_PCH_BASE=y CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y +CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y @@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 CONFIG_RCBA_LENGTH=0x4000 @@ -618,6 +621,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y CONFIG_SPI_FLASH=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y +CONFIG_SPI_FLASH_SMM=y # CONFIG_SPI_FLASH_NO_FAST_READ is not set CONFIG_TPM_INIT_RAMSTAGE=y # CONFIG_TPM_PPI is not set @@ -730,9 +734,11 @@ CONFIG_INTEL_TXT_LIB=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set # CONFIG_INTEL_CBNT_SUPPORT is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y -# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set +# CONFIG_BOOTMEDIA_LOCK_NONE is not set +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 2580dc26..b09860ea 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -83,7 +83,7 @@ while true; do 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output" ) - [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ] && dynamic_config_options+=( + [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=( 't' ' Deactivate Platform Locking to permit OS write access to firmware' ) @@ -103,8 +103,8 @@ while true; do case "$menu_choice" in "t" ) - unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE - replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n" + unset CONFIG_FINALIZE_PLATFORM_LOCKING + replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n" combine_configs . /tmp/config ;; diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index 14478879..fa37ebf9 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -170,7 +170,7 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr kexec_finalize fi -if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then +if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then lock_chip fi diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip index 9519dc16..6085b84e 100755 --- a/initrd/bin/lock_chip +++ b/initrd/bin/lock_chip @@ -1,41 +1,25 @@ #!/bin/sh # For this to work: -# - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work) -# - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN +# - io386 module needs to be enabled in board config +# - =Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y) # - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here. -# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly #include ash shell functions (TRACE requires it) . /etc/ash_functions TRACE "Under /bin/lock_chip" -if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then +if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then APM_CNT=0xb2 FIN_CODE=0xcb fi if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then - # SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature. - # SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper - # for SMM access. - # - # It uses the processor’s memory protection and paging mechanisms to restrict what - # SMM code can read and write. SMM Supervisor marks critical pages, such as its - # own code, data, and page tables, as supervisor pages, which are only accessible - # from the most privileged level (CPL0). - # - # It also marks the rest of the SMM memory as user pages, which are accessible - # from any privilege level. - # - # This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy - # that states what resources the SMI handlers (the interrupt handlers that run in SMM) - # require access to. - # - # SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller, - # which prevents further changes to the SMM memory and configuration. - # Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset. - # This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers - # after the system boots. + # PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller, + # which prevents further changes to the SPI controller configuration. The flash + # will become write protected in the range specified in the PR0 register. Once + # the protection is set and locked, it cannot be disabled + # until the next system reset. echo "Finalizing chipset Write Protection through SMI PR0 lockdown call" io386 -o b -b x $APM_CNT $FIN_CODE else diff --git a/patches/coreboot-dasharo-unreleased/501.patch b/patches/coreboot-dasharo-unreleased/0001-tpm_pirq-not_conditional.patch similarity index 100% rename from patches/coreboot-dasharo-unreleased/501.patch rename to patches/coreboot-dasharo-unreleased/0001-tpm_pirq-not_conditional.patch diff --git a/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch new file mode 100644 index 00000000..768dfc16 --- /dev/null +++ b/patches/coreboot-dasharo-unreleased/0002-pr0_chipset_locking-post_skylake.patch @@ -0,0 +1,391 @@ +From ff22122c229bbe2109de92ded773493428f7ece9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= +Date: Sun, 20 Oct 2024 13:15:19 +0200 +Subject: [PATCH] soc/intel/lockdown: Allow locking down SPI and LPC in SMM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Heads payload uses APM_CNT_FINALIZE SMI to set and lock down +the SPI controller with PR0 flash protection. Add new option +to skip LPC and FAST SPI lock down in coreboot and move it +to APM_CNT_FINALIZE SMI handler. + +Signed-off-by: Michał Żygowski +--- + src/soc/intel/alderlake/finalize.c | 4 ++- + src/soc/intel/cannonlake/finalize.c | 3 +- + src/soc/intel/common/block/lpc/Makefile.inc | 4 +++ + src/soc/intel/common/block/smm/smihandler.c | 10 ++++++ + .../common/pch/include/intelpch/lockdown.h | 3 ++ + src/soc/intel/common/pch/lockdown/Kconfig | 15 ++++++++ + .../intel/common/pch/lockdown/Makefile.inc | 5 +++ + src/soc/intel/common/pch/lockdown/lockdown.c | 33 +++++------------ + .../intel/common/pch/lockdown/lockdown_lpc.c | 23 ++++++++++++ + .../intel/common/pch/lockdown/lockdown_spi.c | 35 +++++++++++++++++++ + src/soc/intel/denverton_ns/lpc.c | 3 +- + src/soc/intel/elkhartlake/finalize.c | 3 +- + src/soc/intel/jasperlake/finalize.c | 3 +- + src/soc/intel/meteorlake/finalize.c | 3 +- + src/soc/intel/skylake/finalize.c | 3 +- + src/soc/intel/tigerlake/finalize.c | 3 +- + src/soc/intel/xeon_sp/finalize.c | 3 +- + 17 files changed, 123 insertions(+), 33 deletions(-) + create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_lpc.c + create mode 100644 src/soc/intel/common/pch/lockdown/lockdown_spi.c + +diff --git a/src/soc/intel/alderlake/finalize.c b/src/soc/intel/alderlake/finalize.c +index 460c8af174e..9cd9351d96a 100644 +--- a/src/soc/intel/alderlake/finalize.c ++++ b/src/soc/intel/alderlake/finalize.c +@@ -84,7 +84,9 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); ++ + tbt_finalize(); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && + CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) +diff --git a/src/soc/intel/cannonlake/finalize.c b/src/soc/intel/cannonlake/finalize.c +index ba7fc69b552..b5f727e97c7 100644 +--- a/src/soc/intel/cannonlake/finalize.c ++++ b/src/soc/intel/cannonlake/finalize.c +@@ -87,7 +87,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT) && + CONFIG(SOC_INTEL_COMMON_BLOCK_HECI1_DISABLE_USING_PMC_IPC)) + heci1_disable(); +diff --git a/src/soc/intel/common/block/lpc/Makefile.inc b/src/soc/intel/common/block/lpc/Makefile.inc +index b510cd0ec35..60792654b5a 100644 +--- a/src/soc/intel/common/block/lpc/Makefile.inc ++++ b/src/soc/intel/common/block/lpc/Makefile.inc +@@ -5,3 +5,7 @@ romstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c + + ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c + ramstage-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc.c ++ ++ifeq ($(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM),y) ++smm-$(CONFIG_SOC_INTEL_COMMON_BLOCK_LPC) += lpc_lib.c ++endif +diff --git a/src/soc/intel/common/block/smm/smihandler.c b/src/soc/intel/common/block/smm/smihandler.c +index 4bfd17bfd07..dcd74764957 100644 +--- a/src/soc/intel/common/block/smm/smihandler.c ++++ b/src/soc/intel/common/block/smm/smihandler.c +@@ -15,12 +15,14 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + #include + #include ++#include + #include + #include + #include +@@ -343,6 +345,14 @@ static void finalize(void) + } + finalize_done = 1; + ++ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) { ++ /* SPI lock down configuration */ ++ fast_spi_lockdown_bios(CHIPSET_LOCKDOWN_COREBOOT); ++ ++ /* LPC/eSPI lock down configuration */ ++ lpc_lockdown_config(CHIPSET_LOCKDOWN_COREBOOT); ++ } ++ + if (CONFIG(SPI_FLASH_SMM)) + /* Re-init SPI driver to handle locked BAR */ + fast_spi_init(); +diff --git a/src/soc/intel/common/pch/include/intelpch/lockdown.h b/src/soc/intel/common/pch/include/intelpch/lockdown.h +index b5aba06fe0e..1b96f41a2a4 100644 +--- a/src/soc/intel/common/pch/include/intelpch/lockdown.h ++++ b/src/soc/intel/common/pch/include/intelpch/lockdown.h +@@ -22,4 +22,7 @@ int get_lockdown_config(void); + */ + void soc_lockdown_config(int chipset_lockdown); + ++void fast_spi_lockdown_bios(int chipset_lockdown); ++void lpc_lockdown_config(int chipset_lockdown); ++ + #endif /* SOC_INTEL_COMMON_PCH_LOCKDOWN_H */ +diff --git a/src/soc/intel/common/pch/lockdown/Kconfig b/src/soc/intel/common/pch/lockdown/Kconfig +index 8fce5e785c2..fbeb341e9ac 100644 +--- a/src/soc/intel/common/pch/lockdown/Kconfig ++++ b/src/soc/intel/common/pch/lockdown/Kconfig +@@ -1,7 +1,22 @@ + config SOC_INTEL_COMMON_PCH_LOCKDOWN + bool + default n ++ select HAVE_INTEL_CHIPSET_LOCKDOWN + help + This option allows to have chipset lockdown for DMI, FAST_SPI and + soc_lockdown_config() to implement any additional lockdown as PMC, + LPC for supported PCH. ++ ++config SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM ++ bool "Lock down SPI controller in SMM" ++ default n ++ depends on HAVE_SMI_HANDLER ++ select SPI_FLASH_SMM ++ help ++ This option allows to have chipset lockdown for FAST_SPI and LPC for ++ supported PCH. If selected, coreboot will skip locking down the SPI ++ and LPC controller. The payload or OS is responsible for locking it ++ using APM_CNT_FINALIZE SMI. Used by heads to set and lock PR0 flash ++ protection. ++ ++ If unsure, say N. +\ No newline at end of file +diff --git a/src/soc/intel/common/pch/lockdown/Makefile.inc b/src/soc/intel/common/pch/lockdown/Makefile.inc +index 71466f8edd1..64aad562acf 100644 +--- a/src/soc/intel/common/pch/lockdown/Makefile.inc ++++ b/src/soc/intel/common/pch/lockdown/Makefile.inc +@@ -1,2 +1,7 @@ + ## SPDX-License-Identifier: GPL-2.0-only + ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown.c ++ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_lpc.c ++ramstage-$(CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN) += lockdown_spi.c ++ ++smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_lpc.c ++smm-$(CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM) += lockdown_spi.c +diff --git a/src/soc/intel/common/pch/lockdown/lockdown.c b/src/soc/intel/common/pch/lockdown/lockdown.c +index 1b1d99cc0c9..7e52fb826fe 100644 +--- a/src/soc/intel/common/pch/lockdown/lockdown.c ++++ b/src/soc/intel/common/pch/lockdown/lockdown.c +@@ -61,21 +61,24 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) + /* Set FAST_SPI opcode menu */ + fast_spi_set_opcode_menu(); + +- /* Discrete Lock Flash PR registers */ +- fast_spi_pr_dlock(); +- + /* Check if SPI transaction is pending */ + fast_spi_cycle_in_progress(); + + /* Clear any outstanding status bits like AEL, FCERR, FDONE, SAF etc. */ + fast_spi_clear_outstanding_status(); + +- /* Lock FAST_SPIBAR */ +- fast_spi_lock_bar(); +- + /* Set Vendor Component Lock (VCL) */ + fast_spi_vscc0_lock(); + ++ if (CONFIG(SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM)) ++ return; ++ ++ /* Discrete Lock Flash PR registers */ ++ fast_spi_pr_dlock(); ++ ++ /* Lock FAST_SPIBAR */ ++ fast_spi_lock_bar(); ++ + /* Set BIOS Interface Lock, BIOS Lock */ + if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { + /* BIOS Interface Lock */ +@@ -95,24 +98,6 @@ static void fast_spi_lockdown_cfg(int chipset_lockdown) + } + } + +-static void lpc_lockdown_config(int chipset_lockdown) +-{ +- /* Set BIOS Interface Lock, BIOS Lock */ +- if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { +- /* BIOS Interface Lock */ +- lpc_set_bios_interface_lock_down(); +- +- /* Only allow writes in SMM */ +- if (CONFIG(BOOTMEDIA_SMM_BWP) && is_smm_bwp_permitted()) { +- lpc_set_eiss(); +- lpc_enable_wp(); +- } +- +- /* BIOS Lock */ +- lpc_set_lock_enable(); +- } +-} +- + static void sa_lockdown_config(int chipset_lockdown) + { + if (!CONFIG(SOC_INTEL_COMMON_BLOCK_SA)) +diff --git a/src/soc/intel/common/pch/lockdown/lockdown_lpc.c b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +new file mode 100644 +index 00000000000..69278ea343f +--- /dev/null ++++ b/src/soc/intel/common/pch/lockdown/lockdown_lpc.c +@@ -0,0 +1,23 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++#include ++ ++void lpc_lockdown_config(int chipset_lockdown) ++{ ++ /* Set BIOS Interface Lock, BIOS Lock */ ++ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { ++ /* BIOS Interface Lock */ ++ lpc_set_bios_interface_lock_down(); ++ ++ /* Only allow writes in SMM */ ++ if (CONFIG(BOOTMEDIA_SMM_BWP)) { ++ lpc_set_eiss(); ++ lpc_enable_wp(); ++ } ++ ++ /* BIOS Lock */ ++ lpc_set_lock_enable(); ++ } ++} +diff --git a/src/soc/intel/common/pch/lockdown/lockdown_spi.c b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +new file mode 100644 +index 00000000000..fa09cec7c2e +--- /dev/null ++++ b/src/soc/intel/common/pch/lockdown/lockdown_spi.c +@@ -0,0 +1,35 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++#include ++ ++void fast_spi_lockdown_bios(int chipset_lockdown) ++{ ++ if (!CONFIG(SOC_INTEL_COMMON_BLOCK_FAST_SPI)) ++ return; ++ ++ /* Discrete Lock Flash PR registers */ ++ fast_spi_pr_dlock(); ++ ++ /* Lock FAST_SPIBAR */ ++ fast_spi_lock_bar(); ++ ++ /* Set BIOS Interface Lock, BIOS Lock */ ++ if (chipset_lockdown == CHIPSET_LOCKDOWN_COREBOOT) { ++ /* BIOS Interface Lock */ ++ fast_spi_set_bios_interface_lock_down(); ++ ++ /* Only allow writes in SMM */ ++ if (CONFIG(BOOTMEDIA_SMM_BWP)) { ++ fast_spi_set_eiss(); ++ fast_spi_enable_wp(); ++ } ++ ++ /* BIOS Lock */ ++ fast_spi_set_lock_enable(); ++ ++ /* EXT BIOS Lock */ ++ fast_spi_set_ext_bios_lock_enable(); ++ } ++} +diff --git a/src/soc/intel/denverton_ns/lpc.c b/src/soc/intel/denverton_ns/lpc.c +index 7ebca1eb946..8d8acf05088 100644 +--- a/src/soc/intel/denverton_ns/lpc.c ++++ b/src/soc/intel/denverton_ns/lpc.c +@@ -536,7 +536,8 @@ static const struct pci_driver lpc_driver __pci_driver = { + + static void finalize_chipset(void *unused) + { +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + } + + BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, finalize_chipset, NULL); +diff --git a/src/soc/intel/elkhartlake/finalize.c b/src/soc/intel/elkhartlake/finalize.c +index 275413b4efa..802d02cb596 100644 +--- a/src/soc/intel/elkhartlake/finalize.c ++++ b/src/soc/intel/elkhartlake/finalize.c +@@ -43,7 +43,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && + CONFIG(USE_FSP_NOTIFY_PHASE_END_OF_FIRMWARE)) + heci_finalize(); +diff --git a/src/soc/intel/jasperlake/finalize.c b/src/soc/intel/jasperlake/finalize.c +index 6cff7a80f30..1b68cc51786 100644 +--- a/src/soc/intel/jasperlake/finalize.c ++++ b/src/soc/intel/jasperlake/finalize.c +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + + /* Indicate finalize step with post code */ + post_code(POSTCODE_OS_BOOT); +diff --git a/src/soc/intel/meteorlake/finalize.c b/src/soc/intel/meteorlake/finalize.c +index a977b0516e5..951153fa812 100644 +--- a/src/soc/intel/meteorlake/finalize.c ++++ b/src/soc/intel/meteorlake/finalize.c +@@ -75,7 +75,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + tbt_finalize(); + sa_finalize(); + if (CONFIG(USE_FSP_NOTIFY_PHASE_READY_TO_BOOT) && +diff --git a/src/soc/intel/skylake/finalize.c b/src/soc/intel/skylake/finalize.c +index fd80aeac1a0..a147b62e46f 100644 +--- a/src/soc/intel/skylake/finalize.c ++++ b/src/soc/intel/skylake/finalize.c +@@ -106,7 +106,8 @@ static void soc_finalize(void *unused) + pch_finalize_script(dev); + + soc_lockdown(dev); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + + /* Indicate finalize step with post code */ + post_code(POSTCODE_OS_BOOT); +diff --git a/src/soc/intel/tigerlake/finalize.c b/src/soc/intel/tigerlake/finalize.c +index cd02745a9e6..06ce243fe72 100644 +--- a/src/soc/intel/tigerlake/finalize.c ++++ b/src/soc/intel/tigerlake/finalize.c +@@ -55,7 +55,8 @@ static void soc_finalize(void *unused) + printk(BIOS_DEBUG, "Finalizing chipset.\n"); + + pch_finalize(); +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + tbt_finalize(); + if (CONFIG(DISABLE_HECI1_AT_PRE_BOOT)) + heci1_disable(); +diff --git a/src/soc/intel/xeon_sp/finalize.c b/src/soc/intel/xeon_sp/finalize.c +index af630fe8127..8e409b8c439 100644 +--- a/src/soc/intel/xeon_sp/finalize.c ++++ b/src/soc/intel/xeon_sp/finalize.c +@@ -59,7 +59,8 @@ static void soc_finalize(void *unused) + if (!CONFIG(USE_PM_ACPI_TIMER)) + setbits8(pmc_mmio_regs() + PCH_PWRM_ACPI_TMR_CTL, ACPI_TIM_DIS); + +- apm_control(APM_CNT_FINALIZE); ++ if (CONFIG(INTEL_CHIPSET_LOCKDOWN) || acpi_is_wakeup_s3()) ++ apm_control(APM_CNT_FINALIZE); + lock_pam0123(); + + if (CONFIG_MAX_SOCKET > 1) {