From ef0b70a89a893f7db295cc7cb9bf6d3b0a0dbc3b Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 22 Oct 2024 06:57:04 -0400
Subject: [PATCH] ns50: add PR0 chipset locking requirements to board config and coreboot config
Signed-off-by: Thierry Laurion
---
 boards/nitropad-ns50/nitropad-ns50.config | 7 ++++++-
 config/coreboot-nitropad-ns50.config | 10 ++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config
index 7721927b..c0eccb69 100644
--- a/boards/nitropad-ns50/nitropad-ns50.config
+++ b/boards/nitropad-ns50/nitropad-ns50.config
@@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MSRTOOLS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
 #Remote attestation support
 # TPM2 requirements
 CONFIG_TPM2_TSS=y
diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config
index 9e5dc0ee..f7f95058 100644
--- a/config/coreboot-nitropad-ns50.config
+++ b/config/coreboot-nitropad-ns50.config
@@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000
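Review bot: The new comment `#platform locking finalization (PR0)` does not say what the finalization does or what it depends on, and the option only makes sense together with the coreboot-side choices made in the same patch (`# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set`, `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y`, `CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y`) that a reader of the board config cannot see. I would replace it with `# Platform locking finalization: coreboot is built without INTEL_CHIPSET_LOCKDOWN, so the SPI protected range (PR0) and controller lockdown are only applied when Heads triggers coreboot's finalize step at OS handoff (io386 is pulled in for that); every path that hands off to an OS presumably has to go through it.` That io386 is the trigger is inferred from the two options being added together, so confirm it against the script that consumes CONFIG_FINALIZE_PLATFORM_LOCKING before committing the wording. `CONFIG_MSRTOOLS=y` is dropped in the same hunk with no mention in the subject; check that no board script still calls rdmsr/wrmsr, otherwise that is an unrelated silent regression. The two trailing blank lines after the export can be collapsed to one to match the spacing elsewhere in the file.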
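Review bot: `# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set` next to the new `CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y` turns off the lockdown coreboot would otherwise perform itself on the normal boot path, so from this hunk on the chipset is locked only if the payload finishes the job; that is a deliberate trade, but nothing in this file records it, and a generated .config loses any comment on the next olddefconfig. I would put the rationale in the commit message and the board config instead, e.g. `# coreboot defers chipset/SPI lockdown to Heads (CONFIG_FINALIZE_PLATFORM_LOCKING); INTEL_CHIPSET_LOCKDOWN must stay unset`. If this board supports S3, also verify that the resume path still gets its lockdown from coreboot; my recollection is that the Kconfig help text says resume is always handled by coreboot regardless of this option, but that should be checked against the tree this build pulls rather than assumed. The hunk header counts 8/10 lines while only 7/9 are visible here, so a trailing whitespace-only context line appears to have been lost in rendering.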
@@ -617,6 +620,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 # CONFIG_TPM_PPI is not set
@@ -729,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
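Review bot: `CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y` under `CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y` asks the controller to protect the whole flash, and a protected-range lock, unlike the `CONFIG_BOOTMEDIA_SMM_BWP` variant left unset here, blocks SMM writers too; any runtime flash writer still enabled in this build (the ELOG option visible in the earlier hunk header, an SMMSTORE if one is configured, MRC cache updates) would have its writes rejected once the finalize has run. That may well be the intended outcome for a Heads board, but it should be stated in the commit message, and the end state should be verified after an OS boot by reading back PR0 and FLOCKDN rather than assumed from the config. `CONFIG_BOOTMEDIA_LOCK_CHIP` stays unset, so the flash chip's own status-register protection is not applied and the protection is controller-side only, which is worth saying explicitly. What each option locks is my reading of coreboot's Kconfig help and should be confirmed against the tree this build pulls; the hunk header counts 9/11 lines while 8/10 are visible, so a trailing whitespace-only context line appears to have been lost in rendering.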