coreboot
coreboot is an Open Source project aimed at replacing the proprietary BIOS found in most computers.
lockdown.c
Go to the documentation of this file.
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 
3 #include <boot_device.h>
4 #include <commonlib/region.h>
5 #include <console/console.h>
6 #include <bootstate.h>
7 #include <fmap.h>
8 
9 /*
10  * Enables read- /write protection of the bootmedia.
11  */
12 void boot_device_security_lockdown(void)
13 {
14  const struct region_device *rdev = NULL;
15  struct region_device dev;
16  enum bootdev_prot_type lock_type;
17 
18  printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme ");
19 
20  if (CONFIG(BOOTMEDIA_LOCK_CONTROLLER)) {
21  if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
22  printk(BIOS_DEBUG, "'readonly'");
23  lock_type = CTRLR_WP;
24  } else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) {
25  printk(BIOS_DEBUG, "'no access'");
26  lock_type = CTRLR_RWP;
27  } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
28  printk(BIOS_DEBUG, "'WP_RO only'");
29  lock_type = CTRLR_WP;
30  }
31  printk(BIOS_DEBUG, " using CTRL...\n");
32  } else {
33  if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
34  printk(BIOS_DEBUG, "'readonly'");
35  lock_type = MEDIA_WP;
36  } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
37  printk(BIOS_DEBUG, "'WP_RO only'");
38  lock_type = MEDIA_WP;
39  }
40  printk(BIOS_DEBUG, " using flash chip...\n");
41  }
42 
43  if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
44  if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0)
45  printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
46  else
47  rdev = &dev;
48  } else {
49  rdev = boot_device_ro();
50  }
51 
52  if (rdev && boot_device_wp_region(rdev, lock_type) >= 0)
53  printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n");
54  else
55  printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n");
56 }
57 
58 static void lock(void *unused)
59 {
60  boot_device_security_lockdown();
61 }
62 
63 /*
64  * Keep in sync with mrc_cache.c
65  */
66 
67 #if CONFIG(MRC_WRITE_NV_LATE)
68 BOOT_STATE_INIT_ENTRY(BS_OS_RESUME_CHECK, BS_ON_EXIT, lock, NULL);
69 #else
70 BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_ENTRY, lock, NULL);
71 #endif
boot_device_ro
const struct region_device * boot_device_ro(void)
Definition: rom_media.c:9
boot_device.h
bootdev_prot_type
bootdev_prot_type
Definition: boot_device.h:18
CTRLR_RWP
@ CTRLR_RWP
Definition: boot_device.h:21
CTRLR_WP
@ CTRLR_WP
Definition: boot_device.h:19
MEDIA_WP
@ MEDIA_WP
Definition: boot_device.h:22
boot_device_wp_region
int boot_device_wp_region(const struct region_device *rd, const enum bootdev_prot_type type)
Definition: boot_device_rw_nommap.c:83
BS_OS_RESUME_CHECK
@ BS_OS_RESUME_CHECK
Definition: bootstate.h:85
BS_DEV_RESOURCES
@ BS_DEV_RESOURCES
Definition: bootstate.h:81
BS_ON_ENTRY
@ BS_ON_ENTRY
Definition: bootstate.h:95
BS_ON_EXIT
@ BS_ON_EXIT
Definition: bootstate.h:96
printk
#define printk(level,...)
Definition: stdlib.h:16
CONFIG
@ CONFIG
Definition: dsi_common.h:201
rdev
static struct region_device rdev
Definition: flashconsole.c:14
fmap_locate_area_as_rdev
int fmap_locate_area_as_rdev(const char *name, struct region_device *area)
Definition: fmap.c:144
BIOS_INFO
#define BIOS_INFO
BIOS_INFO - Expected events.
Definition: loglevel.h:113
BIOS_DEBUG
#define BIOS_DEBUG
BIOS_DEBUG - Verbose output.
Definition: loglevel.h:128
BIOS_ERR
#define BIOS_ERR
BIOS_ERR - System in incomplete state.
Definition: loglevel.h:72
BOOT_STATE_INIT_ENTRY
BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_ENTRY, lock, NULL)
lock
static void lock(void *unused)
Definition: lockdown.c:58
boot_device_security_lockdown
void boot_device_security_lockdown(void)
Definition: lockdown.c:12
NULL
#define NULL
Definition: stddef.h:19
region_device
Definition: region.h:81