src/security/lockdown/lockdown.c

   1 /* SPDX-License-Identifier: GPL-2.0-or-later */
   2
   3 #include <boot_device.h>
   4 #include <commonlib/region.h>
   5 #include <console/console.h>
   6 #include <bootstate.h>
   7 #include <fmap.h>
   8
   9 /*
  10  * Enables read- /write protection of the bootmedia.
  11  */
  12 void boot_device_security_lockdown(void)
  13 {
  14         const struct region_device *rdev = NULL;
  15         struct region_device dev;
  16         enum bootdev_prot_type lock_type;
  17
  18         printk(BIOS_DEBUG, "BM-LOCKDOWN: Enabling boot media protection scheme ");
  19
  20         if (CONFIG(BOOTMEDIA_LOCK_CONTROLLER)) {
  21                 if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
  22                         printk(BIOS_DEBUG, "'readonly'");
  23                         lock_type = CTRLR_WP;
  24                 } else if (CONFIG(BOOTMEDIA_LOCK_WHOLE_NO_ACCESS)) {
  25                         printk(BIOS_DEBUG, "'no access'");
  26                         lock_type = CTRLR_RWP;
  27                 } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
  28                         printk(BIOS_DEBUG, "'WP_RO only'");
  29                         lock_type = CTRLR_WP;
  30                 }
  31                 printk(BIOS_DEBUG, " using CTRL...\n");
  32         } else {
  33                 if (CONFIG(BOOTMEDIA_LOCK_WHOLE_RO)) {
  34                         printk(BIOS_DEBUG, "'readonly'");
  35                         lock_type = MEDIA_WP;
  36                 } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
  37                         printk(BIOS_DEBUG, "'WP_RO only'");
  38                         lock_type = MEDIA_WP;
  39                 }
  40                 printk(BIOS_DEBUG, " using flash chip...\n");
  41         }
  42
  43         if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) {
  44                 if (fmap_locate_area_as_rdev("WP_RO", &dev) < 0)
  45                         printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n");
  46                 else
  47                         rdev = &dev;
  48         } else {
  49                 rdev = boot_device_ro();
  50         }
  51
  52         if (rdev && boot_device_wp_region(rdev, lock_type) >= 0)
  53                 printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n");
  54         else
  55                 printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n");
  56 }
  57
  58 static void lock(void *unused)
  59 {
  60         boot_device_security_lockdown();
  61 }
  62
  63 /*
  64  * Keep in sync with mrc_cache.c
  65  */
  66
  67 #if CONFIG(MRC_WRITE_NV_LATE)
  68 BOOT_STATE_INIT_ENTRY(BS_OS_RESUME_CHECK, BS_ON_EXIT, lock, NULL);
  69 #else
  70 BOOT_STATE_INIT_ENTRY(BS_DEV_RESOURCES, BS_ON_ENTRY, lock, NULL);
  71 #endif