diff --git a/configs/config.protectli_vp66xx_cmos_edk2 b/configs/config.protectli_vp66xx_cmos_edk2 index 4f25318fe3a..adf25a6c167 100644 --- a/configs/config.protectli_vp66xx_cmos_edk2 +++ b/configs/config.protectli_vp66xx_cmos_edk2 @@ -60,3 +60,5 @@ CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y # CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set # CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set CONFIG_POST_DEVICE_LPC=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_BOOTMEDIA_LOCK_TOPSWAP=y diff --git a/payloads/external/edk2/Kconfig.dasharo b/payloads/external/edk2/Kconfig.dasharo index 9efcbca4b5f..b080c1d56e8 100644 --- a/payloads/external/edk2/Kconfig.dasharo +++ b/payloads/external/edk2/Kconfig.dasharo @@ -4,7 +4,7 @@ config EDK2_REPOSITORY default "https://github.com/Dasharo/edk2" config EDK2_TAG_OR_REV - default "42934b120ff2a73051f64926e45fe5c2750ad741" + default "origin/capsule_redundancy" config EDK2_SYSTEM76_EC_LOGGING bool "Enable edk2 logging to System76 EC" diff --git a/src/mainboard/protectli/vault_adl_p/Kconfig b/src/mainboard/protectli/vault_adl_p/Kconfig index 815ab48eb89..ef896e9565b 100644 --- a/src/mainboard/protectli/vault_adl_p/Kconfig +++ b/src/mainboard/protectli/vault_adl_p/Kconfig @@ -20,9 +20,11 @@ config BOARD_SPECIFIC_OPTIONS select HAVE_CMOS_DEFAULT select USE_OPTION_TABLE select INTEL_HAS_TOP_SWAP - select INTEL_ADD_TOP_SWAP_BOOTBLOCK - select INTEL_TOP_SWAP_SEPARATE_REGIONS - select INTEL_TOP_SWAP_OPTION_CONTROL + select TOP_SWAP_REDUNDANCY + select CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE + +config INTEL_TOP_SWAP_BOOTBLOCK_SIZE + default 0x80000 config MAINBOARD_DIR default "protectli/vault_adl_p" diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index fac338017e4..7374e2b0beb 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig 
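Review bot: The new `EDK2_TAG_OR_REV` default in payloads/external/edk2/Kconfig.dasharo, `origin/capsule_redundancy`, is a branch ref, while the value it replaces was a full commit hash. With a moving ref, the payload that ends up in the image can change without any change in this tree, which makes builds non-reproducible and harder to audit. That matters more for an image whose Slot A is meant to become a write-protected golden copy. Keep a commit hash as the default, or if the branch name is needed during development, mark it with `# TODO: pin EDK2_TAG_OR_REV to a commit hash before merge`.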
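Review bot: In src/mainboard/protectli/vault_adl_p/Kconfig, `select CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE` carries the `CONFIG_` prefix, which Kconfig symbol names do not use; the line should read `select INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE`. The symbol's definition is not visible here, but the Makefile.mk hunk in this same commit tests `$(CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE)`, which corresponds to the unprefixed symbol. As written, the select most likely names an undefined symbol. The ifdtool step that sets the top swap strap would then be skipped, and the descriptor could disagree with the `0x80000` default for `INTEL_TOP_SWAP_BOOTBLOCK_SIZE` added just below.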
@@ -72,6 +72,18 @@ config BOOTMEDIA_LOCK_WPRO_VBOOT_RO is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. by the payload or the OS). +config BOOTMEDIA_LOCK_TOPSWAP + bool "Write-protect the COREBOOT & BOOTBLOCK regions" + depends on TOP_SWAP_REDUNDANCY + depends on BOOTMEDIA_LOCK_CONTROLLER + help + Select this if you want to write-protect the BOOTBLOCK and COREBOOT + (Slot A) regions as specified in the Top Swap FMAP. You will be able to + write to the TOPSWAP and COREBOOT_TS (Slot B) regions and set the + attempt_slot_b CMOS option to run updated firmware. The BOOTBLOCK and + COREBOOT regions will remain a read-only golden copy, which you can + then revert to by resetting CMOS. + endchoice config BOOTMEDIA_LOCK_IN_VERSTAGE diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index 233968e955e..147d70eb971 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -33,6 +33,9 @@ void boot_device_security_lockdown(void) } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { printk(BIOS_DEBUG, "'WP_RO only'"); lock_type = CTRLR_WP; + } else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + printk(BIOS_DEBUG, "'COREBOOT + BOOTBLOCK'"); + lock_type = CTRLR_WP; } printk(BIOS_DEBUG, " using CTRL...\n"); } else { @@ -51,6 +54,11 @@ void boot_device_security_lockdown(void) printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n"); else rdev = &dev; + } else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + if (fmap_locate_area_as_rdev("COREBOOT", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'COREBOOT'\n"); + else + rdev = &dev; } else { rdev = boot_device_ro(); } 
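Review bot: The help text for `BOOTMEDIA_LOCK_TOPSWAP` names the CMOS option `attempt_slot_b`, while the help text for `TOP_SWAP_REDUNDANCY` in the Kconfig.common hunk of this commit calls it `attempt_top_swap`. Only one of these can match the board's cmos.layout, which is not visible here, so one help text sends the user to an option that does not exist. Use the same name in both places. It would also help to state in this help text that the lock covers exactly the FMAP regions named `COREBOOT` and `BOOTBLOCK`, since lockdown.c looks them up by those literal strings.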
@@ -59,6 +67,18 @@ void boot_device_security_lockdown(void) printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n"); else printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n"); + + if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + /* + * Additionally set a protected range for the BOOTBLOCK region + */ + if (fmap_locate_area_as_rdev("BOOTBLOCK", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'BOOTBLOCK'\n"); + else if (boot_device_wp_region(&dev, lock_type) >= 0) + printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection for BOOTBLOCK\n"); + else + printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection for BOOTBLOCK\n"); + } } static void lock(void *unused) diff --git a/src/soc/intel/common/Kconfig.common b/src/soc/intel/common/Kconfig.common index 7037dd76af9..a1a0babab02 100644 --- a/src/soc/intel/common/Kconfig.common +++ b/src/soc/intel/common/Kconfig.common @@ -66,6 +66,19 @@ config INTEL_TOP_SWAP_OPTION_CONTROL option. Note that the option must be present in the board's cmos.layout. file. +config TOP_SWAP_REDUNDANCY + bool "Toggle the Intel Top Swap - based redundancy" + depends on HAVE_OPTION_TABLE && INTEL_HAS_TOP_SWAP + select INTEL_ADD_TOP_SWAP_BOOTBLOCK + select INTEL_TOP_SWAP_SEPARATE_REGIONS + select INTEL_TOP_SWAP_OPTION_CONTROL + help + Toggle the Intel Top Swap based redundancy, where the BOOTBLOCK and COREBOOT + regions form a read-only golden copy and TOPSWAP and COREBOOT_TS are an + update partition. CMOS option "attempt_top_swap" decides which of the slots + gets booted, which means the platform can be reverted to the known-good copy + via CMOS reset. + endif config SOC_INTEL_COMMON diff --git a/src/southbridge/intel/common/firmware/Makefile.mk b/src/southbridge/intel/common/firmware/Makefile.mk index 10b1c4c906b..74f89ad6ef7 100644 --- a/src/southbridge/intel/common/firmware/Makefile.mk +++ b/src/southbridge/intel/common/firmware/Makefile.mk 
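Review bot: The added BOOTBLOCK lock at the end of `boot_device_security_lockdown()` is attempted and reported independently of the COREBOOT lock from the previous hunk. If either lookup or `boot_device_wp_region()` call fails, Slot A is left only partly write-protected, yet the other range still logs "Enabled bootmedia protection" at `BIOS_INFO` and boot continues. The board config touched by this commit also sets `CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y`, so the `BIOS_ERR` lines may never reach the console. Consider tracking both results and emitting one final status, for example `printk(BIOS_ERR, "BM-LOCKDOWN: Slot A golden copy is NOT fully write-protected\n");`, and decide whether a partial lock should be treated as a hard failure. The function begins outside this hunk, so how `rdev` is handled when the COREBOOT lookup fails cannot be confirmed from here.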
@@ -49,7 +49,7 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_EC_BIN_PATH)) endif add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL) -ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) +ifeq ($(CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) printf " IFDTOOL Modifying top swap PCH strap in IFD\n" printf " $(IFDTOOL_USE_CHIPSET)" $(objutil)/ifdtool/ifdtool \ @@ -58,7 +58,7 @@ ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) -O $(obj)/ifd_custom_tsbs \ $(IFD_BIN_PATH) printf " DD Adding Intel Firmware Descriptor\n" - dd if=$(obj)/ifd_custom_tsbs\ + dd if=$(obj)/ifd_custom_tsbs \ of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1 else printf " DD Adding Intel Firmware Descriptor\n"