From bad306cb3dd94785841ffd474b99076061221d8c Mon Sep 17 00:00:00 2001 From: Sergii Dmytruk Date: Tue, 9 Dec 2025 00:48:13 +0200 Subject: [PATCH 1/4] sb/intel/common/firmware/Makefile.mk: fix INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE Halfway through the review of CB:89493 (commit 6e4501661095 ("intel soc,southbridge: Add Kconfig to set TSBS in IFD during build")) the option was renamed and lost "CONFIG_" prefix in the Makefile. Add the missing prefix. The omission was discovered and the fix tested while trying to use this option on Protectli VP6670 where incorrect Top Swap size prevented a boot. Adding a missing space while at it. Change-Id: Ie85fc0b81b2231760878306cf065598bec390e9f Signed-off-by: Sergii Dmytruk Reviewed-on: https://review.coreboot.org/c/coreboot/+/90432 Reviewed-by: Matt DeVillier Tested-by: build bot (Jenkins) --- src/southbridge/intel/common/firmware/Makefile.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/southbridge/intel/common/firmware/Makefile.mk b/src/southbridge/intel/common/firmware/Makefile.mk index 10b1c4c906b..74f89ad6ef7 100644 --- a/src/southbridge/intel/common/firmware/Makefile.mk +++ b/src/southbridge/intel/common/firmware/Makefile.mk @@ -49,7 +49,7 @@ ifeq ($(CONFIG_HAVE_EC_BIN),y) add_intel_firmware: $(call strip_quotes,$(CONFIG_EC_BIN_PATH)) endif add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL) -ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) +ifeq ($(CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) printf " IFDTOOL Modifying top swap PCH strap in IFD\n" printf " $(IFDTOOL_USE_CHIPSET)" $(objutil)/ifdtool/ifdtool \ @@ -58,7 +58,7 @@ ifeq ($(INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y) -O $(obj)/ifd_custom_tsbs \ $(IFD_BIN_PATH) printf " DD Adding Intel Firmware Descriptor\n" - dd if=$(obj)/ifd_custom_tsbs\ + dd if=$(obj)/ifd_custom_tsbs \ of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1 else printf " DD Adding Intel Firmware Descriptor\n" 
From fb3d1ce8a164e8212438479aaf672ade2ea8324e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filip=20Lewi=C5=84ski?= Date: Mon, 8 Dec 2025 14:39:57 +0100 Subject: [PATCH 2/4] security/lockdown/lockdown.c: option to lock COREBOOT and BOOTBLOCK MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add an option to lock the regions BOOTBLOCK and COREBOOT, leaving the regions TOPSWAP and COREBOOT_TS for updates in an Intel Top Swap redundancy scenario. This means that the user can now write and choose to boot from the update regions, selecting the attempt_slot_b CMOS option, and there is a protected golden copy of the entire firmware, that cannot be overwritten and can be reverted to by resetting CMOS. This is part of an ongoing implementation of a redundancy feature proposed on the mailing list: https://mail.coreboot.org/archives/list/coreboot@coreboot.org/thread/C6JN2PB7K7D67EG7OIKB6BBERZU5YV35/ Change-Id: Ia6dea22c41e2fc778af6ca7049b72c92686ec85f Signed-off-by: Filip Lewiński --- src/security/lockdown/Kconfig | 12 ++++++++++++ src/security/lockdown/lockdown.c | 20 ++++++++++++++++++++ src/soc/intel/common/Kconfig.common | 13 +++++++++++++ 3 files changed, 45 insertions(+) diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig index fac338017e4..7374e2b0beb 100644 --- a/src/security/lockdown/Kconfig +++ b/src/security/lockdown/Kconfig 
@@ -72,6 +72,18 @@ config BOOTMEDIA_LOCK_WPRO_VBOOT_RO is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g. by the payload or the OS). +config BOOTMEDIA_LOCK_TOPSWAP + bool "Write-protect the COREBOOT & BOOTBLOCK regions" + depends on TOP_SWAP_REDUNDANCY + depends on BOOTMEDIA_LOCK_CONTROLLER + help + Select this if you want to write-protect the BOOTBLOCK and COREBOOT + (Slot A) regions as specified in the Top Swap FMAP. You will be able to + write to the TOPSWAP and COREBOOT_TS (Slot B) regions and set the + attempt_slot_b CMOS option to run updated firmware. The BOOTBLOCK and + COREBOOT regions will remain a read-only golden copy, which you can + then revert to by resetting CMOS. + endchoice config BOOTMEDIA_LOCK_IN_VERSTAGE diff --git a/src/security/lockdown/lockdown.c b/src/security/lockdown/lockdown.c index 233968e955e..147d70eb971 100644 --- a/src/security/lockdown/lockdown.c +++ b/src/security/lockdown/lockdown.c @@ -33,6 +33,9 @@ void boot_device_security_lockdown(void) } else if (CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)) { printk(BIOS_DEBUG, "'WP_RO only'"); lock_type = CTRLR_WP; + } else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + printk(BIOS_DEBUG, "'COREBOOT + BOOTBLOCK'"); + lock_type = CTRLR_WP; } printk(BIOS_DEBUG, " using CTRL...\n"); } else { @@ -51,6 +54,11 @@ void boot_device_security_lockdown(void) printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'WP_RO'\n"); else rdev = &dev; + } else if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + if (fmap_locate_area_as_rdev("COREBOOT", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'COREBOOT'\n"); + else + rdev = &dev; } else { rdev = boot_device_ro(); } 
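Review bot: The help text for BOOTMEDIA_LOCK_TOPSWAP names the CMOS option `attempt_slot_b`, while the TOP_SWAP_REDUNDANCY help added to src/soc/intel/common/Kconfig.common in this same patch names `attempt_top_swap`; one of the two is wrong and both should match the name used in the board's cmos.layout. The entry also does not say when the protection takes effect, unlike the context lines directly above it, which tie locking to chipset lockdown (INTEL_CHIPSET_LOCKDOWN, or a later trigger by the payload or the OS). If the same applies here, I would add a sentence such as `The protected ranges are only enforced once chipset lockdown has been triggered.` so that users do not assume Slot A is protected as soon as this option is set.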
@@ -59,6 +67,18 @@ void boot_device_security_lockdown(void) printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection\n"); else printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection\n"); + + if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP)) { + /* + * Additionally set a protected range for the BOOTBLOCK region + */ + if (fmap_locate_area_as_rdev("BOOTBLOCK", &dev) < 0) + printk(BIOS_ERR, "BM-LOCKDOWN: Could not find region 'BOOTBLOCK'\n"); + else if (boot_device_wp_region(&dev, lock_type) >= 0) + printk(BIOS_INFO, "BM-LOCKDOWN: Enabled bootmedia protection for BOOTBLOCK\n"); + else + printk(BIOS_ERR, "BM-LOCKDOWN: Failed to enable bootmedia protection for BOOTBLOCK\n"); + } } static void lock(void *unused) diff --git a/src/soc/intel/common/Kconfig.common b/src/soc/intel/common/Kconfig.common index 7037dd76af9..a1a0babab02 100644 --- a/src/soc/intel/common/Kconfig.common +++ b/src/soc/intel/common/Kconfig.common @@ -66,6 +66,19 @@ config INTEL_TOP_SWAP_OPTION_CONTROL option. Note that the option must be present in the board's cmos.layout. file. +config TOP_SWAP_REDUNDANCY + bool "Toggle the Intel Top Swap - based redundancy" + depends on HAVE_OPTION_TABLE && INTEL_HAS_TOP_SWAP + select INTEL_ADD_TOP_SWAP_BOOTBLOCK + select INTEL_TOP_SWAP_SEPARATE_REGIONS + select INTEL_TOP_SWAP_OPTION_CONTROL + help + Toggle the Intel Top Swap based redundancy, where the BOOTBLOCK and COREBOOT + regions form a read-only golden copy and TOPSWAP and COREBOOT_TS are an + update partition. CMOS option "attempt_top_swap" decides which of the slots + gets booted, which means the platform can be reverted to the known-good copy + via CMOS reset. + endif config SOC_INTEL_COMMON From 24db89d226aee882ced1a293be72a624a33622b0 Mon Sep 17 00:00:00 2001 
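Review bot: In the new `if (CONFIG(BOOTMEDIA_LOCK_TOPSWAP))` block the BOOTBLOCK lock is attempted and reported independently of the COREBOOT lock handled just above (the region located in the `@@ -51,6 +54,11 @@` hunk), so one region can end up protected while the other stays writable, with only two unrelated log lines to show it. For a golden copy this is the case worth calling out explicitly, because a writable BOOTBLOCK next to a locked COREBOOT is not a Slot A that can be relied on for recovery. I would record both results and emit one summary when either fails, e.g. `printk(BIOS_ERR, "BM-LOCKDOWN: Slot A golden copy is not fully write-protected\n");`, and extend the comment to `/* Slot A is only a golden copy if BOOTBLOCK is locked as well as COREBOOT */`. boot_device_security_lockdown() starts outside this hunk, so where the first result would be stored is not visible here.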
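Review bot: The TOP_SWAP_REDUNDANCY help states that BOOTBLOCK and COREBOOT "form a read-only golden copy", but the symbol only selects INTEL_ADD_TOP_SWAP_BOOTBLOCK, INTEL_TOP_SWAP_SEPARATE_REGIONS and INTEL_TOP_SWAP_OPTION_CONTROL; the write protection comes from the separate BOOTMEDIA_LOCK_TOPSWAP choice in src/security/lockdown/Kconfig. The text should say so, e.g. `Slot A is only read-only when BOOTMEDIA_LOCK_TOPSWAP is also selected.` It would also help to state that slot selection is a CMOS setting, so the feature offers recovery from a bad update rather than a guarantee about which firmware gets booted. As a matter of style the prompt would read better as `bool "Enable Intel Top Swap based redundancy"`.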
From: =?UTF-8?q?Filip=20Lewi=C5=84ski?= Date: Wed, 17 Dec 2025 08:40:57 +0100 Subject: [PATCH 3/4] downstream config after locking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I19ec5c901961a0af76a048620728a669fe15b048 Signed-off-by: Filip Lewiński --- configs/config.protectli_vp66xx_cmos_edk2 | 2 ++ src/mainboard/protectli/vault_adl_p/Kconfig | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/configs/config.protectli_vp66xx_cmos_edk2 b/configs/config.protectli_vp66xx_cmos_edk2 index 4f25318fe3a..adf25a6c167 100644 --- a/configs/config.protectli_vp66xx_cmos_edk2 +++ b/configs/config.protectli_vp66xx_cmos_edk2 @@ -60,3 +60,5 @@ CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y # CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set # CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set CONFIG_POST_DEVICE_LPC=y +CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y +CONFIG_BOOTMEDIA_LOCK_TOPSWAP=y diff --git a/src/mainboard/protectli/vault_adl_p/Kconfig b/src/mainboard/protectli/vault_adl_p/Kconfig index 815ab48eb89..ef896e9565b 100644 --- a/src/mainboard/protectli/vault_adl_p/Kconfig +++ b/src/mainboard/protectli/vault_adl_p/Kconfig @@ -20,9 +20,11 @@ config BOARD_SPECIFIC_OPTIONS select HAVE_CMOS_DEFAULT select USE_OPTION_TABLE select INTEL_HAS_TOP_SWAP - select INTEL_ADD_TOP_SWAP_BOOTBLOCK - select INTEL_TOP_SWAP_SEPARATE_REGIONS - select INTEL_TOP_SWAP_OPTION_CONTROL + select TOP_SWAP_REDUNDANCY + select CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE + +config INTEL_TOP_SWAP_BOOTBLOCK_SIZE + default 0x80000 config MAINBOARD_DIR default "protectli/vault_adl_p" From 367b1d66d70b80e252342aa3047e8a0fac7c5c82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Filip=20Lewi=C5=84ski?= Date: Fri, 19 Dec 2025 12:56:25 +0100 Subject: [PATCH 4/4] bump for edk2 capsule work WiP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I22ae0c336cf36c6903f93b36437341b2da25500c 
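Review bot: The added `select CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE` in src/mainboard/protectli/vault_adl_p/Kconfig uses the `CONFIG_` prefix, which belongs in Makefiles and C code but not in Kconfig symbol references. Patch 1/4 of this series names the option INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE, so this select appears to point at an undefined symbol and the ifdtool step guarded by `ifeq ($(CONFIG_INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE),y)` would presumably never run for this board. The line should be `select INTEL_IFD_SET_TOP_SWAP_BOOTBLOCK_SIZE`. This matters for the lock feature as well, since patch 1/4 reports that an incorrect Top Swap size prevented boot on this hardware.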
Signed-off-by: Filip Lewiński --- payloads/external/edk2/Kconfig.dasharo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/payloads/external/edk2/Kconfig.dasharo b/payloads/external/edk2/Kconfig.dasharo index 9efcbca4b5f..b080c1d56e8 100644 --- a/payloads/external/edk2/Kconfig.dasharo +++ b/payloads/external/edk2/Kconfig.dasharo @@ -4,7 +4,7 @@ config EDK2_REPOSITORY default "https://github.com/Dasharo/edk2" config EDK2_TAG_OR_REV - default "42934b120ff2a73051f64926e45fe5c2750ad741" + default "origin/capsule_redundancy" config EDK2_SYSTEM76_EC_LOGGING bool "Enable edk2 logging to System76 EC"
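Review bot: The new EDK2_TAG_OR_REV default `"origin/capsule_redundancy"` replaces a pinned commit hash with a branch name, so each build fetches whatever the branch head is at that moment. That makes the payload content unreproducible and lets it change without any change in this tree, which is hard to reconcile with a series whose purpose is a trustworthy golden copy. Once the capsule work settles I would pin it again, e.g. `default "<commit-sha-of-capsule_redundancy-head>"` (placeholder), and keep the branch name only in the commit message.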