From dbac4540c9ec33c812a705b9ed479663b85566db Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 26 Jun 2023 11:23:12 -0400 Subject: [PATCH] coreboot config: correct CONFIG_INTEL_CHIPSET_LOCKDOWN behavior to make sure none locks --- config/coreboot-p8z77-m_pro-tpm1.config | 2 +- config/coreboot-t420-maximized.config | 8 +++++--- config/coreboot-t420.config | 2 +- config/coreboot-t430-legacy.config | 2 +- config/coreboot-t430-maximized.config | 4 +++- config/coreboot-t520-maximized.config | 8 +++++--- config/coreboot-t530-dgpu-maximized.config | 8 +++++--- config/coreboot-t530-maximized.config | 4 +++- config/coreboot-w530-dgpu-K1000m-maximized.config | 4 +++- config/coreboot-w530-dgpu-K2000m-maximized.config | 4 +++- config/coreboot-w530-maximized.config | 8 +++++--- config/coreboot-x220-maximized.config | 4 +++- config/coreboot-x220.config | 2 +- config/coreboot-x230-legacy.config | 2 +- config/coreboot-x230-maximized-fhd_edp.config | 4 +++- config/coreboot-x230-maximized.config | 8 +++++--- 16 files changed, 48 insertions(+), 26 deletions(-) diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config index b512b48ef..269df7906 100644 --- a/config/coreboot-p8z77-m_pro-tpm1.config +++ b/config/coreboot-p8z77-m_pro-tpm1.config @@ -327,7 +327,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config index f7653a336..ba3900f77 100644 --- a/config/coreboot-t420-maximized.config +++ b/config/coreboot-t420-maximized.config @@ -328,14 +328,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 @@ -541,9 +541,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config index 87b64f628..5afd33a7a 100644 --- a/config/coreboot-t420.config +++ b/config/coreboot-t420.config @@ -334,7 +334,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 diff --git a/config/coreboot-t430-legacy.config b/config/coreboot-t430-legacy.config index a9972b78c..7262e3dd9 100644 --- a/config/coreboot-t430-legacy.config +++ b/config/coreboot-t430-legacy.config @@ -332,7 +332,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config index 297dd3248..e969548bc 100644 --- a/config/coreboot-t430-maximized.config +++ b/config/coreboot-t430-maximized.config @@ -541,9 +541,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config index 152689e2c..74fe892da 100644 --- a/config/coreboot-t520-maximized.config +++ b/config/coreboot-t520-maximized.config @@ -329,14 +329,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 @@ -537,9 +537,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config index f19c77238..1e9cb8293 100644 --- a/config/coreboot-t530-dgpu-maximized.config +++ b/config/coreboot-t530-dgpu-maximized.config @@ -334,14 +334,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 @@ -542,9 +542,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config index d61b370f4..c54f81e7a 100644 --- a/config/coreboot-t530-maximized.config +++ b/config/coreboot-t530-maximized.config @@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config index 1acc7ae55..45017955a 100644 --- a/config/coreboot-w530-dgpu-K1000m-maximized.config +++ b/config/coreboot-w530-dgpu-K1000m-maximized.config @@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config index 5d838c810..5553695f4 100644 --- a/config/coreboot-w530-dgpu-K2000m-maximized.config +++ b/config/coreboot-w530-dgpu-K2000m-maximized.config @@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config index cc1d7c245..ba4e53152 100644 --- a/config/coreboot-w530-maximized.config +++ b/config/coreboot-w530-maximized.config @@ -331,14 +331,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 @@ -544,9 +544,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config index 57b36c0da..35928de24 100644 --- a/config/coreboot-x220-maximized.config +++ b/config/coreboot-x220-maximized.config @@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index 202c02f81..00bb495a2 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -333,7 +333,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 diff --git a/config/coreboot-x230-legacy.config b/config/coreboot-x230-legacy.config index 06d4967ae..d5dbebe7f 100644 --- a/config/coreboot-x230-legacy.config +++ b/config/coreboot-x230-legacy.config @@ -330,7 +330,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config index 2a1b778ca..51c9ebee5 100644 --- a/config/coreboot-x230-maximized-fhd_edp.config +++ b/config/coreboot-x230-maximized-fhd_edp.config @@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config index 321e0eaa9..25019519b 100644 --- a/config/coreboot-x230-maximized.config +++ b/config/coreboot-x230-maximized.config @@ -328,14 +328,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y -# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set +CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set -CONFIG_INTEL_CHIPSET_LOCKDOWN=y +# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set CONFIG_TCO_SPACE_NOT_YET_SPLIT=y CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000 @@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y # CONFIG_INTEL_TXT is not set # CONFIG_STM is not set -CONFIG_BOOTMEDIA_LOCK_NONE=y +# CONFIG_BOOTMEDIA_LOCK_NONE is not set CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y # CONFIG_BOOTMEDIA_LOCK_CHIP is not set +CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y +# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set # CONFIG_BOOTMEDIA_SMM_BWP is not set # end of Security