coreboot config: correct CONFIG_INTEL_CHIPSET_LOCKDOWN behavior to make sure none locks

tlaurion · tlaurion · commit 14e7a76aaa10 · 2023-06-27T11:21:41.000-04:00
diff --git a/config/coreboot-p8z77-m_pro-tpm1.config b/config/coreboot-p8z77-m_pro-tpm1.config
@@ -327,7 +327,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set 
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
diff --git a/config/coreboot-t420-maximized.config b/config/coreboot-t420-maximized.config
@@ -328,14 +328,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
@@ -541,9 +541,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config
@@ -334,7 +334,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
diff --git a/config/coreboot-t430-legacy.config b/config/coreboot-t430-legacy.config
@@ -332,7 +332,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
diff --git a/config/coreboot-t430-maximized.config b/config/coreboot-t430-maximized.config
@@ -541,9 +541,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-t520-maximized.config b/config/coreboot-t520-maximized.config
@@ -329,14 +329,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
@@ -537,9 +537,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-t530-dgpu-maximized.config b/config/coreboot-t530-dgpu-maximized.config
@@ -334,14 +334,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
@@ -542,9 +542,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-t530-maximized.config b/config/coreboot-t530-maximized.config
@@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-w530-dgpu-K1000m-maximized.config b/config/coreboot-w530-dgpu-K1000m-maximized.config
@@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-w530-dgpu-K2000m-maximized.config b/config/coreboot-w530-dgpu-K2000m-maximized.config
@@ -543,9 +543,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-w530-maximized.config b/config/coreboot-w530-maximized.config
@@ -331,14 +331,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
@@ -544,9 +544,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-x220-maximized.config b/config/coreboot-x220-maximized.config
@@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config
@@ -333,7 +333,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
diff --git a/config/coreboot-x230-legacy.config b/config/coreboot-x230-legacy.config
@@ -332,7 +332,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
diff --git a/config/coreboot-x230-maximized-fhd_edp.config b/config/coreboot-x230-maximized-fhd_edp.config
@@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
diff --git a/config/coreboot-x230-maximized.config b/config/coreboot-x230-maximized.config
@@ -328,14 +328,14 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SPI_ICH9=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_RCBA_PIRQ=y
-# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMM=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_ACPI_MADT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_FINALIZE=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_USB_DEBUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
-CONFIG_INTEL_CHIPSET_LOCKDOWN=y
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_TCO_SPACE_NOT_YET_SPLIT=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_WATCHDOG=y
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
@@ -540,9 +540,11 @@ CONFIG_PLATFORM_HAS_DRAM_CLEAR=y
 
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
 CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 
