author Angel Pons <th3fanbus@gmail.com> 2021-02-10 17:12:05 +0100
committer Patrick Rudolph <siro@das-labor.org> 2021-06-21 08:11:11 +0000
commit d21b463fb058deccef3a2c2ad80d771b5aba9f19 (patch)
tree fdb4d134ffe185f67500f3419960996f0cbb8679 /src/security
parent 44a4c0a58dd4ef725c7ff24f9889b12d42a4c5f2 (diff)
security/intel: Add option to enable SMM flash access only

On platforms where the boot media can be updated externally, e.g. using a BMC, add the possibility to enable writes in SMM only. This allows to protect the BIOS region even without the use of vboot, but keeps SMMSTORE working for use in payloads. Note that this breaks flashconsole, since the flash becomes read-only.

Tested on Asrock B85M Pro4 and HP 280 G2, SMM BIOS write protection works as expected, and SMMSTORE can still be used.

Change-Id: I157db885b5f1d0f74009ede6fb2342b20d9429fa
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/40830
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>

Diffstat (limited to 'src/security')
-rw-r--r-- src/security/lockdown/Kconfig 11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/security/lockdown/Kconfig b/src/security/lockdown/Kconfig
index 9d83a45b1d3e..8d48beb76643 100644
--- a/src/security/lockdown/Kconfig
+++ b/src/security/lockdown/Kconfig
@@ -84,6 +84,17 @@ config BOOTMEDIA_LOCK_IN_VERSTAGE
ramstage, like the MRC cache for example.
Use this option if you don't trust code running after verstage.
+config BOOTMEDIA_SMM_BWP
+ bool "Boot media only writable in SMM"
+ depends on !CONSOLE_SPI_FLASH
+ depends on BOOT_DEVICE_SPI_FLASH && HAVE_SMI_HANDLER
+ depends on SOUTHBRIDGE_INTEL_COMMON_SPI || SOC_INTEL_COMMON_BLOCK_SPI
+ select SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE if SOC_INTEL_COMMON_BLOCK_SPI
+ help
+ Only allow flash writes in SMM. Select this if you want to use SMMSTORE
+ while also preventing unauthorized writes through the internal controller.
+ Note that this breaks flashconsole, since the flash becomes read-only.
+
choice
prompt "SPI Flash write protection duration"
default BOOTMEDIA_SPI_LOCK_REBOOT
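
Review bot: the help text of BOOTMEDIA_SMM_BWP warns that the option "breaks flashconsole", but "depends on !CONSOLE_SPI_FLASH" already makes the two mutually exclusive, so anyone with flashconsole enabled never sees this prompt or its warning. Consider rewording the last help line to say the option is unavailable while CONSOLE_SPI_FLASH is set. The help text also gives no reason for "select SOC_INTEL_COMMON_BLOCK_SMM_TCO_ENABLE if SOC_INTEL_COMMON_BLOCK_SPI"; a sentence on why the TCO SMI is needed on that controller would document the dependency. Finally, the entry sits directly above the "SPI Flash write protection duration" choice without saying how the two combine, and it does not state that the protection depends on the SMI handler being the only trusted writer; both are worth a line for users deciding between this option and the existing lock options.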