Merge pull request #1818 from tlaurion/pr0_skylake_and_more_recent

WiP: PR0 (SPI write prevention through chipset locking) for nv4x_adl, setting base for other platforms/downstream forks supporting >=Skylake+
linuxboot · Nov 29, 2024 · e31afc5 · e31afc5
2 parents 87732b7 + 03ba386
commit e31afc5
Show file tree

Hide file tree

Showing 31 changed files with 455 additions and 57 deletions.
diff --git a/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config b/boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config
@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead

diff --git a/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config b/boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config
@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead

diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config
@@ -29,7 +29,13 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MSRTOOLS=y
+
+#TODO: readd when tested
+#platform locking finalization (PR0)
+#CONFIG_IO386=y
+#export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
 #Remote attestation support
 # TPM2 requirements
 CONFIG_TPM2_TSS=y

diff --git a/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config b/boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config
@@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MSRTOOLS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
 #Remote attestation support
 # TPM2 requirements
 CONFIG_TPM2_TSS=y

diff --git a/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config b/boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config
@@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y
 #platform locking finalization (PR0)
 # This prevents SPI from being writeable outside of Heads
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Nitrokey Storage admin tool (deprecated)
 #CONFIG_NKSTORECLI=n

diff --git a/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config b/boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config
@@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y
 #platform locking finalization (PR0)
 # This prevents SPI from being writeable outside of Heads
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Nitrokey Storage admin tool (deprecated)
 #CONFIG_NKSTORECLI=n

diff --git a/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config b/boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config
@@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y
 #platform locking finalization (PR0)
 # This prevents SPI from being writeable outside of Heads
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Nitrokey Storage admin tool (deprecated)
 #CONFIG_NKSTORECLI=n

diff --git a/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config b/boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config
@@ -49,7 +49,7 @@ CONFIG_TPMTOTP=y
 #platform locking finalization (PR0)
 # This prevents SPI from being writeable outside of Heads
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Nitrokey Storage admin tool (deprecated)
 #CONFIG_NKSTORECLI=n

diff --git a/boards/t420-hotp-maximized/t420-hotp-maximized.config b/boards/t420-hotp-maximized/t420-hotp-maximized.config
@@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements

diff --git a/boards/t420-maximized/t420-maximized.config b/boards/t420-maximized/t420-maximized.config
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements

diff --git a/boards/t430-hotp-maximized/t430-hotp-maximized.config b/boards/t430-hotp-maximized/t430-hotp-maximized.config
@@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements

diff --git a/boards/t430-maximized/t430-maximized.config b/boards/t430-maximized/t430-maximized.config
@@ -30,7 +30,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/t530-hotp-maximized/t530-hotp-maximized.config b/boards/t530-hotp-maximized/t530-hotp-maximized.config
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/t530-maximized/t530-maximized.config b/boards/t530-maximized/t530-maximized.config
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/w530-hotp-maximized/w530-hotp-maximized.config b/boards/w530-hotp-maximized/w530-hotp-maximized.config
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/w530-maximized/w530-maximized.config b/boards/w530-maximized/w530-maximized.config
@@ -31,7 +31,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/x220-hotp-maximized/x220-hotp-maximized.config b/boards/x220-hotp-maximized/x220-hotp-maximized.config
@@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements

diff --git a/boards/x220-maximized/x220-maximized.config b/boards/x220-maximized/x220-maximized.config
@@ -32,7 +32,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Remote attestation support
 #TPM based requirements

diff --git a/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config b/boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
@@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/x230-hotp-maximized/x230-hotp-maximized.config b/boards/x230-hotp-maximized/x230-hotp-maximized.config
@@ -49,7 +49,7 @@ CONFIG_HOTPKEY=y
 #platform locking finalization (PR0)
 # This prevents SPI from being writeable outside of Heads
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 #Nitrokey Storage admin tool (deprecated)
 #CONFIG_NKSTORECLI=n

diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
@@ -39,7 +39,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config b/boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
@@ -43,7 +43,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/x230-maximized/x230-maximized.config b/boards/x230-maximized/x230-maximized.config
@@ -34,7 +34,7 @@ CONFIG_PCIUTILS=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
 
 
 #Remote attestation support

diff --git a/boards/z220-cmt-maximized/z220-cmt-maximized.config b/boards/z220-cmt-maximized/z220-cmt-maximized.config
@@ -43,7 +43,7 @@ CONFIG_TPMTOTP=y
 
 #platform locking finalization (PR0)
 CONFIG_IO386=y
-export CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE=y 
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y 
 
 # Dependencies for a graphical menu. Enable CONFIG_SLANG and CONFIG_NEWT instead
 # for a console-based menu.

diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config
@@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000
 
@@ -617,6 +620,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 # CONFIG_TPM_PPI is not set
@@ -729,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 

diff --git a/config/coreboot-novacustom_nv4x_adl.config b/config/coreboot-novacustom_nv4x_adl.config
@@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000
 
@@ -618,6 +621,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 # CONFIG_TPM_PPI is not set
@@ -730,9 +734,11 @@ CONFIG_INTEL_TXT_LIB=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security
 

diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
@@ -83,7 +83,7 @@ while true; do
         'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output"
     )
 
-    [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ] && dynamic_config_options+=(
+    [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=(
         't' ' Deactivate Platform Locking to permit OS write access to firmware'
     )
 
@@ -103,8 +103,8 @@ while true; do
 
   case "$menu_choice" in
     "t" )
-      unset CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE
-      replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" "n"
+      unset CONFIG_FINALIZE_PLATFORM_LOCKING
+      replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n"
       combine_configs
       . /tmp/config
     ;;

diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
@@ -170,7 +170,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
 	tpmr kexec_finalize
 fi
 
-if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then
 	lock_chip
 fi
 

diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
@@ -1,41 +1,25 @@
 #!/bin/sh
 # For this to work:
-#  - io386 module needs to be enabled in board config (sandy/ivy/haswell know to work)
-#  - coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+#  - io386 module needs to be enabled in board config
+#  - <Skylake: coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
+#  - >=Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
 #  - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
-# TODO: If more platforms are able to enable CONFIG_INTEL_CHIPSET_LOCKDOWN in the future, have board config export APM_CNT and FIN_CODE and modify this script accordingly
 
 #include ash shell functions (TRACE requires it)
 . /etc/ash_functions
 
 TRACE "Under /bin/lock_chip"
-if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
+if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then
 	APM_CNT=0xb2
 	FIN_CODE=0xcb
 fi
 
 if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
-	# SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
-	# SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
-	# for SMM access.
-	#
-	# It uses the processor’s memory protection and paging mechanisms to restrict what
-	# SMM code can read and write. SMM Supervisor marks critical pages, such as its
-	# own code, data, and page tables, as supervisor pages, which are only accessible
-	# from the most privileged level (CPL0).
-	#
-	# It also marks the rest of the SMM memory as user pages, which are accessible
-	# from any privilege level.
-	#
-	# This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
-	# that states what resources the SMI handlers (the interrupt handlers that run in SMM)
-	# require access to.
-	#
-	# SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
-	# which prevents further changes to the SMM memory and configuration.
-	# Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
-	# This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
-	# after the system boots.
+	# PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
+	# which prevents further changes to the SPI controller configuration. The flash
+	# will become write protected in the range specified in the PR0 register. Once
+	# the protection is set and locked, it cannot be disabled 
+	# until the next system reset.
 	echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
 	io386 -o b -b x $APM_CNT $FIN_CODE
 else

diff --git a/...hes/coreboot-dasharo-unreleased/501.patch → ...eased/0001-tpm_pirq-not_conditional.patch b/...hes/coreboot-dasharo-unreleased/501.patch → ...eased/0001-tpm_pirq-not_conditional.patch