ns50: add PR0 chipset locking requirements to board config and coreboot config

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

boards/nitropad-ns50/nitropad-ns50.config

@@ -29,7 +29,12 @@ CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-CONFIG_MSRTOOLS=y
+
+#platform locking finalization (PR0)
+CONFIG_IO386=y
+export CONFIG_FINALIZE_PLATFORM_LOCKING=y
+
+
 #Remote attestation support
 # TPM2 requirements
 CONFIG_TPM2_TSS=y

config/coreboot-nitropad-ns50.config

@@ -428,6 +428,7 @@ CONFIG_SOC_INTEL_COMMON_BLOCK_XHCI_ELOG=y
 CONFIG_SOC_INTEL_COMMON_PCH_CLIENT=y
 CONFIG_SOC_INTEL_COMMON_PCH_BASE=y
 CONFIG_SOC_INTEL_COMMON_PCH_LOCKDOWN=y
+CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y
 CONFIG_PCH_SPECIFIC_BASE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_DISCRETE_OPTIONS=y
 CONFIG_PCH_SPECIFIC_CLIENT_OPTIONS=y
@@ -489,8 +490,10 @@ CONFIG_PCIEXP_HOTPLUG=y
 CONFIG_INTEL_DESCRIPTOR_MODE_REQUIRED=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_SMBUS=y
 CONFIG_SOUTHBRIDGE_INTEL_COMMON_PIRQ_ACPI_GEN=y
+CONFIG_HAVE_INTEL_CHIPSET_LOCKDOWN=y
 CONFIG_INTEL_DESCRIPTOR_MODE_CAPABLE=y
 # CONFIG_VALIDATE_INTEL_DESCRIPTOR is not set
+# CONFIG_INTEL_CHIPSET_LOCKDOWN is not set
 CONFIG_FIXED_RCBA_MMIO_BASE=0xfed1c000
 CONFIG_RCBA_LENGTH=0x4000
 
@@ -617,6 +620,7 @@ CONFIG_MRC_SETTINGS_PROTECT=y
 CONFIG_SPI_FLASH=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP=y
 CONFIG_BOOT_DEVICE_SPI_FLASH_RW_NOMMAP_EARLY=y
+CONFIG_SPI_FLASH_SMM=y
 # CONFIG_SPI_FLASH_NO_FAST_READ is not set
 CONFIG_TPM_INIT_RAMSTAGE=y
 # CONFIG_TPM_PPI is not set
@@ -729,9 +733,11 @@ CONFIG_INTEL_TXT_LIB=y
 # CONFIG_INTEL_TXT is not set
 # CONFIG_STM is not set
 # CONFIG_INTEL_CBNT_SUPPORT is not set
-CONFIG_BOOTMEDIA_LOCK_NONE=y
-# CONFIG_BOOTMEDIA_LOCK_CONTROLLER is not set
+# CONFIG_BOOTMEDIA_LOCK_NONE is not set
+CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y
 # CONFIG_BOOTMEDIA_LOCK_CHIP is not set
+CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y
+# CONFIG_BOOTMEDIA_LOCK_WHOLE_NO_ACCESS is not set
 # CONFIG_BOOTMEDIA_SMM_BWP is not set
 # end of Security