Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection
Patch Set 12:
(12 comments)
https://review.coreboot.org/c/coreboot/+/32704/5/src/drivers/spi/Kconfig File src/drivers/spi/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/5/src/drivers/spi/Kconfig@64 PS5, Line 64: config SPI_FLASH_CTRL_PROTECT
removed
Done
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/Kconf... PS1, Line 13: default BOOTMEDIA_LOCK_NONE
It's not covered at all
Done
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/Kconf... PS1, Line 22: media. The locking will take place during the chipset lockdown, which
How to be more precise? This is platform specific?
No reply within a year, marking as resolved
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/Kconf... PS1, Line 35: boot media the corresponding region is still readable.
It's platform specific, but I don't see how to be more precise
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 18: LOCK_RO
Done
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 22: media
Done
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 26: NOTE: If you trigger the chipset lockdown unconditionally,
Done
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 30: LOCK_NO_ACCESS
Done
Done
https://review.coreboot.org/c/coreboot/+/32704/4/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/4/src/security/lockdown/Kconf... PS4, Line 2: config SECURITY_BOOTMEDIA_LOCKDOWN
removed
Done
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... PS5, Line 2: config SECURITY_BOOTMEDIA_LOCKDOWN
removed
Done
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... PS5, Line 19: config BOOTMEDIA_LOCK_RO
Done
Done
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/bootm... File src/security/lockdown/bootmedia.c:
https://review.coreboot.org/c/coreboot/+/32704/1/src/security/lockdown/bootm... PS1, Line 57: BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, security_lockdown_bootmedia,
No. It's unrelated to vboot.
Done