Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection ......................................................................
Patch Set 1: Code-Review-1
(4 comments)
We need documentation about the platform lockdown mechanism used (PRR?)
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig File src/security/lockdown/Kconfig:
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@13 PS1, Line 13: default BOOTMEDIA_LOCK_NONE vboot isn't covered correctly
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@22 PS1, Line 22: media. The locking will take place during the chipset lockdown, which too imprecise
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@35 PS1, Line 35: boot media the corresponding region is still readable. too imprecise
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/bootmedia.c File src/security/lockdown/bootmedia.c:
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/bootmedia.c@57 PS1, Line 57: BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, security_lockdown_bootmedia, Can we move this into the core root of trust vboot_logic.c if vboot is enabled?