Paul Menzel has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection
Patch Set 8:
(7 comments)
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 2: config SECURITY_BOOTMEDIA_LOCKDOWN
removed
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 6: support
removed
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 30: NO_ACCESS
it's not read-writeable
Ack
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/Kconf... PS3, Line 36: The locking will take place during the chipset lockdown, which is
I don't understand
```
Select this if you want to protect the firmware boot media against all further accesses. On platforms that memory map a part of the boot media the corresponding region is still readable.
The locking will take place during the chipset lockdown, which is
```
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/bootm... File src/security/lockdown/bootmedia.c:
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/bootm... PS3, Line 40: "whole bootmedia\n");
removed the loop
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/bootm... PS3, Line 49: }
Unified the error handling
Done
https://review.coreboot.org/c/coreboot/+/32704/3/src/security/lockdown/bootm... PS3, Line 53: Didn't
Isn't printed any more if no bootmedia protection is selected
Done