Marshall Dawson has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/33396 )
Change subject: util/amdfwtool: Add argument for soft fuse override
Patch Set 2:
(2 comments)
https://review.coreboot.org/#/c/33396/1/util/amdfwtool/amdfwtool.c File util/amdfwtool/amdfwtool.c:
https://review.coreboot.org/#/c/33396/1/util/amdfwtool/amdfwtool.c@458 PS1, Line 458: pspdir->entries[count].addr = 1;
Done
Thanks for catching, BTW.
https://review.coreboot.org/#/c/33396/2/util/amdfwtool/amdfwtool.c File util/amdfwtool/amdfwtool.c:
https://review.coreboot.org/#/c/33396/2/util/amdfwtool/amdfwtool.c@83 PS2, Line 83: #define DEFAULT_SOFT_FUSE_CHAIN "0x1"
I have 54267 1.05 document under NDA. […]
I assume you recognized my plan was to leave all platforms' current settings alone but I'm going to be overriding it for Picasso.
I've thought b0=0 would be an improvement and surely some customers may prefer it. However, I'm not sure about its practical benefits. You know what the bit does, but if an attacker has physical access and the ability to rewrite flash, then they just change the bit and update the checksum. BTW, I'm implying what the requests for security features certain customers used to request while I was at AMD, and this wouldn't be sufficient.
I've also noted that AMD ships CRB images with b0=1 (there's probably nothing wrong with that, especially for what CRBs are intended for). But also, I just checked the BIOS on my main system and b0=1 there also. So, I just haven't worried about it.
By the way, I'm OK making the default 0 after a quick smoke test on stoney (and I'll infer CZ will behave the same). Have you run that way? I'm not sure how Mullins would behave with the minimal PSP implementation.