[coreboot-gerrit] Change in coreboot[master]: security/lockdown: Write-protect WP_RO

Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32705 )

Change subject: security/lockdown: Write-protect WP_RO ......................................................................

Patch Set 12: Code-Review+2

In cases where vboot isn't used, could this be extended later to only cover the COREBOOT region (decision in config), or is there a reason why this wouldn't work?

I would stick to the name WP_RO since COREBOOT doesn't always contain all the code. For example, on non-x86 devices the bootblock is usually stored in a separate BOOTBLOCK section. But if there's desire for it we could update the util/cbfstool/default.fmd and .../default-x86.fmd maps to include a WP_RO wrapper for the relevant sections (COREBOOT, BOOTBLOCK and FMAP, I'd say) and then we can make it available without CONFIG_VBOOT. (One issue with this is that if you want to use chip-based lockdown, the WP_RO vs. rest split must be on a power-of-two boundary. I guess this patch only implements controller-based lockdown so it's not relevant there, but it might become so if it were expanded later.)