Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32705 )
Change subject: security/lockdown: Write-protect WP_RO
Patch Set 1:
I think the concepts clashing here are too different to be easily aligned: One idea is to write-protect the whole flash *after* coreboot is done. The other is the vboot idea of a readonly, trusted partition. The latter has to be read-only *before* we jump to an untrusted RW partition.
So while these two concepts can share the underlying infrastructure to commit the write protection, IMO, their setup and hookup should stay independent.
As vboot verifies the RW partitions, it's trusted code. Locking in ramstage is thus OK following your argumentation. Shouldn't that be +1 then?
Um, no. Nothing is trusted that isn't in RO, afaiui. Consider this scenario: You issue an update that contains an exploitable bug in some parser for disk contents. Then, if not write-protected early, your root of trust could be compromised. Recovery mode and further updates won't help.