I think the concepts clashing here are too different
to be easily aligned: One idea is to write-protect
the whole flash *after* coreboot is done. The other
is the vboot idea of a readonly, trusted partition.
The latter has to be read-only *before* we jump to
an untrusted RW partition.

So while these two concepts can share the underlying
infrastructure to commit the write protection, IMO,
their setup and hookup should stay independent.

As vboot verifies the RW partitions, it's trusted code. Locking in ramstage is thus OK following your argumentation. Shouldn't that be +1 then?

Um, no. Nothing is trusted that isn't in RO, afaiui.
Consider this scenario: You issue an update that contains
an exploitable bug in some parser for disk contents.
Then, if not write-protected early, your root of trust
could be compromised. Recovery mode and further updates
won't help.


Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Gerrit-Change-Number: 32705
Gerrit-PatchSet: 1
Gerrit-Owner: Patrick Rudolph <patrick.rudolph@9elements.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Patrick Rudolph <siro@das-labor.org>
Gerrit-CC: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Comment-Date: Sat, 11 May 2019 16:43:43 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
Gerrit-MessageType: comment