[coreboot-gerrit] Change in coreboot[master]: security: Add common boot media write protection

4 Mar 2020


      Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection
......................................................................
Patch Set 5:
(5 comments)
https://review.coreboot.org/c/coreboot/+/32704/5/src/drivers/spi/Kconfig 
File src/drivers/spi/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/5/src/drivers/spi/Kconfig@64 
PS5, Line 64: config SPI_FLASH_CTRL_PROTECT
Technically coreboot supports multiple SPI flashes on multiple SPI controllers, so you can't really generalize over all of them. I'm not sure you need this... you already have runtime checks to make sure you print an error and continue gracefully if this is not supported, I think that should be good enough.
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... 
File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... 
PS5, Line 2: config SECURITY_BOOTMEDIA_LOCKDOWN
Again, I'm not really sure what this option is for, I would just display the 'choice' menu below directly. If the selected choice is NONE, you can skip compiling lockdown/bootmedia.c.
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/Kconf... 
PS5, Line 19: config BOOTMEDIA_LOCK_RO
It feels a bit odd that you force both media and controller lockdown into a single option. Do you even need the case where both are tried on any platform? Why not just offer BOOTMEDIA_LOCK_NONE, BOOTMEDIA_LOCK_CHIP_RO, BOOTMEDIA_LOCK_CONTROLLER_RO and BOOTMEDIA_LOCK_CONTROLLER_NO_ACCESS? Or if you do have a platform where you really need to have it try both ways, you could take all of those and add another BOOTMEDIA_LOCK_BOTH_RO. With every platform having its own constraints here I think having that extra granularity would be helpful.
(In order to not blow it up to too many options, I would make a separate 'choice' for the VBOOT_RO in the next patch, which is only shown when a version with chip locking is selected.)
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/bootm... 
File src/security/lockdown/bootmedia.c:
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/bootm... 
PS5, Line 26:   
nit: one space too many?
https://review.coreboot.org/c/coreboot/+/32704/5/src/security/lockdown/bootm... 
PS5, Line 35: #%zu
nit: can we use meaningful strings here?
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/32704
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Iceb3ecf0bde5cec562bc62d1d5c79da35305d183
Gerrit-Change-Number: 32704
Gerrit-PatchSet: 5
Gerrit-Owner: Patrick Rudolph patrick.rudolph@9elements.com
Gerrit-Reviewer: Arthur Heymans arthur@aheymans.xyz
Gerrit-Reviewer: Christian Walter christian.walter@9elements.com
Gerrit-Reviewer: Frans Hendriks fhendriks@eltan.com
Gerrit-Reviewer: Martin Roth martinroth@google.com
Gerrit-Reviewer: Nico Huber nico.h@gmx.de
Gerrit-Reviewer: Patrick Georgi pgeorgi@google.com
Gerrit-Reviewer: Patrick Rudolph patrick.rudolph@9elements.com
Gerrit-Reviewer: Patrick Rudolph siro@das-labor.org
Gerrit-Reviewer: Philipp Deppenwiese zaolin.daisuki@gmail.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Aaron Durbin adurbin@chromium.org
Gerrit-CC: Julius Werner jwerner@chromium.org
Gerrit-CC: Michael Niewöhner
Gerrit-CC: Paul Menzel paulepanter@users.sourceforge.net
Gerrit-Comment-Date: Wed, 04 Mar 2020 00:34:29 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: security: Add common boot media write protection