Attention is currently required from: Nico Huber, Patrick Rudolph, Angel Pons. Benjamin Doron has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/40830 )
Change subject: security/intel: Add option to enable SMM flash access only ......................................................................
Patch Set 6:
InSMM.STS does not exist on older plaforms.
That's right, and it's known that those platforms can't be SMM protected.
Moreover, InSMM.STS needs special handling when using SMMSTORE, and the point of these patches is to protect the flash chip while allowsing SMMSTORE to work (otherwise I would've simply used protected ranges).
Is that the case? My understanding is that handling is required for WPD as well. To allow writes (on newer platforms), SPI_BC WPD is set and InSMM.Sts is set in MSR 0x1fe.
I know what you are up to. It just seems to me that all the WPD related patches are effectively about a no-op.
Once I have InSMM.STS working, I can enable it by default where supported when one chooses to write-protect the flash through SMM.
I tried to get it working at CB:50724, but regular SPI write protection wasn't working. I haven't yet tested an update based on CB:50754, but you can try the InSMM.Sts handling there.
Again, on older platforms it's not really write-protected without InSMM.STS. So you would just leave a Kconfig there that only pretends to protect?
Well, we could also just call it "protection against accidental writes".