Patch Set 1: Code-Review-1

I think the concepts clashing here are too different
to be easily aligned: One idea is to write-protect
the whole flash *after* coreboot is done. The other
is the vboot idea of a readonly, trusted partition.
The latter has to be read-only *before* we jump to
an untrusted RW partition.

So while these two concepts can share the underlying
infrastructure to commit the write protection, IMO,
their setup and hookup should stay independent.

As vboot verifies the RW partitions, it's trusted code. Locking in ramstage is thus OK following your argumentation. Shouldn't that be +1 then?

View Change

To view, visit change 32705. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I72c3e1a0720514b9b85b0433944ab5fb7109b2a2
Gerrit-Change-Number: 32705
Gerrit-PatchSet: 1
Gerrit-Owner: Patrick Rudolph <patrick.rudolph@9elements.com>
Gerrit-Reviewer: Nico Huber <nico.h@gmx.de>
Gerrit-Reviewer: Patrick Georgi <pgeorgi@google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Patrick Rudolph <siro@das-labor.org>
Gerrit-CC: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Comment-Date: Sat, 11 May 2019 16:31:12 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
Gerrit-MessageType: comment