Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32705 )
Change subject: security/lockdown: Write-protect WP_RO
......................................................................
Patch Set 10:
(3 comments)
https://review.coreboot.org/c/coreboot/+/32705/10/src/security/lockdown/Kcon...
File src/security/lockdown/Kconfig:

https://review.coreboot.org/c/coreboot/+/32705/10/src/security/lockdown/Kcon...
PS10, Line 6: default BOOTMEDIA_LOCK_CONTROLLER_RO_VBOOT_RO if VBOOT && !CHROMEOS
Since controller locks are not supported on all platforms, I don't think we want to set a default here. I think this decision is too complicated and too dependent on the specific board layout to really make a general recommendation for everyone, so I'd leave it at NONE.

https://review.coreboot.org/c/coreboot/+/32705/10/src/security/lockdown/Kcon...
PS10, Line 56: write the regions
             : FW_MAIN_A/FW_MAIN_B, which are not write-protected using the internal
             : controller.
nit: well, technically you may write everything that's outside WP_RO, which usually also contains some common shared data outside of the RW A/B sections.
https://review.coreboot.org/c/coreboot/+/32705/10/src/security/lockdown/Make...
File src/security/lockdown/Makefile.inc:

https://review.coreboot.org/c/coreboot/+/32705/10/src/security/lockdown/Make...
PS10, Line 12: bootblock-$(VBOOT_STARTS_IN_BOOTBLOCK) += lockdown.c
You should not need this. We already merge verstage-srcs into the appropriate stage when SEPARATE_VERSTAGE=n. You should only need

    verstage-$(CONFIG_BOOTMEDIA_LOCK_IN_VERSTAGE) += lockdown.c