Patrick Rudolph has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection
Patch Set 1:
(4 comments)
Patch Set 1: Code-Review-1
(4 comments)
We need documentation about the platform lockdown mechanism used (PRR?)
Agree, I'll add documentation.
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig File src/security/lockdown/Kconfig:
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@13 PS1, Line 13: default BOOTMEDIA_LOCK_NONE
vboot isn't covered correctly
It's not covered at all
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@22 PS1, Line 22: media. The locking will take place during the chipset lockdown, which
too imprecise
How to be more precise? This is platform specific?
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/Kconfig@35 PS1, Line 35: boot media the corresponding region is still readable.
too imprecise
It's platform specific, but I don't see how to be more precise
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/bootmedia.c File src/security/lockdown/bootmedia.c:
https://review.coreboot.org/#/c/32704/1/src/security/lockdown/bootmedia.c@57 PS1, Line 57: BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, security_lockdown_bootmedia,
Can we move this into the core root of trust vboot_logic. […]
No. It's unrelated to vboot.