LGTM basically, just some documentation stuff left.
Patch set 8:Code-Review +2
4 comments:
File src/security/lockdown/Kconfig:
Patch Set #8, Line 17: (e.g. by the payload or the OS).
The help text should explain that this is only supported on certain controllers (e.g. Intel).
The locking will take place during the chipset lockdown, which
is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
or has to be triggered later (e.g. by the payload or the OS).
This is wrong for chip lockdown, isn't it? It happens immediately when the lockdown code runs.
Select this if you want to protect the firmware boot medium against
all further accesses. On platforms that memory map a part of the
boot medium the corresponding region is still readable.
nit: Just curious... why do we need this option at all? If it only really works on Intel controllers, those are all memory-mapped and the memory-mapping still works afterwards anyway... what's the point in enabling this over CONTROLLER_RO?
File src/security/lockdown/lockdown.c:
nit: why not spell out 'SPI controller'?
To view, visit change 32704. To unsubscribe, or for help writing mail filters, visit settings.