Daniel Gröber (dxld) has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41747 )
Change subject: lockdown: Add Kconfigs for SPI media protection mode
Patch Set 5:
(1 comment)
https://review.coreboot.org/c/coreboot/+/41747/5/src/drivers/spi/boot_device... File src/drivers/spi/boot_device_rw_nommap.c:
https://review.coreboot.org/c/coreboot/+/41747/5/src/drivers/spi/boot_device... PS5, Line 105:
	else if (CONFIG(BOOTMEDIA_SPI_LOCK_PERMANENT))
		lock = SPI_WRITE_PROTECTION_PERMANENT;
Is this something the firmware (as opposed to the OS, ensuring the system actually boots) should eve […]
I really only added it since the `SPI_WRITE_PROTECTION_PERMANENT` flag already existed, so I figured why not add them all as options.
IMO it wouldn't be entirely unreasonable to want the firmware to lock itself on first boot. I don't think the OS should be involved in that, honestly. If you really want that level of "security", why not trigger it right in the firmware? Though you could always unsolder the SPI chip, so what additional level of security this actually buys over just _PIN is questionable, but why not give users the option?
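To make the _PIN versus _PERMANENT distinction discussed above concrete, here is an added, stand-alone C example; it is not code from this change or from coreboot's SPI flash driver. It models the status-register protect bits (SRP1:SRP0) as documented for Winbond W25Q-family SPI NOR parts, which is an assumption taken from that datasheet family rather than from this page: 00 is software protected, 01 is hardware protected via the /WP pin (reversible by driving /WP high), 10 is power-supply lock-down, and 11 is one-time program, i.e. permanent. The mode names, the `confirm_irreversible` guard and the error codes are illustrative choices of this example, not coreboot identifiers. It goes slightly beyond the two modes named in the comment by covering all four SRP encodings.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed layout (Winbond W25Q-style parts): SRP0 is bit 7 of status
 * register 1, SRP1 is bit 0 of status register 2. Other vendors differ. */
#define SR1_SRP0 (1u << 7)
#define SR2_SRP1 (1u << 0)

/* Illustrative mode names for this example; not coreboot's enum. */
enum wp_mode {
	WP_NONE,        /* SRP1:SRP0 = 00, only WEL gates register writes     */
	WP_PIN,         /* SRP1:SRP0 = 01, register locked while /WP is low  */
	WP_POWER_CYCLE, /* SRP1:SRP0 = 10, locked until next power-down/up   */
	WP_PERMANENT,   /* SRP1:SRP0 = 11, one-time program, never clearable */
};

struct sr_pair {
	uint8_t sr1;
	uint8_t sr2;
};

/* Decode the protection mode currently encoded in the two status registers. */
enum wp_mode wp_mode_from_sr(struct sr_pair sr)
{
	bool srp0 = (sr.sr1 & SR1_SRP0) != 0;
	bool srp1 = (sr.sr2 & SR2_SRP1) != 0;

	if (srp1 && srp0)
		return WP_PERMANENT;
	if (srp1)
		return WP_POWER_CYCLE;
	if (srp0)
		return WP_PIN;
	return WP_NONE;
}

/* True if the mode can be undone from software under the right conditions
 * (/WP driven high for WP_PIN, a power cycle for WP_POWER_CYCLE). */
bool wp_mode_reversible(enum wp_mode m)
{
	return m != WP_PERMANENT;
}

/* Compute the status register values that select @want, starting from @cur.
 * Returns 0 on success and fills *out,
 *        -1 if the part is already OTP-locked and @want differs (no register
 *           write can ever change it again),
 *        -2 if WP_PERMANENT is requested without the explicit confirmation
 *           flag, since the operation cannot be reverted. */
int wp_apply(struct sr_pair cur, enum wp_mode want, bool confirm_irreversible,
	     struct sr_pair *out)
{
	if (wp_mode_from_sr(cur) == WP_PERMANENT) {
		*out = cur;
		return want == WP_PERMANENT ? 0 : -1;
	}
	if (want == WP_PERMANENT && !confirm_irreversible)
		return -2;

	struct sr_pair n = cur;
	n.sr1 &= (uint8_t)~SR1_SRP0;
	n.sr2 &= (uint8_t)~SR2_SRP1;
	switch (want) {
	case WP_NONE:
		break;
	case WP_PIN:
		n.sr1 |= SR1_SRP0;
		break;
	case WP_POWER_CYCLE:
		n.sr2 |= SR2_SRP1;
		break;
	case WP_PERMANENT:
		n.sr1 |= SR1_SRP0;
		n.sr2 |= SR2_SRP1;
		break;
	}
	*out = n;
	return 0;
}

int main(void)
{
	struct sr_pair sr = { 0, 0 }, next;

	/* Reversible lock first, then the irreversible one, then a failed undo. */
	wp_apply(sr, WP_PIN, false, &next);
	printf("PIN:       sr1=0x%02x sr2=0x%02x reversible=%d\n", next.sr1,
	       next.sr2, wp_mode_reversible(wp_mode_from_sr(next)));
	wp_apply(next, WP_PERMANENT, true, &next);
	printf("PERMANENT: sr1=0x%02x sr2=0x%02x reversible=%d\n", next.sr1,
	       next.sr2, wp_mode_reversible(wp_mode_from_sr(next)));
	printf("undo after PERMANENT -> %d\n", wp_apply(next, WP_NONE, true, &next));
	return 0;
}
```

The example shows what _PERMANENT adds over _PIN in register terms: with SRP1:SRP0 = 01 the lock can still be released by whoever controls the /WP pin (for instance a board where the pin is strapped through a jumper), whereas 11 is OTP and no later register write, from firmware or OS, can clear it. Neither encoding does anything against the physical replacement the comment mentions, which is why a driver offering the permanent mode should at least refuse it without an explicit, deliberate confirmation.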