Attention is currently required from: Felix Singer, Patrick Rudolph. Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/56343 )
Change subject: security/lockdown: Allow to lock the controller's full address space ......................................................................
Patch Set 1:
(1 comment)
Patchset:
PS1: Sorry, I don't really understand what this does. Doesn't BOOTMEDIA_LOCK_WHOLE_RO already do this (when BOOTMEDIA_LOCK_WPRO_VBOOT_RO is not set)? It makes the whole flash read-only. Is there any difference between that and the "full address space"? (There is nothing in the flash controller's address space other than the flash itself, right?)
Or are you just trying to implement this as a form of simplifying precaution or something? Is there a specific reason for that? I think in general, if we implement a system that can protect specific flash regions (including the "whole flash" region), we should write it in a way that we can trust it to work, and shouldn't need to have an extra "same thing but extra secure" option (the option we already had should already be secure, if it isn't we need to fix that). Or, in other words: in general we should try not to have two separate ways of doing the same thing.
Anyway, if I correctly understood what this does, then pulling it into boot_device_wp_region() sounds like the really wrong way to go. wp_region is specifically meant to protect *a region*, and if you want it to protect everything we should model that by giving it the "everything" region (as the existing code does). We shouldn't do it with a separate protection type.
If you really want a hack where fast_spi_flash_protect() forces `start` and `end` to 0 and ~0, then I'd put that directly into fast_spi_flash_protect() (checking CONFIG(BOOTMEDIA_LOCK_WHOLE_RO && !CONFIG(BOOTMEDIA_LOCK_WPRO_VBOOT_RO)). But like I said above I think that would be a hack and we really shouldn't need that -- the existing system should already reliably lock everything that can be locked.