Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32704 )
Change subject: security: Add common boot media write protection ......................................................................
Patch Set 4:
(1 comment)
https://review.coreboot.org/c/coreboot/+/32704/4/src/security/lockdown/Kconf... File src/security/lockdown/Kconfig:
https://review.coreboot.org/c/coreboot/+/32704/4/src/security/lockdown/Kconf... PS4, Line 2: config SECURITY_BOOTMEDIA_LOCKDOWN What's the point of this option? boot_device_wp_region() is already available everywhere (because there's a default weak implementation). So I'd either just always run this code (accepting that it doesn't do anything on some platforms... maybe add another print to the weak stub for boot_device_wp_region() for that), or rearrange all of that so that this option is directly tied to the availability of that function. The way you have it here is too disconnected.
(Also, there's really no reason the implementation of boot_device_wp_region() is in boot_device_rw_nommap.c right now. It should work just as well on systems with COMMON_CBFS_SPI_WRAPPER. In fact, there's a bunch of unnecessary duplication between boot_device_rw_nommap.c and cbfs_spi.c that should probably be cleaned up.)