It seems that flashrom is able to flash the BIOS chip internally. This is frightening. This means that malware, anything that gets sudo rights, or anyone who gets physical access to the computer is able to rewrite the flash.

Don't say "if there is physical access to your computer, it's game over"; this is now true. I have a way to tamper-detect whether the case was opened.

My question is: how can I make it so that coreboot can only be flashed and updated using the external SOIC clip on the BIOS chip, without having to worry about permanently locking it down? I want to be able to reflash coreboot and SeaBIOS, but only using an external flasher when needed. I want to block internal flashing.

How can this be done? I have not found any documentation anywhere on how to do this. The laptop is an X220.

Thank you


Sent with ProtonMail Secure Email.
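The following is an added example, not part of the post above and not code from the coreboot or flashrom projects. It decodes the registers that decide whether the host can write the SPI flash on an Intel 6-series PCH (the chipset the X220 uses): BIOS_CNTL at LPC config offset 0xDC (read on Linux with `setpci -s 00:1f.0 0xdc.b`), and the HSFS and PR0..PR4 registers in the SPI BAR, which flashrom also reports when it is run with `-p internal`. Only a Protected Range that covers the whole BIOS region and is locked by FLOCKDN is treated as blocking internal writes, because the BIOS_CNTL.BLE bit only works if an SMI handler clears BIOSWE again. The register values at the bottom are constructed sample values, not readings from a real machine; the BIOS region offsets are likewise an assumption for illustration.

```python
# Decode Intel 6-series PCH (Cougar Point, as on the X220) SPI write-protection
# registers and judge whether "flashrom -p internal" could still write the BIOS
# region. Layouts follow the Intel 6 Series PCH datasheet: BIOS_CNTL at LPC
# config 0xDC, HSFS at SPIBAR+0x04, PR0..PR4 at SPIBAR+0x74..0x84.
# All sample values below are constructed for this example.

BIOSWE = 1 << 0    # BIOS Write Enable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only while in SMM
FLOCKDN = 1 << 15  # HSFS: PR/FRAP registers locked until the next reset
PAGE = 0x1000      # PR base/limit fields are in 4 KiB units


def decode_bios_cntl(value):
    """Split BIOS_CNTL into its three protection-relevant bits."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Decode a Protected Range register into byte addresses and flags."""
    base = (value & 0x1FFF) * PAGE
    limit = ((value >> 16) & 0x1FFF) * PAGE + (PAGE - 1)
    return {
        "base": base,
        "limit": limit,
        "write_protected": bool(value & (1 << 31)),
        "read_protected": bool(value & (1 << 15)),
    }


def encode_pr(base, limit, write_protect=True, read_protect=False):
    """Inverse of decode_pr: the value to program for a range [base, limit]."""
    if base % PAGE or (limit + 1) % PAGE or base > limit or limit >= 1 << 25:
        raise ValueError("PR ranges are 4 KiB aligned and below 32 MiB")
    value = (base // PAGE) | ((limit // PAGE) << 16)
    if write_protect:
        value |= 1 << 31
    if read_protect:
        value |= 1 << 15
    return value


def _covered(ranges, start, end):
    """True if [start, end] lies entirely inside the union of (base, limit)."""
    pos = start
    for base, limit in sorted(ranges):
        if base > pos:          # gap before this range: region not covered
            break
        pos = max(pos, limit + 1)
        if pos > end:
            return True
    return pos > end


def assess(bios_cntl, hsfs, prs, region):
    """Return (internal_write_blocked, notes) for a flash region (start, end)."""
    notes = []
    bc = decode_bios_cntl(bios_cntl)
    if bc["BIOSWE"]:
        notes.append("BIOS_CNTL: BIOSWE set, host writes allowed by BIOS_CNTL")
    elif bc["BLE"]:
        notes.append("BIOS_CNTL: BLE set, effective only if an SMI handler clears BIOSWE")
    if bc["SMM_BWP"]:
        notes.append("BIOS_CNTL: SMM_BWP set, BIOS region writable only from SMM")

    wp_ranges = []
    for i, raw in enumerate(prs):
        pr = decode_pr(raw)
        if pr["write_protected"]:
            wp_ranges.append((pr["base"], pr["limit"]))
            notes.append("PR%d write-protects 0x%06x-0x%06x" % (i, pr["base"], pr["limit"]))
    covered = _covered(wp_ranges, *region)
    locked = bool(hsfs & FLOCKDN)
    if covered and not locked:
        notes.append("FLOCKDN clear: software can clear the PRs before flashing")
    if not covered:
        notes.append("region 0x%06x-0x%06x not fully write-protected" % region)
    return covered and locked, notes


# Constructed sample: 8 MiB chip, BIOS region assumed at 0x500000..0x7fffff,
# PR0 covering it, FLOCKDN|FDV|FDOPSS set, BIOS_CNTL = BLE|SMM_BWP.
SAMPLE = {
    "bios_cntl": 0x22,
    "hsfs": 0xE000,
    "prs": [0x87FF0500, 0, 0, 0, 0],
    "region": (0x500000, 0x7FFFFF),
}

if __name__ == "__main__":
    blocked, notes = assess(**SAMPLE)
    print("internal write blocked until reset:", blocked)
    for n in notes:
        print(" -", n)
```

Because FLOCKDN-locked PRs are only cleared by a platform reset, a firmware that programs them on every boot (coreboot offers this as a build option for this family of chipsets) blocks `flashrom -p internal` for the running system while leaving an external SOIC clip flasher, which bypasses the PCH entirely, unaffected. Run the decoder on values from your own machine to confirm the region you care about is actually covered, since a PR that stops short of the region end leaves the remainder writable.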