On 02/16/2019 07:31 AM, Frank Beuth wrote:
On Thu, Feb 14, 2019 at 12:21:36PM -0500, Matt B wrote:
For Coreboot afaik the only two methods available are to flash with a programmer or to flash internally from Linux with iomem=relaxed.
On another mailing list, someone commented "I would never use Coreboot, because it would let malware flash your bios from within Linux." (paraphrased)
Those people are silly then, since a proprietary BIOS doesn't prevent that either. They also think that if something isn't absolutely perfect that one should not bother, which is absurd.
The ones that prompt for BIOS passwords or w/e are just doing it to be polite; they have no software-enforced firmware update signing mechanisms - now of course ones that do enforce it (but via hardware) always include external flashes too, making them not owner controlled and thus evil.
I'm reasonably sure that this is not true and security-conscious users can disable internal flashing, but I haven't been able to find any mention of such a setting in the documentation.
Isn't it possible to set the flash chip write lock bit on the flash chip so things can't be flashed internally, the same way Intel blocks one from re-writing the ME region internally?