You have to do it with the descriptor.
Have a look at the corresponding "SPI Programming Guide" (e.g. http://www.corus.pro/pilotes/CorusX/X37/XP/ME/SPI%20Programming%20Guide.pdf). Here you can find how the sections are defined and how the section access is configurable. You can find details in chapter 4.1.4 where access to your BIOS region should be controlled in register "FLMSTR1—Flash Master 1 (Host CPU/ BIOS)". And as the descriptor has no data integrity checksum, you can just change the needed bits and give it a try.
But make sure you still have a way to flash your device with the external programmer to have a way to recover.
I hope this helps. Werner
-----Original Message-----
From: Public Email Account publicthrowawayemail@protonmail.com
Sent: Monday, 15 July 2019 18:19
To: Zeh, Werner (DI MC MTS R&D HW 1) werner.zeh@siemens.com
Cc: coreboot@coreboot.org
Subject: Re: AW: [coreboot] Re: Question how to write protect flash
Yes, it's Sandy Bridge. What is the proper way to do this, though? On the flash descriptor (and if so, how?) or through a coreboot option?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, July 15, 2019 12:37 AM, werner.zeh@siemens.com werner.zeh@siemens.com wrote:
IIRC X220 uses Sandy Bridge. I think there is a flag somewhere in the descriptor where you can lock down your BIOS region as read-only for the x86 host. I have never tried it, but in theory this should lead to errors on every write attempt to the BIOS region, therefore disabling write access to the flash from OS/flashrom.
Werner
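
Added example, not part of the original e-mails and not coreboot or ifdtool code: a Python script that locates FLMSTR1 in a descriptor image, decodes the host's per-region access bits, and returns a copy with the host's BIOS-region write bit cleared. The bit positions (read access in bits 23:16, write access in bits 31:24, BIOS as region 1) are assumed from the version 1 descriptor layout and should be checked against chapter 4.1.4 of the guide; the sample image and all function names are constructed for illustration.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A          # "descriptor valid" signature
REGIONS = ["descriptor", "bios", "me", "gbe", "platform_data"]
RD_SHIFT, WR_SHIFT = 16, 24        # assumed descriptor v1 bit layout

def find_flmstr1(image: bytes) -> int:
    """Return the byte offset of FLMSTR1 inside a descriptor image."""
    for off in range(0, min(len(image), 4096) - 12, 4):
        if struct.unpack_from("<I", image, off)[0] == FD_SIGNATURE:
            flmap1 = struct.unpack_from("<I", image, off + 8)[0]
            fmba = (flmap1 & 0xFF) << 4      # FMBA field holds address bits 11:4
            if fmba + 4 > len(image):
                raise ValueError("FMBA points outside the image")
            return fmba                      # FLMSTR1 is the first dword at FMBA
    raise ValueError("no flash descriptor signature found")

def decode_access(flmstr1: int) -> dict:
    """Map each region name to (host_can_read, host_can_write)."""
    return {name: (bool(flmstr1 >> (RD_SHIFT + i) & 1),
                   bool(flmstr1 >> (WR_SHIFT + i) & 1))
            for i, name in enumerate(REGIONS)}

def lock_bios_write(image: bytes) -> bytes:
    """Return a copy with the host's BIOS-region write bit cleared."""
    off = find_flmstr1(image)
    value = struct.unpack_from("<I", image, off)[0]
    value &= ~(1 << (WR_SHIFT + REGIONS.index("bios"))) & 0xFFFFFFFF
    patched = bytearray(image)
    struct.pack_into("<I", patched, off, value)
    return bytes(patched)

def build_sample() -> bytes:
    """Constructed 4 KiB descriptor: signature at 0x10, FMBA = 0x60."""
    img = bytearray(b"\xff" * 4096)
    struct.pack_into("<III", img, 0x10, FD_SIGNATURE, 0x02040003, 0x12100206)
    struct.pack_into("<I", img, 0x60, 0xFFFF0000)   # host may read/write all regions
    return bytes(img)

if __name__ == "__main__":
    before = build_sample()
    after = lock_bios_write(before)
    for label, img in (("before", before), ("after", after)):
        v = struct.unpack_from("<I", img, find_flmstr1(img))[0]
        print(label, hex(v), "bios (read, write):", decode_access(v)["bios"])
```

Run it against a dump of the descriptor region read with the external programmer, and keep the unmodified dump so the original descriptor can be restored.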