IIRC X220 uses Sandy Bridge. I think there is a flag somewhere in the descriptor where you can lock down your BIOS-region as read-only for the x86 host. I never have tried it but in theory this should lead to errors on every write attempt to the BIOS region therefore disabling write access to the flash from OS/flashrom.
Werner
-----Ursprüngliche Nachricht----- Von: Nico Huber nico.h@gmx.de Gesendet: Montag, 15. Juli 2019 00:18 An: Public Email Account publicthrowawayemail@protonmail.com; coreboot@coreboot.org Betreff: [coreboot] Re: Question how to write protect flash
Hi,
for the X220, there should be related options in the "Chipset" menu of the coreboot configuration:
"Lock down chipset in coreboot" "Flash locking during chipset lockdown"
On 14.07.19 23:21, Public Email Account via coreboot wrote:
It seems that flashrom is able to flash the bios chip internally. This is frightening. This means that malware or anything that gets sudo rights or anyone who gets physical access to computer is able to rewrite the flash.
If this is bad depends on how you deal with your flash chip contents. It seems, you already know that "malware or anything that gets sudo rights" can overwrite the data on your harddrive (e.g. your trusted OS). Your harddrive is usually not write protected either.
So if you scrub your harddrive after you suspect a malware infection, you can also scrub a flash chip in the same case. That firmware needs a different level of protection, is what a proprietary firmware vendor would tell you. Because you have no means at all to trust the firmware and restore it. With open-source firmware, however, you have the free- dom to treat things differently.
Nico _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org