To make a real write protection on your spi flash you may go two ways after setting region protection and configuration bits in your flash
1) Write a SMM handler, that will prevent software to set high level on SPI #WP/WE pin (that can be done it it connected to chipset) absolute chipset-specific, also possibly this will be a mainboard specific task.
Or
2) After flashing coreboot with setted up protection bits you can disconnect #WP/WE pin from mainboard and hardwire it to ground.
Second way is a bit simple, but you may lost hibernation/S3 on amd and lost memory training data on intel FSP based boards.
The final decision is yours.
сб, 16 февр. 2019 г., 15:31 Frank Beuth seclists@boxdan.com:
On Thu, Feb 14, 2019 at 12:21:36PM -0500, Matt B wrote:
For Coreboot afaik the only two methods available are to flash with a programmer or to flash internally from linux with iomem=relaxed.
On another mailing list, someone commented "I would never use Coreboot, because it would let malware flash your bios from within Linux." (paraphrased)
I'm reasonably sure that this is not true and security-conscious users can disable internal flashing, but I haven't been able to find any mention of such a setting in the documentation.
How can users disable internal flashing? _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-leave@coreboot.org