On Sun, Feb 17, 2019 at 10:02:42AM +0100, Nico Huber wrote:
What, why? Did you just say "SeaBIOS" because I said "sometimes ... payload"?
SeaBIOS is a very generic payload, trying not to be board specific. And I just said it depends on the hardware. Also, all generic, one-fits-all-scenarios solutions for flash locking that I've heard about failed (exploits, exploits, exploits).
SeaBIOS being the most commonly used one, and you seemed to imply locking should/must be done by the payload.
It sounds like you are saying the locking which one is used to with proprietary/manufacturers' firmwares, the locking which often requires a hardware programmer, is possible because those firmwares are board specific. And therefore not really possible for an open source firmware like Coreboot+$PAYLOAD.
Before you ask somebody to implement a lock, you should ask yourself why.
The "why" here is "so that Coreboot is at least as secure as the original firmware in this respect."