Thank you. I'll check this. But if there are two options, which one should i select? Are these both options different?
And I am aware that malware can infect my OS. I am just worried more about persistence of malware on bios, why I want to write protect.
And would these two options while blocking internal flashing, still allow me to externally flash?
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, July 14, 2019 5:17 PM, Nico Huber nico.h@gmx.de wrote:
Hi,
for the X220, there should be related options in the "Chipset" menu of the coreboot configuration:
"Lock down chipset in coreboot" "Flash locking during chipset lockdown"
On 14.07.19 23:21, Public Email Account via coreboot wrote:
It seems that flashrom is able to flash the bios chip internally. This is frightening. This means that malware or anything that gets sudo rights or anyone who gets physical access to computer is able to rewrite the flash.
If this is bad depends on how you deal with your flash chip contents. It seems, you already know that "malware or anything that gets sudo rights" can overwrite the data on your harddrive (e.g. your trusted OS). Your harddrive is usually not write protected either.
So if you scrub your harddrive after you suspect a malware infection, you can also scrub a flash chip in the same case. That firmware needs a different level of protection, is what a proprietary firmware vendor would tell you. Because you have no means at all to trust the firmware and restore it. With open-source firmware, however, you have the free- dom to treat things differently.
Nico