> On 16.02.19 16:08, Frank Beuth wrote:
>> On Sat, Feb 16, 2019 at 05:23:40PM +0300, Sergej Ivanov wrote:
>>> To make a real write protection on your spi flash you may go two ways after setting region protection and configuration bits in your flash
>> Where are the write protection bits for the flash set, in which menu / config file? That is my question.
What Sergej suggested would have to be done out of band and not by coreboot. You can configure your flash chip to protect itself, which is not how most firmware does it.
Generally, what locking options you have depend much on your hardware. Hence, there is no generic solution in coreboot. Plus, coreboot is more a firmware framework than a firmware. It can only "boot" programs from flash and not your OS from disk. So you need a coreboot "payload" to do the latter and sometimes it's up to that payload to do such locking.
So if somebody tells you that coreboot doesn't have an option to lock the flash chip, that might actually be true for their combination of coreboot + payload and hardware.
The only option in coreboot itself that I know is the LOCK_SPI_FLASH_RO Kconfig. It should be available for all boards that use one of the following Intel PCHs and a directly attached SPI flash:
  o Ibex Peak,
  o Cougar Point,
  o Panther Point,
  o Lynx Point,
  o Lynx Point-LP (integrated into a Haswell SoC).
This can easily be extended to support any newer Intel chipset.
Beside that, I know there are locking options in the FILO payload. And I suspect HEADS to do something about it, too. Google uses the block protection of the flash chip on their ChromeBooks/Boxes. They have the WP pin controllable with a screw/switch/security chip. So if you got one of these, it would be wise to make use of that.
Nico
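Added example (not code from the thread, from Nico, or from coreboot): the question of whether LOCK_SPI_FLASH_RO actually took effect on one of the PCHs listed above can be answered by decoding the chipset's SPI registers rather than trusting a Kconfig symbol. The register layout assumed here is the one the Intel 5/6/7/8 Series PCH datasheets document for the SPIBAR region: HSFS bit 15 is FLOCKDN (flash configuration lock-down) and each Protected Range register PR0..PR4 carries a write-protect enable in bit 31, a 4 KiB-granular limit in bits 28:16 and a base in bits 12:0. The function names, the helper, and the sample register values are constructed for this example; verify the offsets against your own chipset's datasheet before relying on the result.

```python
"""Decode Intel PCH SPI write-protection state from raw register values.

Assumed layout (Ibex Peak .. Lynx Point, SPIBAR = RCBA + 0x3800):
  HSFS  @ SPIBAR+0x04, bit 15 = FLOCKDN
  PR0-4 @ SPIBAR+0x74.., bit 31 = WPE, 28:16 = limit (4 KiB units),
                          bit 15 = RPE, 12:0  = base  (4 KiB units)
Values below are constructed for the example, not read from hardware.
"""

FLOCKDN = 1 << 15   # HSFS: configuration registers locked until reset
PR_WPE = 1 << 31    # PRx: writes to the range are blocked
PR_RPE = 1 << 15    # PRx: reads from the range are blocked


def decode_pr(value):
    """Return base/limit (byte addresses, inclusive) and enables of one PRx."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return {
        "base": base,
        "limit": limit,
        "wpe": bool(value & PR_WPE),
        "rpe": bool(value & PR_RPE),
    }


def write_protected_ranges(prs):
    """List of (base, limit) for every PRx that has write protection enabled."""
    return sorted((r["base"], r["limit"])
                  for r in map(decode_pr, prs) if r["wpe"])


def flash_write_protected(hsfs, prs, flash_size):
    """True only if the lock-down bit is set *and* the write-protected
    ranges cover the whole flash [0, flash_size) without gaps.

    Without FLOCKDN the PR registers are still writable from the OS, so
    the protection could simply be cleared again: that case reports False.
    """
    if not hsfs & FLOCKDN:
        return False
    covered = 0  # first byte not yet known to be protected
    for base, limit in write_protected_ranges(prs):
        if base > covered:
            return False  # hole between protected ranges
        covered = max(covered, limit + 1)
    return covered >= flash_size


# Constructed sample: 8 MiB flash, PR0 covers the entire chip with WPE,
# PR1..PR4 unused, FLOCKDN set. Expected: fully write protected.
SAMPLE_FLASH_SIZE = 8 * 1024 * 1024
SAMPLE_HSFS = 0x8000
SAMPLE_PRS = [0x87FF0000, 0, 0, 0, 0]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_PRS):
        r = decode_pr(raw)
        print(f"PR{i}: base=0x{r['base']:06x} limit=0x{r['limit']:06x} "
              f"wpe={r['wpe']} rpe={r['rpe']}")
    print("FLOCKDN:", bool(SAMPLE_HSFS & FLOCKDN))
    print("fully write protected:",
          flash_write_protected(SAMPLE_HSFS, SAMPLE_PRS, SAMPLE_FLASH_SIZE))
```

The coverage check matters more than the individual bits: a board can have FLOCKDN set and a PR register enabled and still leave part of the flash writable if the ranges do not add up to the full chip, which is exactly the kind of partial lock a reviewer should look for.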