Hi guys,
We've been using SMM only for security chipset lockdown enablement via coreboot payload (VaultBoot) and have tested it on x11ssh-tf (KabyLake) back in 2019 and it works well: ✓
https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/scrip...
So it's confirmed that users are able to control where or when to enable BIOS LOCK in KabyLake. But it didn't work when I tested coreboot on a coffeelake machine (x11sch) last year. All lockdown is enabled by default regardless of whether CHIPSET_LOCKDOWN_COREBOOT is set or not. IIRC, it is locked down even if I try to disable it via FSP params:
https://github.com/intel/FSP/blob/master/CoffeeLakeFspBinPkg/Fsp.bsf#L737
I've been looking into the leaked material from Insyde lately and found out that the NDA'ed FSP seems able to enable/disable any locks out there:
https://twitter.com/citypw/status/1580541897604751361
Is this a bug or a feature that intends not to allow users to disable BIOS lock (others as well) via Intel's public FSP binary blobs?
Thanks,
Regards,
Shawn
[1] FSP-S Issues https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/changes/28/36328...