[coreboot] SPI controller and Lock bits

Youness Alaoui kakaroto at kakaroto.homelinux.net
Mon Oct 1 23:08:43 CEST 2018


Oh boy, lots of emails to answer! So first, thanks to everyone who
shared their input, I very much appreciate it.

> I think you can decide what hardware your products include, right? I
> meant dedicated hardware on the mainboard.

Yes, but I'm currently looking for a solution to existing hardware,
not for the next laptop Purism produces. And by 'dedicated hardware' I
thought you meant only allow users to update their BIOS using an
external SPI flasher, which would be impractical of course.

> >
> > It's not just the part. A single simple part like that has all kinds of
> > follow-on effects that are not obvious unless you've been at a company
> > which designs and builds consumer electronics.
>
> Thank you for the perspective. I do understand that changing one
> component can affect others.
>
> Purism isn't a typical laptop company. The addition of hardware
> switches, to control webcam, mic and Wi-Fi, is one of the USPs for
> their Librem models. These undoubtedly had knock-on effects for the
> BOM. Purism was undeterred by that. In that context...
>
> I'm just asking for one more switch.
>
> So, Youness and others at Purism: if you are reading this, please do
> spec a momentary switch to control flashing on future Librems. Your
> security-conscious users will thank you for it.

Yes, I already suggested it for the next iteration. It wouldn't be a
switch though, but rather a low-profile 90-degree jumper on the
motherboard.
As for your question earlier about someone forgetting it, I would
assume that it would be easy to have the Heads menu show a big warning
to the user if it's left unprotected (I assume there would be a way to
detect if WP# is 1/0 through a GPIO (or other method) without being
able to use that GPIO to override the WP# value).
Right now, if you boot into Linux while ignoring tampering, you get
your ttys in red, as a huge and very visible warning.
Also, yes Sam, you did understand me perfectly, thanks!

