[coreboot] SPI controller and Lock bits
Martin Kepplinger
martink at posteo.de
Tue Oct 2 13:01:04 CEST 2018
Am 26.09.2018 01:30 schrieb Youness Alaoui:
> Hi,
>
> I'm trying to add a way to lock the SPI flash to be read-only via
> software *after* coreboot boots. The scenario is basically with using
> Heads, you could authenticate to it (with a yubikey/nitrokey/librem
> key) then be able to flash a new rom (update your BIOS), but once you
> boot an OS, Heads would first lock the flash so it can't be written
> to.
> This should add some security to avoid any malware writing to the
> flash, or someone booting into a USB stick and using that to flash a
> malicious BIOS, but still gives the user the freedom of updating their
> flash whenever they want to.
>
I might be wrong, but since Heads already authenticates to you via TOTP,
this wouldn't really add extra security, wouldn't it?
More information about the coreboot
mailing list