[coreboot] SPI controller and Lock bits

Martin Kepplinger martink at posteo.de
Tue Oct 2 13:01:04 CEST 2018

Am 26.09.2018 01:30 schrieb Youness Alaoui:
> Hi,
> I'm trying to add a way to lock the SPI flash to be read-only via
> software *after* coreboot boots. The scenario is basically with using
> Heads, you could authenticate to it (with a yubikey/nitrokey/librem
> key) then be able to flash a new rom (update your BIOS), but once you
> boot an OS, Heads would first lock the flash so it can't be written
> to.
> This should add some security to avoid any malware writing to the
> flash, or someone booting into a USB stick and using that to flash a
> malicious BIOS, but still gives the user the freedom of updating their
> flash whenever they want to.

I might be wrong, but since Heads already authenticates to you via TOTP,
this wouldn't really add extra security, wouldn't it?

More information about the coreboot mailing list