To make a real write protection on your SPI flash, you may go two ways after setting region protection and configuration bits in your flash:

1) Write an SMM handler that will prevent software from setting a high level on the SPI #WP/WE pin (that can be done if it is connected to the chipset). This is absolutely chipset-specific, and possibly a mainboard-specific task as well.

Or 2) After flashing coreboot with the protection bits set up, you can disconnect the #WP/WE pin from the mainboard and hardwire it to ground.

The second way is a bit simpler, but you may lose hibernation/S3 on AMD and lose memory training data on Intel FSP-based boards. The final decision is yours.

Sat, 16 Feb 2019, 15:31 Frank Beuth secli...@boxdan.com:

> On Thu, Feb 14, 2019 at 12:21:36PM -0500, Matt B wrote:
> >For Coreboot afaik the only two methods available are to flash with a
> >programmer or to flash internally from linux with iomem=relaxed.
>
> On another mailing list, someone commented "I would never use Coreboot, because
> it would let malware flash your bios from within Linux." (paraphrased)
>
> I'm reasonably sure that this is not true and security-conscious users can
> disable internal flashing, but I haven't been able to find any mention of such
> a setting in the documentation.
>
> How can users disable internal flashing?
> _______________________________________________
> coreboot mailing list -- coreboot@coreboot.org
> To unsubscribe send an email to coreboot-le...@coreboot.org
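An added example, not part of the original message and not coreboot or flashrom code: it shows why the reply treats the protection bits alone as insufficient and ties the outcome to the state of the #WP pin. The status-register layout is an assumption (Winbond W25Q-style SRP0/SRP1/BP bits with CMP=0); other chips differ, and the sample readings are constructed.

```python
# Added illustration, not code from the thread or from coreboot/flashrom.
# ASSUMPTION: Winbond W25Q-style status registers with CMP=0:
#   SR1 bits 2-4 = BP0..BP2 (block protect), SR1 bit 7 = SRP0, SR2 bit 0 = SRP1.
from typing import NamedTuple

SRP0 = 0x80      # SR1: status register protect 0
BP_MASK = 0x1C   # SR1: BP2..BP0
SRP1 = 0x01      # SR2: status register protect 1


class WpState(NamedTuple):
    mode: str                 # how the status register itself is guarded
    range_protected: bool     # any block-protect bit set
    software_can_clear: bool  # can host software rewrite the protection bits?

    @property
    def effective(self) -> bool:
        # Protection only holds if a range is selected AND the bits are locked.
        return self.range_protected and not self.software_can_clear


def assess(sr1: int, sr2: int, wp_pin_low: bool) -> WpState:
    srp0, srp1 = bool(sr1 & SRP0), bool(sr2 & SRP1)
    if srp1 and srp0:
        mode, clearable = "permanent", False
    elif srp1:
        mode, clearable = "locked-until-power-cycle", False
    elif srp0 and wp_pin_low:
        mode, clearable = "hardware-locked", False
    elif srp0:
        # SRP0 set but #WP high: a write-status-register command still works.
        mode, clearable = "hardware-unlocked", True
    else:
        mode, clearable = "software-only", True
    return WpState(mode, bool(sr1 & BP_MASK), clearable)


# Constructed sample readings: (label, SR1, SR2, #WP tied low?)
SAMPLES = [
    ("bits set, #WP driven high by board", 0x9C, 0x00, False),
    ("bits set, #WP hardwired to ground", 0x9C, 0x00, True),
    ("range set, SRP0 clear", 0x1C, 0x00, True),
    ("SRP0 set, no range selected", 0x80, 0x00, True),
]

if __name__ == "__main__":
    for label, sr1, sr2, wp_low in SAMPLES:
        s = assess(sr1, sr2, wp_low)
        print(f"{label:38} {s.mode:18} effective={s.effective}")
```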