From e180fed3e2b561cbe0bd2e922588adf06a6c4edb Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 10 Sep 2024 13:46:08 -0400 Subject: [PATCH] WP_NOTES.md: add some more links to past discussions and Platform Chipset Locking(PR0) to lock SPI access from Heads prior of kexec to main OS Signed-off-by: Thierry Laurion --- WP_NOTES.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/WP_NOTES.md b/WP_NOTES.md index 25fcbdec..5ff46a78 100644 --- a/WP_NOTES.md +++ b/WP_NOTES.md @@ -1,6 +1,6 @@ Flashrom was passed to flashprog under https://github.com/linuxboot/heads/pull/1769 -Thoe are notes for @i-c-o-n and others wanting to move WP forward but track issues and users +Those are notes for @i-c-o-n and others wanting to move WP forward but track issues and users The problem with WP is that it is desired but even if partial write protection regions is present, WP is widely unused. @@ -13,5 +13,10 @@ Some random notes since support is incomplete (depends on chips, really) - Documented https://docs.dasharo.com/variants/asus_kgpe_d16/spi-wp/ - WP still unused +Alternative, as suggested by @i-c-o-n is Chipset Platform Locking (PR0) which is enforced at platform's chipset level for a boot +- This is implemented and enforced on <= Haswell from this PR merged : https://github.com/linuxboot/heads/pull/1373 +- Non-upstreamed work has been made from @root-hardenedvault work in vaultboot downstream fork of Heads at https://github.com/hardenedvault/vaultboot/blob/master/patches/coreboot/0001-x11.patch +- Discussion point under flashrom-> flashprog PR under https://github.com/linuxboot/heads/pull/1769/files/f8eb0a27c3dcb17a8c6fcb85dd7f03e8513798ae#r1752395865 tagging @i-c-o-n + Not sure what is the way forward here, but lets keep this file in tree to track improvements over time.