On Mon, Apr 18, 2016 at 8:48 AM, Trammell Hudson <[email protected]> wrote:
> I'm curious why this is an option, especially since it seems almost tailor
> made to re-create the Snorlax or Prince Harming vulnerabilities
> (VU#577140):
>
> Flash ROM locking on S3 resume
>
> 1. Don't lock ROM sections on S3 resume (LOCK_SPI_ON_RESUME_NONE) (NEW)
> 2. Lock all flash ROM sections on S3 resume (LOCK_SPI_ON_RESUME_RO) (NEW)
> 3. Lock and disable reads all flash ROM sections on S3 resume
> (LOCK_SPI_ON_RESUME_NO_ACCESS) (NEW)
> Maybe the default just needs to be changed to LOCK_SPI_ON_RESUME_RO?

LOCK_SPI_ON_RESUME_NONE is probably intended for developers who need to re-flash their systems a lot and might not want to rely on external programmers (especially for laptop development).
--
coreboot mailing list: [email protected]
https://www.coreboot.org/mailman/listinfo/coreboot

