On 26.09.2018 at 01:30, Youness Alaoui wrote:
> Hi,
> I'm trying to add a way to lock the SPI flash to be read-only via
> software *after* coreboot boots. The scenario is basically with using
> Heads, you could authenticate to it (with a yubikey/nitrokey/librem
> key) then be able to flash a new rom (update your BIOS), but once you
> boot an OS, Heads would first lock the flash so it can't be written
> to.
> This should add some security to avoid any malware writing to the
> flash, or someone booting into a USB stick and using that to flash a
> malicious BIOS, but still gives the user the freedom of updating their
> flash whenever they want to.

I might be wrong, but since Heads already authenticates to you via TOTP,
this wouldn't really add extra security, would it?
--
coreboot mailing list: [email protected]
https://mail.coreboot.org/mailman/listinfo/coreboot