Hi guys,

We've been using SMM only for security chipset lockdown enablement via a coreboot payload (VaultBoot) and tested it on the x11ssh-tf (Kaby Lake) back in 2019, and it works well: ✓
https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/scripts/harbian_fw/hardenedboot_skylake_kabylake.patch

So it's confirmed that users are able to control where or when to enable BIOS LOCK on Kaby Lake. But it didn't work when I tested coreboot on a Coffee Lake machine (x11sch) last year: all lockdown is enabled by default regardless of whether CHIPSET_LOCKDOWN_COREBOOT is set or not. IIRC, it is locked down even if I try to disable it via FSP params:
https://github.com/intel/FSP/blob/master/CoffeeLakeFspBinPkg/Fsp.bsf#L737

I've been looking into the leaked material from Insyde lately and found out that the NDA'ed FSP seems able to enable/disable any locks out there:
https://twitter.com/citypw/status/1580541897604751361

Is this a bug or a feature that intends not to allow users to disable BIOS lock (and others as well) via Intel's public FSP binary blobs?

Thanks, regards
Shawn

[1] FSP-S Issues
https://review.coreboot.org/plugins/gitiles/coreboot/+/refs/changes/28/36328/5/Documentation/fsp/fsp-s_discussion.md

_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
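The post's observation (lockdown engaged regardless of the CHIPSET_LOCKDOWN_COREBOOT setting) is the kind of thing you want to verify from the running OS rather than infer from build options. The program below is an added example by the editor, not code from the post, from VaultBoot or from coreboot: it reads the PCH SPI controller's BIOS Control (BC) register from Linux sysfs and decodes the bits that make up "BIOS lock". The offset (0xDC) and bit layout (WPD bit 0, LE bit 1, EISS bit 5, BILD bit 7) are taken from the Intel 100/200/300-series PCH datasheets, where the SPI controller lives at PCI function 00:1f.5; on other platforms the device or layout may differ, so treat the BDF and offset as assumptions to be checked against your own PCH datasheet. Reading config space above offset 0x40 through sysfs requires root.

```c
/* Added example (editor's own, not from the original post or coreboot):
 * decode the PCH SPI "BIOS Control" register to see whether BIOS flash
 * write protection is actually engaged on a running Linux system.
 *
 * Assumptions (from the Intel 100/200/300-series PCH datasheets):
 *   - the SPI controller is PCI function 0000:00:1f.5
 *   - BIOS Control (BC) is at config offset 0xDC
 *   - bit layout: WPD=0, LE=1, EISS=5, BILD=7
 * Verify these against your own PCH datasheet before trusting the result. */
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define SPI_BDF          "0000:00:1f.5"   /* assumed SPI controller location */
#define BIOS_CNTL_OFFSET 0xDC             /* assumed BC register offset      */

#define BC_WPD  (1u << 0)  /* Write Protect Disable: 1 = BIOS region writable   */
#define BC_LE   (1u << 1)  /* Lock Enable: WPD only settable from SMM; LE sticky */
#define BC_EISS (1u << 5)  /* Enable InSMM.STS: flash writes only while in SMM  */
#define BC_BILD (1u << 7)  /* BIOS Interface Lock-Down: locks boot/top-swap straps */

struct bios_lock_state {
    bool writable;     /* WPD set: BIOS region currently writable           */
    bool lock_enable;  /* LE set                                            */
    bool smm_only;     /* EISS set                                          */
    bool bild;         /* BILD set                                          */
};

/* Decode one BC register value into named fields. */
struct bios_lock_state decode_bios_cntl(uint8_t bc)
{
    struct bios_lock_state s = {
        .writable    = (bc & BC_WPD)  != 0,
        .lock_enable = (bc & BC_LE)   != 0,
        .smm_only    = (bc & BC_EISS) != 0,
        .bild        = (bc & BC_BILD) != 0,
    };
    return s;
}

/* "BIOS lock" as a practitioner checks it: writes disabled, LE set so the
 * OS cannot re-enable them, and EISS so that only SMM code can flip WPD.
 * Returns true only when all three hold. */
bool bios_region_locked(uint8_t bc)
{
    return !(bc & BC_WPD) && (bc & BC_LE) && (bc & BC_EISS);
}

/* Read one byte of PCI config space through sysfs. Returns 0 on success,
 * -1 on error (device absent, or not running as root). */
int read_pci_config_byte(const char *bdf, off_t offset, uint8_t *out)
{
    char path[128];
    snprintf(path, sizeof path, "/sys/bus/pci/devices/%s/config", bdf);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, 1, offset);
    close(fd);
    return n == 1 ? 0 : -1;
}

int main(void)
{
    uint8_t bc;
    if (read_pci_config_byte(SPI_BDF, BIOS_CNTL_OFFSET, &bc) != 0) {
        perror("read BIOS_CNTL (root required; check SPI_BDF for your PCH)");
        return 1;
    }
    struct bios_lock_state s = decode_bios_cntl(bc);
    printf("BIOS_CNTL = 0x%02x\n", bc);
    printf("  WPD  (writable)      : %d\n", s.writable);
    printf("  LE   (lock enable)   : %d\n", s.lock_enable);
    printf("  EISS (SMM-only write): %d\n", s.smm_only);
    printf("  BILD (iface lockdown): %d\n", s.bild);
    printf("BIOS region locked: %s\n", bios_region_locked(bc) ? "yes" : "no");
    return 0;
}
```

Run it as root before and after toggling the lockdown option; if the decode reports the region locked either way, the lock was applied somewhere other than the code path the option controls (for example inside FSP-S), which is the situation the post describes. A value with WPD clear but LE clear is not a lock at all: the OS can set WPD again at any time.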