Write protection could be applied today with Nlnet funded related work inside of dasharo/flashrom, to protect at least coreboot's bootblock region.
But from current documentation, bootblock being near the end of CBFS, but not at a fixed area is problematic for internal firmware upgrades, locking 64kb of space that could lead to brick if coreboot version upgrades are to be applied.
To be tested and documentation at least referred for people willing to sacrifice internal flashing of Heads when a coreboot version bump touching bootblock changes occurred (still untested on my side).
To be addressed when dasharo/flashrom includes kgpe-d16 ast1000 support, currently missing so that flashrom used under Heads is not causing any regression.
https://osresearch.net/Heads-threat-model/#write-protecting-the-bios-chip-advanced
Write protection could be applied today with Nlnet funded related work inside of dasharo/flashrom, to protect at least coreboot's bootblock region.
But from current documentation, bootblock being near the end of CBFS, but not at a fixed area is problematic for internal firmware upgrades, locking 64kb of space that could lead to brick if coreboot version upgrades are to be applied.
To be tested and documentation at least referred for people willing to sacrifice internal flashing of Heads when a coreboot version bump touching bootblock changes occurred (still untested on my side).
To be addressed when dasharo/flashrom includes kgpe-d16 ast1000 support, currently missing so that flashrom used under Heads is not causing any regression.