[qubes-users] Qubes AEM: write protecting BIOS is not possible

The [Qubes AEM docs](GitHub - QubesOS/qubes-antievilmaid: Qubes component: antievilmaid) recommend:

Some hints: connect the write protect pin on BIOS flash chip to ground
(prevents attacker from booting their own software which would bypass
BIOS protections and overwrite it) and make sure physically accessing
the chip will be tamper-evident by eg. covering the screws holding
laptop body together in glitter and taking high-res photos, then
examining before each use.

However, the given suggestion will do nothing on most laptops, providing a false sense of security.

The reason is that many/most BIOS flash chips require the SRWD and block protect bits to be set **in software** before the **hardware** write protect pins will do anything.

Unfortunately, Flashrom does not currently support setting these bits, though there is an open proposal to add support:

1 Like