Hello,
I wouldn't be aware of any documentation regarding this, except this:
https://coreboot.org/status/kconfig-options.html
The option you want to set while configuring coreboot is, depending on
your goal:
INTEL_CHIPSET_LOCKDOWN
and:
LOCK_SPI_FLASH_NO_ACCESS
Quote from the Documentation:
Select this if you want to protect the firmware flash against all
further accesses (with the exception of the memory mapped BIOS region
which is always readable). The locking will take place during
the chipset lockdown, which is either triggered by coreboot (when
INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
by the payload or the OS).
NOTE: If you trigger the chipset lockdown unconditionally,
you won't be able to write to the flash chip using the
internal programmer any more.
As you can see, depending on how you configure it, IMO coreboot is a lot
more secure than stock BIOS, not to mention the fact that it is
open source, and you can do a lot of fun stuff with payloads, like 2FA
and full disk encryption, which also prevents Evil-Maid attacks at /boot.
Personally, I just like the idea of controlling my own devices, the
security is a nice added benefit though. ;)
I only really go down the security rabbit hole with older architectures
like Sandy/Ivy Bridge, I'm not convinced it's worth the effort with new,
fully blobbed architectures personally.
Also, keep in mind that if it comes to Evil Maid attacks, the best one
can do is take care of the low-hanging fruit. There are just so many
options, and while you also could prevent reflashing the BIOS chip
externally, I wouldn't be aware of any practical ways of preventing
stuff like hardware keyloggers in your keyboard etc. Of course, one can
always glue in all screws, or fill the holes with glitter-glue, so any
modifications would be visible.
cheers