[amluto]

But, if your firmware cares about preventing flashable rootkits, then these registers should be locked such that you can only flash from SMM or during initial boot. The fact that AFUEFI works at all on a System76 laptop is a bad sign IMO.

[jackpot51]

It absolutely is locked, and needs to be unlocked and flashed while in EFI mode.

[amluto]

What do you mean “in EFI mode”? Do you mean EFI Boot Services or something else? I’m trying to understand what makes AFUEFI special that causes it to be able to write the SPI flash when regular software can’t. If I understand your blog post right, AFUEFI run like any other .efi program, which seems insufficiently locked down to me.