As an aside, I am trying to understand the rationale for this kernel option. In order for an attacker to use Flashrom to perform internal flashing, they would have to have root-level access. But if they have root-level access, then they can modify the kernel to disable CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM. I suppose the need for the attacker to do that, and perhaps also to reboot the computer, has the benefit to the defender that these extra steps would slow the attacker down and make their attack less stealthy.
The issue isn't one of security, it's one of licensing. Coreboot on Broadwell systems only works with an "MRC" binary, which is only created by Google for their Chromebook machines. The file isn't available for download publicly and it's not licensed so it can be redistributed by us. So basically providing those files would be equivalent to "piracy" (copyright infringement) or at the very least a license violation. That's why we don't and can't provide those files and that's why we instead provide a script which will download the Chromebook recovery image directly from Google's servers and extract the coreboot image in it, then extract the MRC file from it.
As far as I know, flashrom works fine with recent kernels even without the iomem=relaxed option. I haven't seen any kernel versions in which flashrom doesn't work (either with iomem=relaxed or without it for recent versions).
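
For anyone who wants to see which of the /dev/mem restrictions named in this thread a given kernel applies, the following is an added example, not part of any post above and not code from any project mentioned. The function names and the output labels are hypothetical; it reads only CONFIG_STRICT_DEVMEM, CONFIG_IO_STRICT_DEVMEM and the `iomem=` boot argument, and does not account for other mechanisms such as kernel lockdown.

```shell
#!/bin/sh
# Added example: classify a kernel's /dev/mem policy from its build config
# and boot command line. Names and labels are illustrative.

# cfg_on FILE OPTION -> exit status 0 when FILE contains "OPTION=y".
cfg_on() {
    grep -q "^$2=y\$" "$1"
}

# devmem_policy CONFIG_FILE CMDLINE
# Prints one label:
#   unrestricted  CONFIG_STRICT_DEVMEM is off
#   strict        STRICT_DEVMEM on, busy I/O regions still reachable
#   io-strict     STRICT_DEVMEM on, driver-claimed I/O regions blocked as well
devmem_policy() {
    cfg=$1
    cmdline=$2
    # iomem= only has an effect when STRICT_DEVMEM is built in.
    if ! cfg_on "$cfg" CONFIG_STRICT_DEVMEM; then
        echo unrestricted
        return
    fi
    # The build option sets the default; iomem= on the command line overrides it.
    if cfg_on "$cfg" CONFIG_IO_STRICT_DEVMEM; then
        mode=io-strict
    else
        mode=strict
    fi
    for arg in $cmdline; do
        case $arg in
            iomem=relaxed) mode=strict ;;
            iomem=strict)  mode=io-strict ;;
        esac
    done
    echo "$mode"
}

# Constructed sample config and command lines (not from a real machine).
sample=$(mktemp)
printf '%s\n' 'CONFIG_STRICT_DEVMEM=y' 'CONFIG_IO_STRICT_DEVMEM=y' > "$sample"
devmem_policy "$sample" "ro quiet"
devmem_policy "$sample" "ro quiet iomem=relaxed"
rm -f "$sample"

# On a live system (the config path is typical, not universal):
#   devmem_policy "/boot/config-$(uname -r)" "$(cat /proc/cmdline)"
```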