Re-enable Firmware Write Protection?

Installing MrChromebox’s firmware requires us to disable FW write protection, whether it’s software or hardware. However, I’m wondering if it’s advisable (or even possible) to re-enable FW write protection after installing the UEFI full-rom firmware, in order to restore Chromebook’s security model?

I understand that the memory map might be different than the one on this page ( so I might have to adjust the write protection range. Has anyone here tried re-enabling their WP?

There is no point when you can just boot any os from usb

Not when secure boot is enabled, I believe. If I understand it correctly, the read-only part of the firmware will serve as the TCB and will verify the read-write portion, which in turn will verify the bootloader, and then the OS. Thus, you can’t just boot any OS from USB without adding its signature first.

My question is more about that read-only part of the firmware. Since all of the firmware is RW, it is less protected in this model. Thus, is there some part of the MrChromebox’s UEFI firmware that could be set as RO?

There is no firmware verification in full rom

But isn’t SecureBoot implemented since 4.20?

That only verifies the os, not the firmware.