Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 7:
And again I am not happy about this change because it leads again to multiple threat models and ways how you do security as default coreboot security architecture.
I don't really understand your concerns here? Security should be configurable, since every feature comes with trade-offs and not everyone has the same requirements. That doesn't mean you can't have a single unified threat-model, it just means that threat model needs to separate out which configurations can protect against which threats. coreboot aims to be a firmware for everyone so we'll never want to force a single, rigid one-size-fits-all security model (for example, Chrome OS is not interested in measured boot and doesn't want it enabled). Instead we should provide a security toolbox that allows everyone to tune the security model to their requirements, and if someone has a need for measured-but-not-verified boot I see no reason why we shouldn't allow that (assuming it doesn't harm any other use case, which with a toughtful I don't think it should).
If you want to use measured boot without verified boot look into eltan's vendor implementation and use that instead.
I hope you aren't serious? We need less vendorcode fragementation, not more.