Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/38590 )
Change subject: vendorcode/eltan/security: Switch to vb2 vboot library ......................................................................
Patch Set 8:
(1 comment)
https://review.coreboot.org/c/coreboot/+/38590/2/src/vendorcode/eltan/securi... File src/vendorcode/eltan/security/verified_boot/vboot_check.c:
https://review.coreboot.org/c/coreboot/+/38590/2/src/vendorcode/eltan/securi... PS2, Line 17: #define NEED_VB20_INTERNALS /* Peeking into vb2_shared_data */
Yeah, I don't see anything here that you couldn't achieve with standard vboot. […]
I think we look at the vboot library (not the complete solution) in a different way. As far as we are concerned it is a crypto library for use in coreboot. For a large part it indeed serves the purpose. We can create hashes etc.
However there is one are that is not covered and that is signature verification, and the related key import. We have no problems to provide a key with a vboot wrapper but we would like to be able to verify the signature of a random datablock. Basically this has nothing to do with vboot itself. The datablock may not even be included in coreboot image. This can be e.g. an FPGA image that we need to program.
We can't do this as a fixed hash as in this case the image would need to be fixed on coreboot build and that's what we want to avoid.