Amol N Sukerkar has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32153 )
Change subject: src/security/vboot: When VBOOT Stage Verification is enabled, boot ROMSTAGE and POSTCAR from Read-Only region. ......................................................................
Patch Set 1:
(1 comment)
https://review.coreboot.org/#/c/32153/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/#/c/32153/1//COMMIT_MSG@13 PS1, Line 13: RAMSTAGE. RAMSTAGE authenticates PAYLOAD.
Where is this assumption coming from? It's not correct.
This is Intel enhancement. Here, we make use of VBOOT 2.1 libraries to verify each stage as opposed verifying the entire partition in verstage. So, when ramstage executes, it loads the payload in DRAM, then authenticates using VBOOT 2.1 library (uses VB2_ID to identify the corrsponding SHA256 hash stored in VBLOCK), authenticates it and then payload is launched. Corresponding VBOOT utilities are added into vboot_reference repo. Currently in the process of getting all the permissions so I can raise a code review there. I also added you to the documentation review. I need to fix the links so figures are visible in md file.