Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/31662 )
Change subject: security/vboot: Do not check for RW partitions if not part of the image
Patch Set 1:
(1 comment)
https://review.coreboot.org/#/c/31662/1/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/#/c/31662/1/src/security/vboot/vboot_logic.c@330 PS1, Line 330: if (!IS_ENABLED(CONFIG_VBOOT_SLOTS_RW_A))
What I actually would like to have is a RW_A only (no RW_B due to flash space constraints and even n […]
I mean, a hacky but easy way to do it would be to just have coreboot present the same section as both "A" and "B" to vboot. Since we got this all abstracted out via is_slot_a(), if you just change that to always return true when VBOOT_SLOTS_RW_AB is not true, that should get you most of the way there. (There may be some oddities like when the verification fails vboot will first try "the other slot" which ends up being the same slot again before falling back to recovery, but that shouldn't really matter much.)
That should allow the VBOOT_SLOTS_RW_A-only configuration to work, but it still wouldn't work if that one is also disabled (i.e. the "RO-only" configuration which should really be called "RW-only without recovery"). In order to do that right I think we have to revisit the config and Makefile stuff set up in CB:27714 because the way it was done there doesn't make all that much sense. Rather than "disabling RW_A", I think what you really want to do is "disable recovery"... so rather than two Kconfigs for "slot A enabled" and "slot A and B enabled", you'd rather want two options that say "slot B enabled" and "recovery enabled" (implying that slot A is always enabled).
Then you would have to decide what the FMAP looks like when both slot B and recovery are disabled. I think the cleanest way would still be to have both a COREBOOT section (for the root-of-trust stuff, e.g. bootblock and verstage) and a FW_MAIN_A section (for the later stages). The only real difference to "recovery enabled" is that your COREBOOT section can be much smaller because it doesn't need to have a second copy of all the later stages. Splitting them up also allows you to write-protect the root of trust (and, honestly, using vboot without that doesn't make a lot of sense anyway).
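The slot aliasing suggested in the comment above (is_slot_a() reporting "A" whenever RW_AB is off), modelled as an added stand-alone C example; this is not coreboot's vboot_logic.c, and the section names, the verify stand-ins and the two-attempt fallback loop are constructed to show the "other slot is the same slot" oddity before the drop to recovery.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model: slot names follow the FMAP sections named in the thread. */
enum slot { SLOT_A, SLOT_B };

/* The suggested tweak: with RW_AB disabled every request counts as slot A,
 * so "A" and "B" both resolve to the single FW_MAIN_A section. */
static bool is_slot_a(enum slot s, bool rw_ab_enabled)
{
    if (!rw_ab_enabled)
        return true;
    return s == SLOT_A;
}

static const char *fw_main_section(enum slot s, bool rw_ab_enabled)
{
    return is_slot_a(s, rw_ab_enabled) ? "FW_MAIN_A" : "FW_MAIN_B";
}

/* Hypothetical verification stand-ins: accept only slot A, or nothing. */
static bool verify_a_only(const char *sec) { return strcmp(sec, "FW_MAIN_A") == 0; }
static bool verify_none(const char *sec) { (void)sec; return false; }

struct boot_result {
    const char *booted;    /* section booted, or "RECOVERY" */
    int attempts;          /* verification attempts made */
    const char *tried[2];  /* section checked on each attempt */
};

/* Simulated fallback order: requested slot, then "the other slot", then
 * recovery. With RW_AB disabled the "other slot" is the same section again. */
static struct boot_result select_firmware(enum slot first, bool rw_ab_enabled,
                                          bool (*verify)(const char *))
{
    struct boot_result r = { "RECOVERY", 0, { NULL, NULL } };
    enum slot s = first;
    for (int i = 0; i < 2; i++) {
        r.tried[i] = fw_main_section(s, rw_ab_enabled);
        r.attempts++;
        if (verify(r.tried[i])) {
            r.booted = r.tried[i];
            return r;
        }
        s = (s == SLOT_A) ? SLOT_B : SLOT_A;  /* "the other slot" */
    }
    return r;
}
```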