David Hendricks has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32153 )
Change subject: src/security/vboot: When VBOOT Stage Verification is enabled, boot ROMSTAGE and POSTCAR from Read-Only region.
Patch Set 2:
This seems like a pretty huge change to the way vboot operates that is incompatible with most (all?) implementations on the last several generations of platforms. From a practical standpoint it also means that you won't be able to update core silicon init modules (e.g. MRC), which is a pretty huge change.
Judging by the test case, this seems to have something to do with graphics. What is the requirement here? If there is some sort of graphics/display ACM, then you might want to look into some of the measured launch support that Philipp (cc'd) has added for TXT.
Oops, I forgot to point at Philipp's measured boot patch: https://review.coreboot.org/c/coreboot/+/29547