Paul Menzel has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/32159 )
Change subject: Documentation/security/vboot: Add logic to verify stage/blob using VBOOT 2.1 library
Patch Set 1:
(51 comments)
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG@7 PS1, Line 7: Documentation/security/vboot: Add logic to verify stage/blob using
Commit message summaries have to fit on one line.
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG@7 PS1, Line 7: Documentation/security/vboot: Add logic to verify stage/blob using
: VBOOT 2.1 library
Maybe:
security: Document logic to verify stage/blob using vboot 2.1
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG@8 PS1, Line 8: VBOOT vboot
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG@10 PS1, Line 10: Added Add
https://review.coreboot.org/#/c/32159/1//COMMIT_MSG@11 PS1, Line 11: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/index.md File Documentation/security/index.md:
https://review.coreboot.org/#/c/32159/1/Documentation/security/index.md@8 PS1, Line 8: VBOOT vboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... File Documentation/security/vboot/verified_boot_21.md:
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 1: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 1: Coreboot lowercase: coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 8: Bootguard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 10: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 11: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 11: This document describes the mechanism implemented in Coreboot using Google VBOOT
Please add a blank line above to separate the paragraphs.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 11: VBOOT vboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 12: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 12: Root root
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 13: Trust trust
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 13: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 16: VBOOT vboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 16: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 20: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 22: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 24: ACM
As this is documentation, please also give the full name or link to the corresponding documentation.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 24: measured in TPM) by a piece of firmware (ACM) which itself is verified by Intel
: CPU microcode
Verified by microcode?
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 26: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 28: Authenticated Code module
Please move that above.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 29: PolicyManifest(BtG BPM)
Ditto.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 29: Manifest(BtG KM)
Add a space before (.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 29: in in the
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 35: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 26: BootGuard are: 1. Use Intel FSP-T with Coreboot bootloader. It contains the
: logic of correctly handling BtGuard enabled state. 2. Integrate ACM
: (Authenticated Code module) binary in bootloader image. 3. Generate BtGuard Key
: Manifest(BtG KM) and BtGuard Boot PolicyManifest(BtG BPM) and embed them in
: bootloader image. a. BtG KM contains the hash of the key used for signing BtG
: BPM. BtG KM is signed by the key whose hash is embedded in field-programmable
: fuses. b. BtG BPM contains the hash of initial stage of boot loader. It also
: stores other policies related to Intel TXT, BtG DMA protection etc. 4. Add
: entries for CPU microcode patch, ACM, BtG KM and BtG BPM in FIT table. 5.
: Update BootGuard related field-programmable fuses on the test platform.
Please format this as a list.
- a
- b
- c
- …
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 41: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 41: 2.0
Below you use 2.1
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 42: has been
is
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 42: feature has been described here,
: https://www.coreboot.org/git-docs/Intel/vboot.html
Make it a link.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 45: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 51: Coreboot coreboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 63: ,
Please use a dot.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 64: Root of Trust root of trust
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 64: - Some hardware designs cannot support ‘read-only’ flash region as Root of Trust
Please add a blank line above.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 65: BootGuard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 68: Remove or align all lines.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 75: One space for consistency.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 76: Bootguard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 78: Bootguard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 79: ) Remove.
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 80: VBOOT vboot
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 86: Bootguard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 88: Bootguard Boot Guard
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 89: GBB
Elaborate what GBB is?
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 90: verified
verifies?
https://review.coreboot.org/#/c/32159/1/Documentation/security/vboot/verifie... PS1, Line 92: This is done to ensure maximum security.
That sounds like marketing speech?