Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 75:
BTW: This patch does not compile on Apollo Lake when both TPM_MEASURED_BOOT and VBOOT are selected at the same time. This is because Apollo Lake selects VBOOT_STARTS_IN_BOOTBLOCK and now tss.c is added to the bootblock while the tpm driver is not. So there is a linker error right now:
build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tpm_process_command':
coreboot/src/security/tpm/tss/tcg-2.0/tss.c:44: undefined reference to `tis_sendrecv'
build/bootblock/security/tpm/tss/tcg-2.0/tss.o: In function `tlcl_lib_init':
coreboot/src/security/tpm/tss/tcg-2.0/tss.c:198: undefined reference to `tis_init'
coreboot/src/security/tpm/tss/tcg-2.0/tss.c:203: undefined reference to `tis_open'
Was it meant to make these two options (TPM_MEASURED_BOOT and VBOOT) mutually exclusive now?
It means a "bootblock-$(CONFIG_LPC_TPM) += tis.c" may need to be added to the Makefile.inc of each tpm implementation.
Or similar statements.
Not possible when bootblock is not large enough. This is where you originally came from. The alternative would be to provide empty stubs just for the bootblock as the functions in question are not needed in this case. I will upload a patch soon.
Does Apollo Lake have a separate verstage if VBOOT is enabled?
Yes.
Addressed in https://review.coreboot.org/c/coreboot/+/39971
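The thread above ends with two candidate fixes for the undefined `tis_init`/`tis_open`/`tis_sendrecv` references: link the TIS driver into the bootblock, or supply stubs for a stage that carries no driver. The block below is an added example, not code from coreboot or from the patch linked above, and shows the stub variant done with weak symbols so the same tss.c object links in every stage and the TSS fails closed when no driver is present. The function names `tis_init`, `tis_open`, `tis_sendrecv`, `tlcl_lib_init` and `tpm_process_command` are taken from the linker errors in the thread; their signatures, the `tss_status` codes and the `tss_is_ready` helper are assumptions made for this example.

```c
/* Added example (not coreboot's code): weak fallback stubs for the TIS layer.
 * A stage that links the real TPM driver provides strong tis_* definitions
 * and these weak ones drop out; a stage without the driver (the bootblock in
 * the thread above) resolves to these bodies instead of failing to link.
 * Signatures and status codes are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tss_status { TSS_OK = 0, TSS_NO_DRIVER = 1, TSS_IO_ERROR = 2 };

/* Weak definitions: overridden by a strong definition from tis.c when that
 * file is part of the stage. Each reports failure so nothing is measured
 * against a TPM that was never opened. */
__attribute__((weak)) int tis_init(void) { return -1; }
__attribute__((weak)) int tis_open(void) { return -1; }
__attribute__((weak)) int tis_sendrecv(const uint8_t *sendbuf, size_t send_size,
                                       uint8_t *recvbuf, size_t *recv_len)
{
    (void)sendbuf; (void)send_size; (void)recvbuf; (void)recv_len;
    return -1;
}

static int tss_ready;  /* set only after tlcl_lib_init() succeeded */

/* Initialise the TSS; fails closed when the driver is absent. */
enum tss_status tlcl_lib_init(void)
{
    tss_ready = 0;
    if (tis_init() != 0)
        return TSS_NO_DRIVER;
    if (tis_open() != 0)
        return TSS_NO_DRIVER;
    tss_ready = 1;
    return TSS_OK;
}

/* Send one command to the TPM; refused unless init succeeded. */
enum tss_status tpm_process_command(const uint8_t *cmd, size_t cmd_len,
                                    uint8_t *resp, size_t *resp_len)
{
    if (!tss_ready)
        return TSS_NO_DRIVER;
    if (tis_sendrecv(cmd, cmd_len, resp, resp_len) != 0)
        return TSS_IO_ERROR;
    return TSS_OK;
}

int tss_is_ready(void) { return tss_ready; }

int main(void)
{
    /* Constructed input: a one-byte placeholder command, not a real TPM2 frame. */
    uint8_t cmd[1] = { 0 }, resp[16];
    size_t resp_len = sizeof(resp);

    enum tss_status st = tlcl_lib_init();
    printf("tlcl_lib_init -> %d (1 = no driver linked into this stage)\n", st);
    st = tpm_process_command(cmd, sizeof(cmd), resp, &resp_len);
    printf("tpm_process_command -> %d\n", st);
    return 0;
}
```

The caveat a practitioner wants here: weak stubs make a missing driver a silent link-time outcome, so a stage that is supposed to measure must treat `TSS_NO_DRIVER` from `tlcl_lib_init()` as fatal, or a misconfigured build will boot with no measurements and no error. The explicit Makefile.inc approach discussed in the thread trades that risk for bootblock size.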