Bill XIE has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )
Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................
Patch Set 6:
(5 comments)
Thanks for your instructions, Julius! I am going to improve this patch progressively, from easier points to harder ones.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... File src/security/tpm/Makefile.inc:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/Makefile.i... PS5, Line 10: CONFIG_VBOOT
Just remove the conditional linking here (make it verstage-y and postcar-y) rather than making it mo […]
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 25: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT)
We should make vboot library primitives (like hash functions) available unconditionally, so you shou […]
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/tpm/tspi/tspi.... PS5, Line 246: #if CONFIG(VBOOT) || CONFIG(VBOOT_MEASURED_BOOT)
...here too.
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h File src/security/vboot/misc.h:
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 130: static inline int vboot_crtm_is_set(void)
Does this need to be externally accessible anyway? I think you can keep this local to crtm.c.
Resolved as you pointed out.
https://review.coreboot.org/c/coreboot/+/35077/5/src/security/vboot/misc.h@1... PS5, Line 139: __PRE_RAM__
We use if (ENV_ROMSTAGE_OR_BEFORE) for this kind of stuff now (see Kyösti's recent patches).
Resolved as you pointed out.