[coreboot-gerrit] Change in coreboot[master]: security/vboot: Decouple measured boot from verified boot

Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35077 )

Change subject: security/vboot: Decouple measured boot from verified boot ......................................................................

Patch Set 39:

(1 comment)

https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c File src/lib/cbfs.c:

https://review.coreboot.org/c/coreboot/+/35077/5/src/lib/cbfs.c@330 PS5, Line 330: #if !CONFIG(VBOOT) && CONFIG(VBOOT_MEASURED_BOOT)

Now the problem is that the bootblock on some platform is too small to contain the code to initializ […]

In general I think it's perfectly fine to just not support certain platforms for now if you don't need them.

But I also think this is yet another sign that the approach of doing all the TPM init in the bootblock is not that great, and the other approach I have outlined may be better: just record the hashes you were planning to write to the TPM in the TCPA log during early stages, and then later update the TPM to match in ramstage. This way you only need the TPM drivers in ramstage and can save all that code size in the earlier stages, I think it is a lot more efficient approach overall. What do you think?