Aaron Durbin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/31662 )
Change subject: security/vboot: Do not check for RW partitions if not part of the image ......................................................................
Patch Set 1:
(1 comment)
https://review.coreboot.org/#/c/31662/1/src/security/vboot/vboot_logic.c File src/security/vboot/vboot_logic.c:
https://review.coreboot.org/#/c/31662/1/src/security/vboot/vboot_logic.c@330 PS1, Line 330: if (!IS_ENABLED(CONFIG_VBOOT_SLOTS_RW_A)) Can we have a Kconfig which is more explicit?
config VBOOT_NO_RW_SLOTS bool default y if !VBOOT_SLOTS_RW_A
Then is the code we can explicitly test for CONFIG_VBOOT_NO_RW_SLOTS?
This will work but you are using recovery mode as a proxy (with implicit semantics) for your desired behavior. You can't really count on the behavior not changing in the future.
But I believe you're going down this path to only do measured boot? Do we need verified boot and verstage to do that? vboot seems like a big hammer for measured boot.