1 comment:
File src/vendorcode/eltan/security/verified_boot/vboot_check.c:
Patch Set #2, Line 17: #define NEED_VB20_INTERNALS /* Peeking into vb2_shared_data */
Let me explain what we are trying to do at a high level. […]
Yeah, I don't see anything here that you couldn't achieve with standard vboot. You should not design a custom solution for this; what we have essentially does what you want already.
You do not need a TPM to run vboot. The TPM is only used for rollback protection and developer mode. If you don't want either of those features, just select CONFIG_VBOOT_MOCK_SECDATA and the TPM stuff will be mocked out.
The existing vboot already starts from a write-protected read-only part and then chains into an updateable read-write part, where the read-write part is signed by keys in the read-only part. Sounds like this is exactly the system you're looking for, so why don't you just use it?
To view, visit change 38590.