Bill XIE has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/34977 )
Change subject: security/vboot: Boot to Recovery Mode if no RW slot present
security/vboot: Boot to Recovery Mode if no RW slot present
Currently, even if there is no RW slot present, vboot will still try to find one to boot, resulting in an infinite boot loop.
This change explicitly allows a coreboot build with vboot but without RW slot to make use of vboot only for measured boot, by performing "Recovery mode" boot, with stages and payloads in the RO slot.
Change-Id: Ica98afd6aeb5328515df0c11e974cc9b3e8cdde1
Signed-off-by: Bill XIE persmule@hardenedlinux.org
---
M src/security/vboot/vboot_logic.c
1 file changed, 3 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/77/34977/1
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 7f00df5..48fd6db 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -347,7 +347,9 @@ "Initializing measured boot mode failed!"); }
- if (get_recovery_mode_switch()) { + /* Boot to Recovery Mode if no RW slot present */ + if (!CONFIG(VBOOT_SLOTS_RW_A) || + get_recovery_mode_switch()) { ctx.flags |= VB2_CONTEXT_FORCE_RECOVERY_MODE; if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY)) ctx.flags |= VB2_CONTEXT_DISABLE_DEVELOPER_MODE;
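Review bot: In the new condition `!CONFIG(VBOOT_SLOTS_RW_A) || get_recovery_mode_switch()`, a build without an RW slot now takes the same branch as a recovery switch request on every boot, so the `if (CONFIG(VBOOT_DISABLE_DEV_ON_RECOVERY))` line inside that branch will also set `VB2_CONTEXT_DISABLE_DEVELOPER_MODE` on every boot of such a build. If that side effect is not intended for the measured-boot-only case, keep the developer-mode disable dependent on `get_recovery_mode_switch()` alone and let only `VB2_CONTEXT_FORCE_RECOVERY_MODE` be set by the new clause. The added comment restates the condition; it would be more useful if it said why recovery is forced (RO-only build using vboot for measured boot, as the commit message explains), since a reader of the code cannot otherwise tell this path apart from a user-requested recovery.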