Furquan Shaikh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/38403 )
Change subject: soc/intel/common/block/xdci: Add override for vboot policy
......................................................................
Patch Set 3:
(2 comments)
https://review.coreboot.org/c/coreboot/+/38403/3/src/mainboard/facebook/mono...
File src/mainboard/facebook/monolith/Kconfig:
PS3: Can you please add mainboard changes in a separate CL?
https://review.coreboot.org/c/coreboot/+/38403/3/src/soc/intel/common/block/...
File src/soc/intel/common/block/xdci/Kconfig:

https://review.coreboot.org/c/coreboot/+/38403/3/src/soc/intel/common/block/...
PS3, Line 6: XDCI_VBOOT_FORCE_ENABLE
How about adding a config to src/security/vboot/Kconfig "VBOOT_ALWAYS_ALLOW_XDCI" which can be checked by vboot_can_enable_udc() to decide if XDCI should be enabled:
diff --git a/src/security/vboot/vboot_common.c b/src/security/vboot/vboot_common.c index 458ed87982a..5e7282323a0 100644 --- a/src/security/vboot/vboot_common.c +++ b/src/security/vboot/vboot_common.c @@ -27,6 +27,10 @@ /* Check if it is okay to enable USB Device Controller (UDC). */ int vboot_can_enable_udc(void) { + /* Allow XHCI in all vboot modes. */ + if (CONFIG(VBOOT_ALWAYS_ALLOW_XDCI)) + return 1; + /* Always disable if not in developer mode */ if (!vboot_developer_mode_enabled()) return 0;
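Review bot: The comment added at the top of vboot_can_enable_udc() reads "Allow XHCI in all vboot modes." but the option being checked is VBOOT_ALWAYS_ALLOW_XDCI and the function gates the USB Device Controller (UDC/XDCI), not the xHCI host controller; suggest `/* Allow XDCI in all vboot modes. */` so the comment matches the Kconfig name. Because this early `return 1;` sits ahead of the `vboot_developer_mode_enabled()` check and therefore bypasses it completely, the help text for VBOOT_ALWAYS_ALLOW_XDCI in src/security/vboot/Kconfig should state plainly that selecting it exposes the USB device controller in every vboot mode, including verified (non-developer) boot, so a board selecting it does so knowingly rather than by accident.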
This will help other vboot platforms too in case they care about implementing this policy. Also, this config can be auto-selected if !CHROMEOS since currently CHROMEOS is probably the only one that cares about disabling XDCI in non-developer mode.