Attention is currently required from: Christian Walter, Michał Żygowski, Yu-Ping Wu.
Michał Żygowski has uploaded a new patch set (#5) to the change originally created by Filip Lewiński. ( https://review.coreboot.org/c/coreboot/+/82695?usp=email )
The following approvals got outdated and were removed: Verified+1 by build bot (Jenkins)
Change subject: security: Allow vboot when INTEL_TXT enabled
security: Allow vboot when INTEL_TXT enabled
INTEL_TXT mandates usage of TPM_MEASURED_BOOT_INIT_BOOTBLOCK, which is not compatible with VBOOT. This essentially makes VBOOT and INTEL_TXT mutually exclusive, but they do not have to be.
Do not call tpm_setup in bootblock_main if vboot starts in bootblock; it would only start the TPM slightly faster. Most platforms probably start vboot in bootblock, so there will be no loss of tpm_setup state.
If vboot does not start in bootblock and TPM_MEASURED_BOOT_INIT_BOOTBLOCK is enabled, skip the tpm_setup and simply initialize the TLCL library.
TEST=Run VP4670 with INTEL_TXT and VBOOT enabled.
Change-Id: I19dc3d910c23fcfd8732465c488f47dd86a96781
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
---
M src/lib/bootblock.c
M src/security/tpm/Kconfig
M src/security/vboot/tpm_common.c
3 files changed, 19 insertions(+), 2 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/95/82695/5