Werner Zeh has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/31662
Change subject: security/vboot: Do not check for RW partitions if not part of the image ......................................................................
security/vboot: Do not check for RW partitions if not part of the image
In the setup where measured boot is used with read-only partition only there is no RW_A or RW_B partition in the flash. In this case it makes no sense to let VBOOT check for these partitions just to fail and then fall back to recovery mode. Instead set the flag VB2_CONTEXT_RECOVERY_MODE right away so that VBOOT starts in recovery mode any time. This kind of bypasses VBOOT logic but is still suitable to have a pure measured boot scheme enabled. In addition it avoids the first two reboots due to missing RW_A and RW_B.
Change-Id: I07b8ec97be7db63b7ccddb3f33e0f741bed8acd8 Signed-off-by: Werner Zeh werner.zeh@siemens.com --- M src/security/vboot/vboot_logic.c 1 file changed, 6 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/62/31662/1
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index 8c3ba80..89934b9 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -324,6 +324,12 @@ die("Initializing measured boot mode failed!"); }
+ /* Skip checking for RW_A and RW_B if these partitions are not included + in the image. Instead proceed with recovery mode which uses RO + partition only. */ + if (!IS_ENABLED(CONFIG_VBOOT_SLOTS_RW_A)) + ctx.flags |= VB2_CONTEXT_RECOVERY_MODE; + if (IS_ENABLED(CONFIG_VBOOT_PHYSICAL_DEV_SWITCH) && get_developer_mode_switch()) ctx.flags |= VB2_CONTEXT_FORCE_DEVELOPER_MODE;