[S] Change in coreboot[main]: security: Allow vboot when INTEL_TXT enabled - coreboot-gerrit

31 Jan 2025


      Attention is currently required from: Christian Walter, Filip Lewiński, Michał Żygowski.
Julius Werner has posted comments on this change by Filip Lewiński. ( https://review.coreboot.org/c/coreboot/+/82695?usp=email )
Change subject: security: Allow vboot when INTEL_TXT enabled
......................................................................
Patch Set 12:
(4 comments)
File src/lib/bootblock.c:
https://review.coreboot.org/c/coreboot/+/82695/comment/2e8143fe_081bb993?usp... :
PS12, Line 65: 	 */
nit: not sure this comment explains anything that isn't obvious here tbh, and since this function is a very central piece of code and none of the other calls are commented it feels a bit odd and out of place here
File src/security/intel/txt/Kconfig:
https://review.coreboot.org/c/coreboot/+/82695/comment/0f0fa208_8e4a83b0?usp... :
PS12, Line 19: 	select TPM_STARTUP_IGNORE_POSTINIT
Sorry, I don't understand why we need these changes here now. Doesn't the change you make to `vboot_setup_tpm()` make `VBOOT_STARTS_IN_BOOTBLOCK` compatible with `TPM_MEASURED_BOOT_INIT_BOOTBLOCK`? So why are you still adding the `&& !VBOOT_STARTS_IN_BOOTBLOCK` here?
Also, doesn't that change ensure that the TPM doesn't get initialized twice anymore (because vboot will not try to initialize it again)? So why do you still have the `TPM_STARTUP_IGNORE_POSTINIT` here?
I think you can just leave this file as it was, and your changes to the other files alone should be enough to make this patch work.
File src/security/vboot/tpm_common.c:
https://review.coreboot.org/c/coreboot/+/82695/comment/37891da8_e06d0137?usp... :
PS12, Line 20:  probe for TPM. 
This doesn't probe for TPM, `tpm_setup()` does. The whole point here is that we don't need to probe again because we know we already did.
https://review.coreboot.org/c/coreboot/+/82695/comment/a9bb1f06_9229fba0?usp... :
PS12, Line 27: 			printk(BIOS_ERR, "TPM Error (%#x): Can't initialize.\n", rc);
nit: this seems a bit redundant here since we know `tpm_setup()` was already called and would've already printed this (and logged the post code). I think you can literally just make this
```
if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK))
  return tlcl_lib_init();
```
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/82695?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings?usp=email

Gerrit-MessageType: comment
Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: I19dc3d910c23fcfd8732465c488f47dd86a96781
Gerrit-Change-Number: 82695
Gerrit-PatchSet: 12
Gerrit-Owner: Filip Lewiński filip.lewinski@3mdeb.com
Gerrit-Reviewer: Christian Walter christian.walter@9elements.com
Gerrit-Reviewer: Yu-Ping Wu yupingso@google.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Arthur Heymans arthur@aheymans.xyz
Gerrit-CC: Julius Werner jwerner@chromium.org
Gerrit-CC: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-CC: Paul Menzel paulepanter@mailbox.org
Gerrit-Attention: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Attention: Filip Lewiński filip.lewinski@3mdeb.com
Gerrit-Attention: Christian Walter christian.walter@9elements.com
Gerrit-Comment-Date: Sat, 01 Feb 2025 01:31:39 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No