Attention is currently required from: Christian Walter, Filip Lewiński, Michał Żygowski, Yu-Ping Wu.

Julius Werner has posted comments on this change by Filip Lewiński. ( https://review.coreboot.org/c/coreboot/+/82695?usp=email )

Change subject: security: Allow vboot when INTEL_TXT enabled ......................................................................

Patch Set 5:

(1 comment)

File src/lib/bootblock.c:

https://review.coreboot.org/c/coreboot/+/82695/comment/0c7d301e_c41c7b07?usp... : PS5, Line 62: if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK) && !CONFIG(VBOOT_STARTS_IN_BOOTBLOCK)) { No, sorry, this doesn't make sense. You're mixing different things together here.

I think there are essentially two ways to solve your problem (allowing TXT with vboot): the first is what I originally assumed you were going for and tried to help you do with my suggestion. In that case, the TPM would always be initialized here (before vboot runs), and vboot would need to be able to work with that. For that approach you do not want to add any extra conditions here, you just want the change in vboot_setup_tpm().

Another option would be to not initialize it here and instead rely on vboot initializing it before romstage, which seems to be what you're going for here. That may also be an option (I don't actually know why INTEL_TXT depends on TPM_MEASURED_BOOT_INIT_BOOTBLOCK, unfortunately Arthur didn't provide any explanation for CB:52969, so that may or may not be safe). If you wanted to do that, I would suggest not trying to modify what TPM_MEASURED_BOOT_INIT_BOOTBLOCK does (because it seems to suggest pretty clearly that it inits the TPM here), and instead just change INTEL_TXT to not depend on it in the vboot case. So you could just change the Kconfig line for INTEL_TXT to `select TPM_MEASURED_BOOT_INIT_BOOTBLOCK if TPM_MEASURED_BOOT && !VBOOT_STARTS_IN_BOOTBLOCK`.