Attention is currently required from: Christian Walter, Julius Werner, Michał Żygowski.

Filip Lewiński has posted comments on this change by Filip Lewiński. ( https://review.coreboot.org/c/coreboot/+/82695?usp=email )

Change subject: security: Allow vboot when INTEL_TXT enabled ......................................................................

Patch Set 12:

(3 comments)

File src/lib/bootblock.c:

https://review.coreboot.org/c/coreboot/+/82695/comment/df5b050b_a64871ac?usp... : PS5, Line 62: if (CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK) && !CONFIG(VBOOT_STARTS_IN_BOOTBLOCK)) {

Sorry, I'm still not really following to be honest. […]

@jwerner@chromium.org Thank you for your detailed feedback and patience in this discussion. To address your concerns:

* I've added `&& !VBOOT_STARTS_IN_BOOTBLOCK` and `select TPM_STARTUP_IGNORE_POSTINIT` to the [Intel TXT Kconfig option](https://review.coreboot.org/c/coreboot/+/82695/12/src/security/intel/txt/Kco...)

* I've removed the `!STARTS_IN_BOOTBLOCK` from [bootblock.c](https://review.coreboot.org/c/coreboot/+/82695/12/src/lib/bootblock.c#66)

File src/security/tpm/Kconfig:

https://review.coreboot.org/c/coreboot/+/82695/comment/99e2e257_06247098?usp... : PS9, Line 125: depends on TPM_MEASURED_BOOT

This is still going to clash with the "vboot in PSP" thing the AMD CPUs are doing, so since you prob […]

[Done](https://review.coreboot.org/c/coreboot/+/82695/12/src/security/tpm/Kconfig#1...)

File src/security/vboot/tpm_common.c:

https://review.coreboot.org/c/coreboot/+/82695/comment/0d3d0b66_0cda20ce?usp... : PS9, Line 24: && !CONFIG(VBOOT_STARTS_IN_BOOTBLOCK)

I don't really understand the second part here? Even in the VBOOT_STARTS_IN_BOOTBLOCK case, the MEAS […]

[Removed](https://review.coreboot.org/c/coreboot/+/82695/12/src/security/vboot/tpm_com...) the redundant condition