Hi Nico,
On Thu, Aug 22, 2024 at 4:39 AM Nico Huber nico.h@gmx.de wrote:
> On 22.08.24 11:17, Nico Huber via coreboot wrote:
>> There seems to be one exception where we can't just disable it, I will write about that in a separate mail.
> What we also discussed yesterday was one particularly painful case where the hardware only accepts a psp-verstage (which we need to boot coreboot) that is vendor signed. Please correct me if I'm wrong, I'm not familiar with the platform.
Yes, I was referring to the AMD Picasso platform and the google/zork mainboard.
> This seems to be a very special case because the verstage runs in a different environment, and at least in my theory has less compatibility issues than the general bootblock/romstage case. So I suggest to treat this case separately from other compatibility efforts. This might be a case where we could consider a special vboot submodule pointer just for this platform / the affected boards.
In the past when I've had to work around this issue, it required reverting/partially reverting some coreboot patches as well as rolling back the vboot submodule pointer. It would be a bit of a pain to special-case things just for this one mainboard.
> And we could also evaluate other options, e.g. dropping vboot support upstream for these particular boards. If that's doable? e.g. does this psp-verstage live in RO? if it does, can we get one signed that doesn't do vboot?
A non-vboot-signed PSP verstage (which would essentially just be the bootblock then) is not a workaround I'd considered before, but it is definitely worth looking into.
> Also, when such partially tivoized hardware is hard to support upstream, shouldn't we make owners aware of it? Suggest to buy or even switch to something else? and consequently drop support?
IMO this is an AMD bug in the PSP bootloader that should be fixed there. Picasso is the only platform with this issue; Cezanne and Mendocino have no issues booting with either unsigned PSP verstage, or without vboot at all.
For me, this bug just highlighted how tightly coupled coreboot and vboot are, and spurred the discussion of whether that's problematic and something we want to change going forward.
Nico