On Wed, Nov 18, 2020 at 22:03, Nico Huber <nico.h@gmx.de> wrote:
> The vboot dependency has been a PITA for a while. I'll happily accept
> patches that make it less of a pain even if that means a little more
> maintenance effort. I'd even accept a local hash implementation.
That's an option. That isn't what was proposed though. The proposal was "I don't need this, it annoys me, let's drop it".

> But I wonder, if that were a policy, would vboot have
> such implementations? I'm sure they weren't the first. Maybe there
> were even concerns about external code?
Suitable license (rules out everything GNU for GPL3+, OpenSSL + offspring for their advertising clause or tomcrypt for not having a license), somewhat recently maintained (rules out libtomcrypt and SPARK crypto), suitable for embedded purposes (rules out Java implementations). Exactly the issues coreboot would face when selecting an implementation to copy. Just that by the time coreboot had to consider hashing data, vboot existed, it ticked the right boxes, and some people with overlap to coreboot were familiar with it.


Patrick