Open letter to coreboot leadership
I have spent some time helping to sort out some fundamentals in the tree to bring up the new amd/picasso platforms. During the reviews I found some proceedings there somewhat alarming, so I am hoping for coreboot leadership and the trademark holder to make some clear statements on the topic.
Now, I may know a bit more than I can write here in public; I try to refrain from disclosing information received in private emails and stick with the information that can be found in gerrit review commits. In short: it appears it has been decided verstage will run on PSP instead of x86 cores.
So which of the following approaches do You find acceptable:
a) Platform shall use proprietary ARM TrustZone instead of vboot for any cryptography and measurements of firmware. This may be the AMD endorsed way of doing things.
b) Platform shall use vboot, built and signed internally at AMD, for the Security Processor (aka PSP), using their choice of proprietary tools. While GPL compliance may say build scripts are to be published in such a case (IANAL!!), that does not mean the compiler used is available for purchase on the open market.
c) Platform shall use vboot, built using an extended __and published__ coreboot toolchain. Built PSP vboot binary shall be reproducible and signed with OEM key. Community developers will not be able to run custom verstage builds, but are able to audit integrity of the source.
d) Platform shall use vboot, built using an extended __and published__ coreboot toolchain. Built PSP vboot binary should be reproducible. Community developers are able to run custom verstage builds, but the state of PSP/TPM/etc may reveal to the OS that sections of the firmware do not originate from the OEM, as detected by the lack of signing or the use of an insecure key published for experimental use only. User experience or DRM might suffer.
e) Platform shall use vboot, built using an extended __and published__ coreboot toolchain. Developers can run whatever they want on PSP, without the OS ever noticing it.
f) Something else in between the presented choices or outside of them?
Regards, Kyösti Mälkki