On 08.08.2019 08:28, Persmule wrote: > Hi Michal, > > > > On Wednesday, August 7, 2019 10:06 AM, Michal Zygowski > <michal.zygow...@3mdeb.com> wrote: > >> Here is an >> example:https://github.com/coreboot/coreboot/blob/master/src/mainboard/lenovo/x220/vboot-rwa.fmd >> >> >> Vboot is responsible for firmware verification (checks firmware >> signature blocks). The TPM measurements are only an extension to >> Vboot logic adopted in coreboot. In order to have verified boot, at >> least one RW partition must exists. > > Is it possible to omit RW sections completely, letting vboot always > boot into "system recovery" (in the RO section) which is actually used > for normal boot? > (I believe that stages and payloads in the RO section will be measured > too when booting into "system recovery". Please correct me if I am wrong.) Yes, if you are interested entirely in measured boot mode only, the RO section is sufficient. > >> for Measured boot, only single CBFS is fine. to support verified and >> measured boot, one RW partition is sufficient. The example linked >> above has the minimal fmap layout for verified and measured boot for >> Lenovo x220. SMMSTORE is optional as well as RW_VPD and RO_VPD >> (depends on use case). SI_GBE region is mandatory for vPRO platforms >> to support Gigabit Ethernet, SI_ME and SI_DESC are Intel ME and Flash >> descriptor regions, also mandatory. > > Besides, at least how many bytes should be retained for the GBB section? The GBB is much greater since ChromeOS recovery bitmaps resides there. For non-ChromeOS devices (like many Lenovo laptops implement in coreboot) I saw min 120KiB (0x1e000). Should be sufficient. Example fmap description of flash with RO section: https://github.com/coreboot/coreboot/blob/master/src/mainboard/ocp/wedge100s/vboot-ro.fmd (probably you would like to adjust some offsets and sizes) > > > _______________________________________________ > coreboot mailing list -- coreboot@coreboot.org > To unsubscribe send an email to coreboot-le...@coreboot.org
-- Michał Żygowski Firmware Engineer http://3mdeb.com | @3mdeb_com
_______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-le...@coreboot.org