Dear coreboot community,

as some of you may have heard from the OSFC already, there are plans at Intel to restructure the way FSP is executed [1]. The main goal is to switch to an operation mode where only Intel signed FSP binaries can be executed. This comes, according to the current plans, with an architectural change that will affect coreboot's execution flow. In this proposed, changed execution flow, a new FSP component will be loaded at the reset vector and do the verification of the following FSP components like FSP-T, FSP-M and FSP-S. Then, the execution flow will continue in FSP and calls to coreboot code shall happen. In this new flow, no self-built FSP binaries can be executed anymore as they are not signed by Intel.

I want to start a discussion with the community and Intel to see if we can come up with something better than this approach which will not heavily change the coreboot architecture but nevertheless provide a level of confidentiality for Intel's FSP blobs. You all are warmly welcome to participate in this discussion. Feel free to forward this invitation to anyone who might be interested.

The call is planned for December 3rd at 7 pm CET and will be hosted on Google Meet [2]. Feel free to join and let's have a constructive discussion.

Werner

[1] https://www.osfc.io/2025/talks/intel-r-signed-fsp-and-verified-boot/
[2] https://meet.google.com/kgh-nquh-usm

