Shelley Chen has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46434 )
Change subject: mrc_cache: Add TPM Hash verification ......................................................................
Patch Set 8:
(3 comments)
https://review.coreboot.org/c/coreboot/+/46434/2/src/drivers/mrc_cache/mrc_c... File src/drivers/mrc_cache/mrc_cache.c:
https://review.coreboot.org/c/coreboot/+/46434/2/src/drivers/mrc_cache/mrc_c... PS2, Line 189: // NOTE: we need to create the hash from both data and metadata values
But... you aren't here? ;) Unless I'm missing something. […]
Done. Sorry, the note was a todo for me, but yes, just hashing the data makes things much simpler.
https://review.coreboot.org/c/coreboot/+/46434/2/src/security/vboot/mrc_cach... File src/security/vboot/mrc_cache_hash_tpm.c:
https://review.coreboot.org/c/coreboot/+/46434/2/src/security/vboot/mrc_cach... PS2, Line 59: if (antirollback_lock_space_hash(hash_idx)) {
This shouldn't be done on updating, because updating doesn't happen on every boot. […]
Ack. Removing this block of code as Julius said, it'll get locked when jumping to kernel anyway.
https://review.coreboot.org/c/coreboot/+/46434/5/src/security/vboot/mrc_cach... File src/security/vboot/mrc_cache_hash_tpm.c:
https://review.coreboot.org/c/coreboot/+/46434/5/src/security/vboot/mrc_cach... PS5, Line 58: /* Lock TPM space */
Why is this the correct place to lock the space? Shouldn't that be a separate policy for when we sho […]
Removed locking of TPM as Julius said that it'll get locked when jumping to depthcharge.