Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36027 )
Change subject: nb/intel/nehalem: Add a VBOOT TPM init workaround
Patch Set 5:
Patch Set 5: Code-Review-1
This is really undermining basic assumptions in vboot (e.g. that the firmware TPM NVRAM space is always writable during firmware verification), so I would rather not go in this direction, even behind a Kconfig. One of the vboot platform requirements is that the platform can reset itself, including the TPM. If a platform can't do that, then it can't fully run vboot (it should set MOCK_SECDATA instead).
Setting MOCK_SECDATA is currently not an option with TPM enabled as even with MOCK_SECDATA a different path will be taken on TPM init failure. A new Kconfig option NO_TPM_IN_VBOOT could be added to work around it maybe?
This is just a way to skip the init the second time VBOOT runs after the soft reset as the init command returns failure if already initialized. Another way to work around this issue is to only run verstage after the reset and therefore running the RO romstage (partially) before reset.
The last option is to use VBOOT_STARTS_IN_ROMSTAGE, but that's my least preferred option as being able to update the romstage, even if compatibility is at stake with the option described above, is a big plus.
Can you explain more about why/when this reset is needed? Why can't you just reset the whole board (including TPM) in that case instead?
I don't have any useful documentation for this hardware in this regard and the raminit has been reverse engineered, with close to no useful comments. From what I can tell it needs to program some (PLL or other?) settings that only get updated/work after a special reset command that only resets the CPU. Using other reset types doesn't seem to do the trick and also resets those needed settings. Not issuing that reset also results in raminit failures. I doubt it is possible to work around it.