Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46772 )
Change subject: security/vboot: fix policy digest for nvmem spaces
Patch Set 3:
(2 comments)
Thanks!
https://review.coreboot.org/c/coreboot/+/46772/3/src/security/vboot/secdata_...
File src/security/vboot/secdata_tpm.c:

https://review.coreboot.org/c/coreboot/+/46772/3/src/security/vboot/secdata_...
PS3, Line 111: #if CONFIG(CHROMEOS)
You don't need to add this, just update the code with the new version. Recovery mode is a general vboot concept and the digests used are the same with and without CONFIG(CHROMEOS). If anyone ever has a need to use a different policy here we can add a new Kconfig for that later, but for now we should reflect the policy that was originally intended here (and that's still used by the TPM1 code), which is to allow deleting this space in any flavor of recovery mode. (This is also consistent with the fact that we don't lock the spaces in recovery mode and don't disable platform hierarchy, regardless of whether CONFIG(CHROMEOS) is enabled or not.)

https://review.coreboot.org/c/coreboot/+/46772/3/src/security/vboot/secdata_...
PS3, Line 118: * 1) all zeros = initial, unextended state,
nit: Just to make things easier to reconstruct for people maybe also write each result digest here (because those are the inputs you need for trunks_client and presumably most similar tools)?