Attention is currently required from: Christian Walter, Filip Lewiński, Michał Żygowski.
Julius Werner has posted comments on this change by Filip Lewiński. ( https://review.coreboot.org/c/coreboot/+/82695?usp=email )
Change subject: security/intel/txt: Handle TPM properly when vboot enabled
Patch Set 4:
(1 comment)
Patchset:
PS4:
> and then in ramstage again
It's not run in ramstage for vboot, though. `drivers/tpm/tpm.c` (somewhat badly named, it should really be `tpm_init_in_ramstage.c`) is only linked in for `CONFIG_TPM_INIT_RAMSTAGE`, which depends on `!VBOOT`.
I don't think any approach that runs `tpm_setup()` twice is a good idea. I think the best solution here is probably to just guard the `tpm_setup()` call in `vboot_setup_tpm()` with `if (!CONFIG(TPM_MEASURED_IN_BOOTBLOCK))`. That means you'll not quite get the right TPM setup error when TPM communication failed, but vboot should still go into recovery on account of not being able to read secdata so it probably doesn't make too much of a difference.
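A stand-alone model of the stage gating discussed in this comment, added here as an example and not code from coreboot or from this change: the `bootblock`/`verstage`/`ramstage` functions, `struct kconfig` and the `guard` flag are constructed to show that the proposed `if (!CONFIG(TPM_MEASURED_IN_BOOTBLOCK))` guard keeps `tpm_setup()` to a single call per boot, whereas the unguarded vboot path runs it twice when the TPM is already measured in bootblock.

```c
#include <stdbool.h>
/* Modelled Kconfig symbols for one build (names as in the review). */
struct kconfig {
	bool vboot;                  /* CONFIG_VBOOT */
	bool measured_in_bootblock;  /* CONFIG_TPM_MEASURED_IN_BOOTBLOCK */
	bool guard_vboot_setup;      /* apply the guard proposed in the review */
};

static int tpm_setup_calls;  /* how often tpm_setup() ran in this boot */
static void tpm_setup(void) { tpm_setup_calls++; }

/* bootblock: measured boot brings the TPM up here when configured. */
static void bootblock(const struct kconfig *c)
{
	if (c->measured_in_bootblock)
		tpm_setup();
}

/* verstage: vboot_setup_tpm(), with or without the proposed
 * if (!CONFIG(TPM_MEASURED_IN_BOOTBLOCK)) guard around tpm_setup(). */
static void vboot_setup_tpm(const struct kconfig *c)
{
	if (!c->guard_vboot_setup || !c->measured_in_bootblock)
		tpm_setup();
}

static void verstage(const struct kconfig *c)
{
	if (c->vboot)
		vboot_setup_tpm(c);
}

/* ramstage: drivers/tpm/tpm.c is only linked for TPM_INIT_RAMSTAGE, which
 * depends on !VBOOT; modelled here as enabled whenever VBOOT is off. */
static void ramstage(const struct kconfig *c)
{
	if (!c->vboot)  /* TPM_INIT_RAMSTAGE */
		tpm_setup();
}

/* Run one modelled boot and return the number of tpm_setup() calls. */
int tpm_setup_count(bool vboot, bool measured_in_bootblock, bool guard)
{
	struct kconfig c = { vboot, measured_in_bootblock, guard };
	tpm_setup_calls = 0;
	bootblock(&c);
	verstage(&c);
	ramstage(&c);
	return tpm_setup_calls;
}
```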