Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/46511 )
Change subject: security/vboot: Add new TPM NVRAM index MRC_RW_HASH_NV_INDEX ......................................................................
Patch Set 8:
(1 comment)
https://review.coreboot.org/c/coreboot/+/46511/8/src/security/vboot/secdata_... File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/46511/8/src/security/vboot/secdata_... PS8, Line 194: RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data)); First of all, this still says REC_HASH.
Second, I'm not sure this is really necessary. The space gets automatically created on first use anyway. The reason we still do this here for the recovery space, I think, is to make sure the space is created at some point (with the right permissions) so no attacker gets a chance to create the same space with weaker permissions before we ever did. But for normal mode, I don't think that's a concern (we're not sure when the device will first boot in recovery mode, that might be a long time after shipping, but we can be sure it was booted at least once in normal mode before anything bad could happen).