Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/30811 )
Change subject: lib/prog_loaders.c: Add prog_locate_hook() for measured and verified boot.
Patch Set 1:
(1 comment)
https://review.coreboot.org/#/c/30811/1//COMMIT_MSG Commit Message:
https://review.coreboot.org/#/c/30811/1//COMMIT_MSG@9 PS1, Line 9: Before
It seems odd to do it before loading, is there any reason to? […]
Since x86 images are executed in place I'm pretty sure there's no way to avoid TOCTOU there (unless you know some details about how the SPI controller caches memory-mapped accesses that can be used to guarantee that).
For other architectures, this would be possible if you measure the stage after it was loaded into memory, but I think Philipp was trying to avoid that to avoid the disparity of measuring pre-verification stages as they are stored in CBFS and post-verification stages as they appear in memory (see my comment in https://review.coreboot.org/c/coreboot/+/29547/36/src/security/vboot/vboot_c...).
Also, any attacker that has the ability of manipulating the data returned from the SPI ROM on the fly most likely also has the ability to take complete control of the boot process and put any hashes they want into the TPM, so whether protecting against TOCTOU really has a value here may be doubtful. (Then again, that argument could be brought against measuring firmware in the TPM as a whole too, I guess, which is why I never really understood the point of the whole concept. ;) )
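The ordering question in the comment above, as an added example that is not part of the original comment or of coreboot: a constructed boot medium returns different bytes on a second read, and the two orderings (measure from the medium then load, versus load then measure the in-memory copy) are compared. All names are hypothetical, and FNV-1a is only a short stand-in for the hash that would be extended into the TPM.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample stage images (not real firmware). */
static const uint8_t GOOD[8]    = { 'S','T','A','G','E','-','O','K' };
static const uint8_t ALTERED[8] = { 'S','T','A','G','E','-','O','X' };

/* Hypothetical boot medium that may return different bytes on a later read. */
struct medium { const uint8_t *first, *later; unsigned reads; };
static void medium_read(struct medium *m, uint8_t *dst, size_t len)
{
    memcpy(dst, m->reads++ == 0 ? m->first : m->later, len);
}

/* FNV-1a: short stand-in (assumption) for the hash extended into the TPM. */
static uint32_t digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Measure straight from the medium, then load: two independent reads. */
static uint32_t measure_then_load(struct medium *m, uint8_t *ram, size_t len)
{
    uint8_t scratch[sizeof(GOOD)];   /* caller keeps len <= sizeof(GOOD) */
    medium_read(m, scratch, len);
    uint32_t measured = digest(scratch, len);
    medium_read(m, ram, len);
    return measured;
}

/* Load once, then measure the in-memory copy that will be executed. */
static uint32_t load_then_measure(struct medium *m, uint8_t *ram, size_t len)
{
    medium_read(m, ram, len);
    return digest(ram, len);
}

/* Returns 1 if the recorded measurement describes the bytes left in RAM. */
int measurement_matches_ram(int load_first, int medium_changes)
{
    struct medium m = { GOOD, medium_changes ? ALTERED : GOOD, 0 };
    uint8_t ram[sizeof(GOOD)];
    uint32_t measured = load_first ? load_then_measure(&m, ram, sizeof(ram))
                                   : measure_then_load(&m, ram, sizeof(ram));
    return measured == digest(ram, sizeof(ram));
}

int main(void) { return measurement_matches_ram(1, 1) ? 0 : 1; }
```

An execute-in-place stage has no RAM copy to hash, so only the first ordering is available to it: every instruction fetch is a further read of the medium.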