Attention is currently required from: Tim Crawford, Christian Walter, Julius Werner.
Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/74138 )
Change subject: security/tpm: Handle S3 resume logging ......................................................................
Patch Set 1:
(1 comment)
Commit Message:
https://review.coreboot.org/c/coreboot/+/74138/comment/28889636_b3813185 PS1, Line 10: are reset, so the eventlog needs to be reset too.
Uhh... they really shouldn't be. The TPM is supposed to save state (including PCRs) when going into S3 and restore that state on resume. That's what the s3resume argument to tpm_setup() is for.
If this doesn't work on your board it's probably a problem with that board that needs to be fixed. I know that it works on our Chromebooks, at least. (I'm not entirely sure who sends the TPM2_Shutdown(STATE) command in that case, whether that comes from some SMM handler or the kernel. If it's the kernel maybe there's some extra driver setting you need to enable to get that to work...)
I see. Could it be that on S3 resume the SRTM should not measure components on the S3 resume path? Or how should the eventlog / measuring be handled on S3 resume?
"This transition is a resume from an S3 suspend state. Host Platform Reset and TPM_INIT are asserted. The SRTM issues the TPM2_Startup(STATE) command, loading the previously saved state, without re-measuring Pre-OS components. The SRTM passes control to the OS. If there are any changes to the Host Platform’s components or configuration, measuring these changes is the responsibility of the OS."
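Added example, not coreboot code and not part of this review: a small C model of the TPM2 Startup/Shutdown state handling the thread is about, with an SRTM setup routine that follows the quoted TCG text (Startup(STATE) on S3 resume, no re-measurement, event log left alone) and a clean boot path beside it. All type and function names are invented for the example, the 32-bit PCRs and the hash are toys, the 0x1111 digest is a constructed sample, and treating a failed Startup(STATE) as a clean boot is this example's policy, not necessarily coreboot's. The second scenario is the failure mode raised above: if nothing issued TPM2_Shutdown(STATE) before S3, the TPM answers Startup(STATE) with TPM_RC_VALUE and the PCRs cannot be restored, which is a board problem rather than a reason to reset the log.

```c
/* Added example, not coreboot code: a toy model of TPM2 Startup/Shutdown state
 * handling and an SRTM setup routine that follows the quoted TCG text on S3
 * resume. All names are invented; 32-bit PCRs and a toy hash keep it readable. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NUM_PCRS 4

enum startup_type  { STARTUP_CLEAR, STARTUP_STATE };
enum shutdown_type { SHUTDOWN_CLEAR, SHUTDOWN_STATE };
enum tpm_rc { RC_SUCCESS = 0x000, RC_VALUE = 0x184 }; /* TPM_RC_VALUE, TPM 2.0 Part 2 */
enum setup_result { SETUP_CLEAN_BOOT, SETUP_RESUMED, SETUP_RESUME_FALLBACK };

struct tpm_model {
	uint32_t pcr[NUM_PCRS];       /* live (volatile) PCR values */
	uint32_t saved_pcr[NUM_PCRS]; /* copy written by TPM2_Shutdown(STATE) */
	bool state_saved;             /* last shutdown was Shutdown(STATE) */
};

struct eventlog { size_t count; uint32_t digests[8]; };

/* PCR extend, pcr = H(pcr || digest); the multiply/xor stands in for SHA-256. */
static void tpm2_pcr_extend(struct tpm_model *t, unsigned idx, uint32_t digest)
{
	t->pcr[idx] = (t->pcr[idx] * 31u) ^ (digest + 0x9e3779b9u);
}

/* TPM2_Shutdown: only STATE preserves PCRs across the S3 power cycle. */
static void tpm2_shutdown(struct tpm_model *t, enum shutdown_type ty)
{
	t->state_saved = (ty == SHUTDOWN_STATE);
	if (t->state_saved)
		memcpy(t->saved_pcr, t->pcr, sizeof t->pcr);
}

/* TPM_INIT is asserted on S3 resume: volatile PCRs are lost, saved state is not. */
static void tpm_init(struct tpm_model *t)
{
	memset(t->pcr, 0, sizeof t->pcr);
}

/* TPM2_Startup(STATE) is only valid after Shutdown(STATE); otherwise TPM_RC_VALUE. */
static enum tpm_rc tpm2_startup(struct tpm_model *t, enum startup_type ty)
{
	if (ty == STARTUP_STATE) {
		if (!t->state_saved)
			return RC_VALUE;
		memcpy(t->pcr, t->saved_pcr, sizeof t->pcr);
	} else {
		memset(t->pcr, 0, sizeof t->pcr);
	}
	t->state_saved = false; /* saved state is consumed by Startup */
	return RC_SUCCESS;
}

/* S3 resume: Startup(STATE), keep the event log, measure nothing. Normal boot:
 * Startup(CLEAR), reset the log, measure. Falling back to a clean start when the
 * saved state is missing is this example's policy (assumption), not coreboot's. */
static enum setup_result srtm_setup(struct tpm_model *t, struct eventlog *log,
				    bool s3resume, uint32_t pre_os_digest)
{
	enum setup_result res = SETUP_CLEAN_BOOT;
	if (s3resume) {
		if (tpm2_startup(t, STARTUP_STATE) == RC_SUCCESS)
			return SETUP_RESUMED;
		res = SETUP_RESUME_FALLBACK;
	}
	tpm2_startup(t, STARTUP_CLEAR);
	log->count = 0;
	tpm2_pcr_extend(t, 0, pre_os_digest);
	log->digests[log->count++] = pre_os_digest;
	return res;
}

/* Boot, Shutdown(STATE) before S3, resume: PCR0 and the log survive unchanged. */
static bool scenario_good_resume(void)
{
	struct tpm_model t = {0};
	struct eventlog log = {0};
	srtm_setup(&t, &log, false, 0x1111); /* 0x1111: constructed sample digest */
	uint32_t pcr0 = t.pcr[0];
	tpm2_shutdown(&t, SHUTDOWN_STATE); /* sent by the OS or an SMM handler */
	tpm_init(&t);
	return srtm_setup(&t, &log, true, 0x1111) == SETUP_RESUMED &&
	       t.pcr[0] == pcr0 && log.count == 1;
}

/* Nobody sent Shutdown(STATE): Startup(STATE) fails and PCRs cannot be restored. */
static bool scenario_missing_shutdown(void)
{
	struct tpm_model t = {0};
	struct eventlog log = {0};
	srtm_setup(&t, &log, false, 0x1111);
	tpm_init(&t); /* S3 entered without any TPM2_Shutdown */
	return srtm_setup(&t, &log, true, 0x1111) == SETUP_RESUME_FALLBACK;
}
```

The point of the split between tpm2_shutdown and srtm_setup is the one made in the thread: the firmware's resume path only works if some other party (kernel or SMM) issued Shutdown(STATE) before the platform entered S3, so a board where resume "resets" the PCRs should be debugged on that side rather than by clearing the event log.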