Attention is currently required from: Michał Żygowski, Maciej Pijanowski, Christian Walter, Krystian Hebel, Yu-Ping Wu, Sergii Dmytruk.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/68750 )
Change subject: security/tpm: make use of PCRs configurable via Kconfig
Patch Set 4:
(2 comments)
File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/68750/comment/5e8cab53_e7b7eb3d
PS4, Line 171: NEED_VBOOT_COMPATIBILITY
As mentioned in the earlier patch I don't think we need the NEED_VBOOT_COMPATIBILITY option (and I think it's generally just a bad, unspecific name for an option). I'd recommend just using CHROMEOS here.

https://review.coreboot.org/c/coreboot/+/68750/comment/83e50aa9_06d66d88
PS4, Line 172: default 1
So then boot mode and HWID are overlapping? That's probably not a good idea either...
Why not just move both of these far out of the way (aren't there PCRs that are explicitly reserved for non-standard use, like 11 or 12 or something like that?)? I think it would be better if we just find one new spot for both of them now where they can stay long term rather than risk having to move them again later (isn't PCR1 also standardized for something?).