Christian Walter has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/34510 )
Change subject: security/vboot: Add Support for Intel PTT
Patch Set 12:
(2 comments)
Patch Set 6: Code-Review-1
VBOOT_MOCK_SECDATA is actually used if you want to do VBOOT without a TPM. We just stub every function (except the NVRAM read) and go with it. When Intel PTT is used, we do not have access to NVRAM, but we can e.g. extend PCRs. So we can do a verified and measured boot with PTT, if we do not use the NVRAM for antirollback. So in my opinion it's a different functionality and should not be merged with VBOOT_MOCK_SECDATA.
Well, in that case we'll need to add clean new options to model this difference, though. I don't want if (TPM_VENDOR_DETAILS) splattered all over vboot code. "secdata" specifically refers to NVRAM spaces, so keeping that name for things that ignore NVRAM spaces makes sense. We only used it to guard some other things because we never had a case where those things were available but NVRAM is not. Maybe it's as simple as switching those to check (CONFIG(TPM1) || CONFIG(TPM2)) instead? (It would probably be a good idea to split the non-secdata TPM stuff into a separate file, then.)
So I merged it into secdata_mock
https://review.coreboot.org/c/coreboot/+/34510/12/src/security/vboot/Kconfig File src/security/vboot/Kconfig:
https://review.coreboot.org/c/coreboot/+/34510/12/src/security/vboot/Kconfig... PS12, Line 22: select VBOOT_MOCK_SECDATA if HAVE_INTEL_PTT
Can we move this select (and the comment below) in the INTEL_PTT Kconfig instead? (Or if you want to […]
Ack
https://review.coreboot.org/c/coreboot/+/34510/12/src/security/vboot/secdata... File src/security/vboot/secdata_mock.c:
https://review.coreboot.org/c/coreboot/+/34510/12/src/security/vboot/secdata... PS12, Line 72: #if CONFIG(TPM2)
Please don't just hack this in here, make it clean. […]
Ack