Attention is currently required from: Miriam Polzer, Andrey Pronin, Yu-Ping Wu. Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59097 )
Change subject: security/vboot: Add NVRAM counter for TPM 2.0 ......................................................................
Patch Set 6:
(4 comments)
Patchset:
PS6:
LGTM now but it would be good if Andrey also takes a look.
Done
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/59097/comment/b4ce648b_143044eb PS3, Line 150: .TPMA_NV_NO_DA = 1,
you can still fail auth, but trying to authenticate with an owner auth, or passing some random passw […]
Ack
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/59097/comment/ec905773_10519d34 PS6, Line 120: TPMA_NV_WRITE_STCLEAR
probably doesn't hurt, but needs a bit of analysis. […]
Well if an attacker takes control in the middle of a rollback before the counter is incremented, we have bigger problems anyway.
https://review.coreboot.org/c/coreboot/+/59097/comment/621b0bb4_a57f1f5f PS6, Line 385: enterprise_rollback_create_counter
ok, if this is per design, works for me.
Ack