We actually have two options here:
* When VBOOT_STARTS_IN_ROMSTAGE is enabled, disallow USE_RECOVERY_MRC_CACHE.
  AFAIK this would regenerate the recovery MRC training data on each recovery mode boot.
  Pro: slow. Con: safe.
* When VBOOT_STARTS_IN_ROMSTAGE is enabled, disallow FSP2_0_USES_TPM_MRC_HASH.
  This would use the recovery MRC cache as normal, without the save-hash-in-TPM functionality.
  Pro: fast. Con: less safe.
2 comments:
TPM will be initialized whenever verstage is executed, depending on how the device is configured
Correct. Even without any change, currently, it would do the memory retraining in recovery mode. […]
OK, let's just disable the combination of Kconfig options as suggested.
File src/security/vboot/secdata_tpm.c:
Patch Set #3, Line 453: CONFIG(VBOOT_STARTS_IN_ROMSTAGE))
I wouldn't recommend killing the support which is used by multiple platforms btw
I think we still need to consider killing VBOOT_STARTS_IN_ROMSTAGE. It causes many edge cases that are a hassle to handle, given that this option is not used for any of our modern boards.
To view, visit change 31837.