Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/31597 )
Change subject: security/vboot: Add fmap measurements ......................................................................
Patch Set 11:
(2 comments)
https://review.coreboot.org/#/c/31597/11/src/security/vboot/vboot_crtm.c File src/security/vboot/vboot_crtm.c:
https://review.coreboot.org/#/c/31597/11/src/security/vboot/vboot_crtm.c@139
PS11, Line 139: fmap_locate_area_as_rdev("SI_ME", &fmap) == 0)
just wondering, does fmap_locate_area_as_rdev properly return non-zero when locked?
https://review.coreboot.org/#/c/31597/11/src/security/vboot/vboot_crtm.c@133
PS11, Line 133:
	/* IFD measurements (optional) */
	if (fmap_locate_area_as_rdev("SI_DESC", &fmap) == 0)
		if (tpm_measure_region(&fmap, TPM_CRTM_PCR,
				       "Intel Flash Descriptor") != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;

	if (fmap_locate_area_as_rdev("SI_ME", &fmap) == 0)
		if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR,
				       "Intel ME") != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;

	if (fmap_locate_area_as_rdev("SI_EC", &fmap) == 0)
		if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR,
				       "EC firmware") != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;

	if (fmap_locate_area_as_rdev("SI_GBE", &fmap) == 0)
		if (tpm_measure_region(&fmap, TPM_CRTM_PCR,
				       "Intel GbE") != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;

	if (fmap_locate_area_as_rdev("SI_PDR", &fmap) == 0)
		if (tpm_measure_region(&fmap, TPM_RUNTIME_DATA_PCR,
				       "Platform Data") != TPM_SUCCESS)
			return VB2_ERROR_UNKNOWN;
these are Intel specific. Is this the best location or would a soc_tpm_measure_region hook be a better idea?
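A Python model of the loop under review, added here as an example and not coreboot's own code: it builds a constructed flash image with a flashmap, looks up the region names from the snippet, and extends SHA-256 PCRs only for regions the FMAP actually contains, so an optional region that is absent (the non-zero return the first comment asks about) is skipped rather than measured. The PCR numbers, the region table kept as data that a SoC could swap, and the image layout are assumptions.

```python
import hashlib
import struct

TPM_CRTM_PCR, TPM_RUNTIME_DATA_PCR = 2, 3  # assumed stand-ins for coreboot's constants
# Same region/PCR/description triples as the reviewed snippet, kept as data.
INTEL_REGIONS = [("SI_DESC", TPM_CRTM_PCR, "Intel Flash Descriptor"),
                 ("SI_ME", TPM_RUNTIME_DATA_PCR, "Intel ME"),
                 ("SI_EC", TPM_RUNTIME_DATA_PCR, "EC firmware"),
                 ("SI_GBE", TPM_CRTM_PCR, "Intel GbE"),
                 ("SI_PDR", TPM_RUNTIME_DATA_PCR, "Platform Data")]
# flashmap layout: header "__FMAP__", ver_major, ver_minor, base, size, name[32], nareas; area: offset, size, name[32], flags
_HDR, _AREA = "<8sBBQI32sH", "<II32sH"

def build_image(regions, total=0x1000, fmap_off=0x800):
    """Constructed flash image: lay {name: bytes} out back to back and write an FMAP at fmap_off."""
    blob, entries, pos = bytearray(b"\xff" * total), [], 0
    for name, data in regions.items():
        blob[pos:pos + len(data)] = data
        entries.append((pos, len(data), name))
        pos += len(data)
    entries.append((fmap_off, 0x200, "FMAP"))
    table = struct.pack(_HDR, b"__FMAP__", 1, 1, 0, total, b"FLASH", len(entries))
    table += b"".join(struct.pack(_AREA, o, s, n.encode(), 0) for o, s, n in entries)
    blob[fmap_off:fmap_off + len(table)] = table
    return bytes(blob)

def parse_fmap(blob, fmap_off):
    """Return {name: (offset, size)} for the FMAP found at fmap_off."""
    sig, _, _, _, _, _, nareas = struct.unpack_from(_HDR, blob, fmap_off)
    if sig != b"__FMAP__":
        raise ValueError("bad FMAP signature")
    areas, pos = {}, fmap_off + struct.calcsize(_HDR)
    for _ in range(nareas):
        off, size, name, _ = struct.unpack_from(_AREA, blob, pos)
        areas[name.rstrip(b"\0").decode()] = (off, size)
        pos += struct.calcsize(_AREA)
    return areas

def measure_regions(blob, areas, table):
    """For each table entry the FMAP actually has, hash the region and extend its PCR
    (SHA-256 bank); absent optional regions are skipped, mirroring the `== 0` check."""
    pcrs, log = {}, []
    for region, pcr, desc in table:
        if region not in areas:          # models fmap_locate_area_as_rdev() != 0
            continue
        off, size = areas[region]
        digest = hashlib.sha256(blob[off:off + size]).digest()
        pcrs[pcr] = hashlib.sha256(pcrs.get(pcr, bytes(32)) + digest).digest()
        log.append((pcr, desc, digest.hex()))
    return pcrs, log
```

Running it on an image that carries only SI_DESC and SI_ME shows two log entries and that altering the ME bytes moves only the runtime-data PCR, leaving the CRTM PCR untouched.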