Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36027 )
Change subject: nb/intel/nehalem: Add a VBOOT TPM init workaround ......................................................................
Patch Set 5:
Setting MOCK_SECDATA is currently not an option with TPM enabled as even with MOCK_SECDATA a different path will be taken on TPM init failure. A new Kconfig option NO_TPM_IN_VBOOT could be added to work around it maybe?
Yes, maybe we should do that. In CB:34510 we just assumed that everyone who has TPM1 || TPM2 enabled in Kconfig would want the TPM initialization to happen in vboot. But maybe we should insert a separate VBOOT_USE_TPM option in-between to decouple that and allow platforms to override if necessary. (I assume just running completely without TPM support is not an option for your use case?)
This is just a way to skip the init the second time VBOOT runs after the soft reset as the init command returns failure if already initialized. Another way to work around this issue is to only run verstage after the reset and therefore running the RO romstage (partially) before reset.
This could be reasonable but do you have a clean way to do that? I don't think there's a way for platforms to override the vboot_locator that decides when to run vboot, and I don't think we'd want to add that either.
The last option is to use VBOOT_STARTS_IN_ROMSTAGE, but that's my least preferred option as being able to update the romstage, even if compatibility is at stake with the option described above, is a big plus.
I think this would honestly be one of the better options to solve this, sounds like that platform just doesn't work well with the early vboot model.
Another really hacky option might be to make sure vboot_platform_is_resuming() returns true for the second boot, and pretend it's an S3 resume. That's not any better than this patch, but at least it would contain those hacks within the platform.