Attention is currently required from: Andrey Pronin, Christian Walter, Julius Werner, Paul Menzel, Yi Chou, Yu-Ping Wu.

Hello Andrey Pronin, Christian Walter, Julius Werner, Yu-Ping Wu, build bot (Jenkins),

I'd like you to reexamine a change. Please visit

https://review.coreboot.org/c/coreboot/+/79437?usp=email

to look at the new patch set (#7).

Change subject: vboot: Add firmware PCR support ......................................................................

vboot: Add firmware PCR support

To verify the boot chain, we will need to extend the PCR with the firmware version. And the server will be able to attest the firmware version of devices.

The "firmware version" here is the RW firmware anti-rollback version, determined by the ChromeOS's signing infra, and will be verified in vb2api_fw_phase3, by comparing it with the version stored in the TPM. This version will be increased when there is critical vulnerability in the RW firmware.

According to [1], PCRs 8-15 usage is defined by Static OS. Therefore PCR_FW_VER is chosen to be within that range. Ideally the existing PCR_BOOT_MODE and PCR_HWID should also be allocated in the same range, but unfortunately it's too late to fix them. Because PCRs 11 and 13 have been used for other purposes in ChromeOS, here PCR_FW_VER is set to 10.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_...

BUG=b:248610274 TEST=Boot the device, and check the PCR 10 BRANCH=none

Signed-off-by: Yi Chou yich@google.com Change-Id: I601ad31e8c893a8e9ae1a9cdd27193edce10ec61 --- M src/security/tpm/Kconfig M src/security/vboot/tpm_common.c M src/security/vboot/vboot_logic.c 3 files changed, 13 insertions(+), 2 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/37/79437/7