Attention is currently required from: Joel Kitching, Aaron Durbin. Andrey Pronin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/52919 )
Change subject: vboot/secdata_tpm: Create FWMP space in coreboot ......................................................................
Patch Set 7: Code-Review+1
(3 comments)
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/52919/comment/2e1fc2fb_75f6dfb6 PS1, Line 237: .TPMA_NV_OWNERWRITE = 1,
Done
as discussed on the doc, f/w can already modify this space by undefining and re-defining. so, PPWRITE doesn't add a new capability for it, so ok to have it. if we wanted to prevent f/w and recovery mode from modifying FWMP, we'd also need an unsatisfiable POLICY_DELETE
https://review.coreboot.org/c/coreboot/+/52919/comment/a7d713c7_f8d52aee PS1, Line 420: /* : * Set initial values of secdata_firmware space. : * kernel space is created in _factory_initialize_tpm(). : */ : vb2api_secdata_firmware_create(ctx);
No, shouldn't be. I think this was just put here to minimize duplication between TPM1/TPM2 parts.
to have some defaults if tlcl_self_test_full() or _factory_initialize_tpm() fail?
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/52919/comment/dcc62bdc_7988eea9 PS7, Line 13: <security/tpm/tss/tcg-2.0/tss_structures.h> curious: how did it work before this? we were already pulling TPMA_NV_* from somewhere... the only new thing added here is TPMA_NV_OWNERWRITE, other TPMA_NV_* were already present in the code
-
Andrey Pronin (Code Review)