Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/51923 )
Change subject: security/tpm: Add option to init TPM in bootblock
......................................................................
Patch Set 7:
(1 comment)
File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/c/coreboot/+/51923/comment/caf2f535_7a61d885
PS7, Line 187: && !CONFIG(TPM_MEASURED_BOOT_INIT_BOOTBLOCK)
Actually, is it a good idea to put that here? Most of the time when INIT_BOOTBLOCK is selected, the cache should be empty here anyway, so this is a no-op. But when it's not empty that means the bootblock loaded some other file before it got to the TPM init part (which is possible, for example, if hooks like bootblock_soc_init() load something). In that case, wouldn't you also want that measured? Otherwise the TCPA log doesn't match the PCR anymore.
Good call indeed. Thanks, I'll fix it
--
To view, visit
https://review.coreboot.org/c/coreboot/+/51923
To unsubscribe, or for help writing mail filters, visit
https://review.coreboot.org/settings
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ifacba5d9ab19b47968b4f2ed5731ded4aac55022
Gerrit-Change-Number: 51923
Gerrit-PatchSet: 7
Gerrit-Owner: Arthur Heymans
arthur@aheymans.xyz
Gerrit-Reviewer: Angel Pons
th3fanbus@gmail.com
Gerrit-Reviewer: Arthur Heymans
arthur@aheymans.xyz
Gerrit-Reviewer: Christian Walter
christian.walter@9elements.com
Gerrit-Reviewer: Julius Werner
jwerner@chromium.org
Gerrit-Reviewer: Martin Roth
martinroth@google.com
Gerrit-Reviewer: Patrick Georgi
pgeorgi@google.com
Gerrit-Reviewer: Philipp Deppenwiese
zaolin.daisuki@gmail.com
Gerrit-Reviewer: build bot (Jenkins)
no-reply@coreboot.org
Gerrit-CC: 9elements QA
hardwaretestrobot@gmail.com
Gerrit-CC: Paul Menzel
paulepanter@mailbox.org
Gerrit-Comment-Date: Thu, 20 May 2021 07:08:07 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Julius Werner
jwerner@chromium.org
Gerrit-MessageType: comment
Arthur Heymans (Code Review)