Attention is currently required from: Andrey Pronin, Julius Werner, Yu-Ping Wu. Miriam Polzer has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59097 )

Change subject: security/vboot: Add NVRAM counter for TPM 2.0 ......................................................................

Patch Set 3:

(3 comments)

Patchset:

PS3: Thanks for the guidance, I'll try to test it on Monday when I'm at the office and can pick up a servo to disable write protection for another device.

File src/security/vboot/secdata_tpm.c:

https://review.coreboot.org/c/coreboot/+/59097/comment/ef459248_67ad5df2 PS3, Line 150: .TPMA_NV_NO_DA = 1,

Actually, now that I'm comparing this more with the ZTE counter space I'm also wondering why it has […]

NV_BITS makes it a bit index which is bit different from a counter.

Not sure why we would need NO_DA, as authorization can't really fail anyways. Out of curiousity, why is it needed for ZTE?

https://review.coreboot.org/c/coreboot/+/59097/comment/54232933_b67e0f8a PS3, Line 438: NULL, 0)

Soo... actually, wait a second. […]

I think recreating the counter wont help an attacker, it will start again at a higher ot the same value.

From the specification: "When an NV counter is created, the TPM shall initialize the 8-octet counter value with a number that is greater than any count value for any NV counter on the TPM since the time of TPM manufacture."

Or am I overlooking something here?