Change in coreboot[master]: security/vboot: Add NVRAM counter for TPM 2.0 - coreboot-gerrit

17 Nov 2021


      Attention is currently required from: Andrey Pronin, Yu-Ping Wu.
Miriam Polzer has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59097 )
Change subject: security/vboot: Add NVRAM counter for TPM 2.0
......................................................................
Patch Set 6:
(2 comments)
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/59097/comment/772dff53_277c3451 
PS6, Line 120: TPMA_NV_WRITE_STCLEAR
...
do we need the ability to WriteLock until reboot?
No I didn't have this initially. Julius suggested to add it in case we need it at some later point.
https://review.coreboot.org/c/coreboot/+/59097/comment/55b15735_c7d3ade3 
PS6, Line 385: enterprise_rollback_create_counter
...
adding it here only creates the counter on new devices, which didn't pass factory_initialize yet (ha […]
Yes, I was told that on ToT we should have firmware clean for new devices and if/when we merge this back, we can think about creating the counter for existing devices as well.
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/59097
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I511dba3b3461713ce20fb2bda9fced0fee6517e1
Gerrit-Change-Number: 59097
Gerrit-PatchSet: 6
Gerrit-Owner: Miriam Polzer mpolzer@google.com
Gerrit-Reviewer: Andrey Pronin apronin@chromium.org
Gerrit-Reviewer: Julius Werner jwerner@chromium.org
Gerrit-Reviewer: Yu-Ping Wu yupingso@google.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-Attention: Andrey Pronin apronin@chromium.org
Gerrit-Attention: Yu-Ping Wu yupingso@google.com
Gerrit-Comment-Date: Wed, 17 Nov 2021 06:21:16 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Andrey Pronin apronin@chromium.org
Gerrit-MessageType: comment