[M] Change in coreboot[main]: security/tpm: replace CONFIG(TPMx) checks with runtime check - coreboot-gerrit

21 Mar 2024


      Attention is currently required from: Christian Walter, Cliff Huang, Jan Samek, Jérémy Compostella, Krystian Hebel, Lance Zhao, Martin L Roth, Michał Żygowski, Sergii Dmytruk, Tim Wawrzynczak.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/69161?usp=email )
Change subject: security/tpm: replace CONFIG(TPMx) checks with runtime check
......................................................................
Patch Set 34:
(5 comments)
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/69161/comment/a853dc3b_d31f92ed :
PS34, Line 33: CONFIG(TPM1)
Here too
https://review.coreboot.org/c/coreboot/+/69161/comment/1c9cca67_4a5029ea :
PS34, Line 615: }
I think this would be cleaner as
```
tpm_result_t rc = tlcl_write(index, data, length);
if (tlcl_get_family() == TPM_1 && rc == TPM_MAXNVWRITES) {
  /* ...modified comment... */
  RETURN_ON_FAILURE(tpm_clear_and_reenable());
  rc = tlcl_write(index, data, length);
}
return rc;
```
https://review.coreboot.org/c/coreboot/+/69161/comment/706c4329_3bf3c369 :
PS34, Line 619: #if CONFIG(TPM1)
While you're rewriting all this, would you mind just separating the TPM version-specific stuff out into their own files (e.g. `secdata_tpm1.c` and `secdata_tpm2.c`, maybe with a `secdata_tpm_private.h` header for the internal shared macros and declarations)? If you do that and the `_factory_initialize_tpmX()` functions become non-static, you shouldn't need the `#if`s here anymore because references to the not configured versions should get compiled out.
https://review.coreboot.org/c/coreboot/+/69161/comment/930664ea_0e4f85bd :
PS34, Line 632: #if CONFIG(TPM1)
You shouldn't need these either, same reason.
File src/vendorcode/google/chromeos/cse_board_reset.c:
https://review.coreboot.org/c/coreboot/+/69161/comment/724c28f7_13564101 :
PS34, Line 25: 	 * probably get away with it.
There are many other places where we use `CONFIG(TPM_GOOGLE_...)` to mean that that version is the one actually used anyway. If the `CONFIG(TPM2)` here bothers you you can take it out, it's superfluous (already implied by CR50).
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/69161?usp=email
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: main
Gerrit-Change-Id: Id9cc25aad8d1d7bfad12b7a92059b1b3641bbfa9
Gerrit-Change-Number: 69161
Gerrit-PatchSet: 34
Gerrit-Owner: Sergii Dmytruk sergii.dmytruk@3mdeb.com
Gerrit-Reviewer: Christian Walter christian.walter@9elements.com
Gerrit-Reviewer: Cliff Huang cliff.huang@intel.com
Gerrit-Reviewer: Julius Werner jwerner@chromium.org
Gerrit-Reviewer: Jérémy Compostella jeremy.compostella@intel.com
Gerrit-Reviewer: Krystian Hebel krystian.hebel@3mdeb.com
Gerrit-Reviewer: Lance Zhao lance.zhao@gmail.com
Gerrit-Reviewer: Martin L Roth gaumless@gmail.com
Gerrit-Reviewer: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Reviewer: Tim Wawrzynczak inforichland@gmail.com
Gerrit-Reviewer: Yu-Ping Wu yupingso@google.com
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Jan Samek jan.samek@siemens.com
Gerrit-Attention: Lance Zhao lance.zhao@gmail.com
Gerrit-Attention: Cliff Huang cliff.huang@intel.com
Gerrit-Attention: Martin L Roth gaumless@gmail.com
Gerrit-Attention: Michał Żygowski michal.zygowski@3mdeb.com
Gerrit-Attention: Jérémy Compostella jeremy.compostella@intel.com
Gerrit-Attention: Christian Walter christian.walter@9elements.com
Gerrit-Attention: Tim Wawrzynczak inforichland@gmail.com
Gerrit-Attention: Krystian Hebel krystian.hebel@3mdeb.com
Gerrit-Attention: Jan Samek jan.samek@siemens.com
Gerrit-Attention: Sergii Dmytruk sergii.dmytruk@3mdeb.com
Gerrit-Comment-Date: Thu, 21 Mar 2024 00:51:52 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment