Attention is currently required from: Miriam Polzer, Julius Werner, Yu-Ping Wu.
Andrey Pronin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59097 )
Change subject: security/vboot: Add NVRAM counter for TPM 2.0
Patch Set 6:
(3 comments)
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/59097/comment/db197337_61717259 PS3, Line 150: .TPMA_NV_NO_DA = 1,
I don't know, maybe Andrey does. […]
You can still fail auth by trying to authenticate with an owner auth, or passing some random password as authValue. It allows access with PH or authValue=NULL specifically. Yes, in practice, access to it with different auth is unlikely, but NO_DA doesn't cost us anything.
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/59097/comment/313fbfa6_286b6552 PS6, Line 120: TPMA_NV_WRITE_STCLEAR
I was just thinking it doesn't hurt? Is there ever a reason not to set this flag (just in case the n […]
Probably doesn't hurt, but needs a bit of analysis. Is there any attack where an attacker can gain something by preventing the counter from incrementing (until reboot)? With WriteLock they can do just that.
https://review.coreboot.org/c/coreboot/+/59097/comment/25d96389_760178f0 PS6, Line 385: enterprise_rollback_create_counter
Yes, I was told that on ToT we should have firmware clean for new devices and if/when we merge this […]
OK, if this is per design, works for me.