Change in coreboot[master]: chromeos/Kconfig: Add TPM20_CREATE_FWMP - coreboot-gerrit

5 May 2021


      Attention is currently required from: Andrey Pronin, Aseda Aboagye, Aaron Durbin.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/52919 )
Change subject: chromeos/Kconfig: Add TPM20_CREATE_FWMP
......................................................................
Patch Set 5:
(4 comments)
Patchset:
PS5:
...
I added a new API in vboot_reference. […]
You need to uprev the submodule. First, the vboot change needs to get merged. Then, go into your coreboot checkout, cd into 3rdparty/vboot, fetch and checkout the new updated main branch (you may need to add it separately as a remote first), then go back into the coreboot toplevel directory and you can check that in like a commit. See older patches like CB:47784
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/52919/comment/196abef7_ba4dca5f 
PS1, Line 243: 		rv = tlcl_define_space(FWMP_NV_INDEX, VB2_SECDATA_FWMP_MAX_SIZE,
...
I'm initializing the space now.
Well, reading through the TPM spec I guess it should actually return TPM_RC_NV_UNINITIALIZED, but that's not good either. We have special consideration for the FMWP not existing at all (BADINDEX) in depthcharge, but not for any other error code. See depthcharge/src/vboot/secdata_tpm.c#secdata_fwmp_read()
File src/security/vboot/secdata_tpm.c:
https://review.coreboot.org/c/coreboot/+/52919/comment/a69f1641_a0397001 
PS5, Line 200: VB2_SECDATA_FWMP_MAX_SIZE
Actually, thinking it through again this needs to be the size of the currently used FWMP structure, not MAX_SIZE (see explanation in CL:2875533 for the difference). That size should really come from the result of the create() function. Maybe we should reshuffle these set_xxx_space() functions a bit so they take the whole context pointer and call the respective create() function themselves so they can use that result right away (and maybe they should be called setup_xxx_space() or something? Just "set" sounds more like (over-)writing than creating...).
File src/vendorcode/google/chromeos/Kconfig:
https://review.coreboot.org/c/coreboot/+/52919/comment/1db82b80_2d24598a 
PS1, Line 95: config TPM20_CREATE_FWMP
...
(sorry, missed this comment earlier) I had the same question myself. […]
Let's just switch all boards over at once and avoid more fragmentation.
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/52919
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I1f566e00f11046ff9a9891c65660af50fbb83675
Gerrit-Change-Number: 52919
Gerrit-PatchSet: 5
Gerrit-Owner: Aseda Aboagye aaboagye@google.com
Gerrit-Reviewer: Aaron Durbin adurbin@chromium.org
Gerrit-Reviewer: Andrey Pronin apronin@chromium.org
Gerrit-Reviewer: build bot (Jenkins) no-reply@coreboot.org
Gerrit-CC: Julius Werner jwerner@chromium.org
Gerrit-Attention: Andrey Pronin apronin@chromium.org
Gerrit-Attention: Aseda Aboagye aaboagye@google.com
Gerrit-Attention: Aaron Durbin adurbin@chromium.org
Gerrit-Comment-Date: Wed, 05 May 2021 22:05:40 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Aseda Aboagye aaboagye@google.com
Comment-In-Reply-To: Julius Werner jwerner@chromium.org
Gerrit-MessageType: comment