Attention is currently required from: Andrey Pronin, Christian Walter, Paul Menzel, Yi Chou, Yu-Ping Wu.
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/79437?usp=email )
Change subject: vboot: Add firmware PCR support
Patch Set 6:
(1 comment)
Commit Message:
https://review.coreboot.org/c/coreboot/+/79437/comment/286c0ffe_2e1da777 :
PS6, Line 24: to 10 (and we plan to use PCR 12 for kernel version).
hmmm, those were discussed in go/cros-arm-widevine-cert […]
Well, I don't really see anything specifically talking about two separate PCRs in that doc. I think this is just a matter of us all starting with different assumptions and never really talking about it. I had always assumed we were talking about a single PCR (because the limited number of PCRs was mentioned as a potential concern earlier). Let's add +Andrey to see what he thinks.
Double-extend should no longer be a concern on future boards (especially not on Arm boards, it had only ever been an issue on x86). Even if it ever came up again we could still add a different hack to Ti50 that just counts the amount of times the PCR is extended and stops it after 2, so it's not like we'd be potentially locking out such workarounds completely. But it shouldn't be necessary anyway.