This doesn't make sense to me. By putting the PIN in memory you expose its value at all steps in the delivery process. Chromebooks have a very good mechanism for keys that can be personalized to an individual, see my talk at last year's linuxconf in berlin where I showed how you can make a chromebook boot only a chromeos you have signed personally.

Security is really hard to get right. I think you need to build on what's in the chromebook, not design your own addon, because that's almost certainly going to weaken security.

What are you trying to do here? Is the target software stack chromeos? Why the PIN?

We may want to drop coreboot list off this discussion but there are so many smart people on the coreboot list I wanted to give them a chance to respond too.