[coreboot-gerrit] Patch merged into coreboot/master: tpm2: use pcr0 dependent nvram space policy definitions

gerrit at coreboot.org gerrit at coreboot.org
Wed Jul 13 23:59:38 CEST 2016 

the following patch was just integrated into master:
commit 7ee057c700dd3481eae9a4b3ee13831798fe8ea5
Author: Vadim Bendebury <vbendeb at chromium.org>
Date:   Sun Jul 3 15:24:23 2016 -0700

    tpm2: use pcr0 dependent nvram space policy definitions
    
    The TPM2 specification allows defining NV ram spaces in a manner
    that makes it impossible to remove the space until a certain PCR is in
    a certain state.
    
    This comes in handy when defining spaces for rollback counters: make
    their removal depend on PCR0 being in the default state. Then extend
    PCR0 to any value. This guarantees that the spaces can not be deleted.
    
    Also, there is no need t create firmware and kernel rollback spaces
    with different privileges: they both can be created with the same set of
    properties, the firmware space could be locked by the RO firmware, and
    the kernel space could be locked by the RW firmware thus providing
    necessary privilege levels.
    
    BRANCH=none
    BUG=chrome-os-partner:50645, chrome-os-partner:55063
    TEST=with the rest of the patches applied it is possible to boot into
          Chrome OS maintaining two rollback counter spaces in the TPM NV
          ram locked at different phases of the boot process.
    
    Change-Id: I889b2c4c4831ae01c093f33c09b4d98a11d758da
    Signed-off-by: Martin Roth <martinroth at chromium.org>
    Original-Commit-Id: 36317f5e85107b1b2e732a5bb2a38295120560cd
    Original-Change-Id: I69e5ada65a5f15a8c04be9def92a8e1f4b753d9a
    Original-Signed-off-by: Vadim Bendebury <vbendeb at chromium.org>
    Original-Reviewed-on: https://chromium-review.googlesource.com/358094
    Original-Reviewed-by: Aaron Durbin <adurbin at chromium.org>
    Original-Reviewed-by: Julius Werner <jwerner at chromium.org>
    Reviewed-on: https://review.coreboot.org/15635
    Tested-by: build bot (Jenkins)
    Reviewed-by: Philipp Deppenwiese <zaolin.daisuki at googlemail.com>


See https://review.coreboot.org/15635 for details.

-gerrit

More information about the coreboot-gerrit mailing list