[coreboot-gerrit] Patch merged into coreboot/master: lib/tpm2: do not create all NVRAM spaces with the same set of attributes
gerrit at coreboot.org
gerrit at coreboot.org
Mon Nov 14 19:12:01 CET 2016
the following patch was just integrated into master:
commit 289ee8f0e9d8e40ace5e95a858d4e0d09bcb357c
Author: Vadim Bendebury <vbendeb at chromium.org>
Date: Fri Nov 11 09:36:50 2016 -0800
lib/tpm2: do not create all NVRAM spaces with the same set of attributes
The TPM spaces created by the RO need to have different attributes
depending on the space's use. The firmware rollback counter and MRC
hash spaces are created by the RO code and need to be protected at the
highest level: it should be impossible to delete or modify the space
once the RO exits, and it is how it is done before this patch.
The rest of the spaces should be possible to modify or recreate even
after the RO exits. Let's use different set of NVRAM space attributes
to achieve that, and set the 'pcr0 unchanged' policy only for the
firmware counter and MRC cache spaces.
The definitions of the attributes can be found in "Trusted Platform
Module Library Part 2: Structures", Revision 01.16, section "13.2
TPMA_NV (NV Index Attributes)."
CQ-DEPEND=CL:410127
BRANCH=none
BUG=chrome-os-partner:59651
TEST=verified that the reef system boots fine in both normal and
recovery modes; using tpmc confirmed that firmware, kernel and
MRC cache NVRAM spaces are readable in both and writeable only in
recovery mode.
Change-Id: I1a1d2459f56ec929c9a92b39175888b8d1bcda55
Signed-off-by: Vadim Bendebury <vbendeb at chromium.org>
Reviewed-on: https://review.coreboot.org/17388
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin at chromium.org>
Reviewed-by: Paul Menzel <paulepanter at users.sourceforge.net>
Reviewed-by: Andrey Pronin <apronin at chromium.org>
See https://review.coreboot.org/17388 for details.
-gerrit
More information about the coreboot-gerrit
mailing list