[coreboot-gerrit] Change in coreboot[master]: security/tpm: Set up generic TSPI

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Tue Jan 23 03:07:51 CET 2018


Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/22106 )

Change subject: security/tpm: Set up generic TSPI
......................................................................


Patch Set 37:

(9 comments)

https://review.coreboot.org/#/c/22106/37/src/security/tpm/Makefile.inc
File src/security/tpm/Makefile.inc:

https://review.coreboot.org/#/c/22106/37/src/security/tpm/Makefile.inc@7
PS37, Line 7: ifeq ($(CONFIG_VBOOT),y)
> Why not just leave the conditionals out and compile it into all stages? It will be garbage collected […]
Yeah, makes sense.


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c
File src/security/tpm/tspi/tspi.c:

https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c@114
PS37, Line 114: 		if (IS_ENABLED(CONFIG_TPM_DEACTIVATE))
> Note that this won't deactivate an already activated TPM if you bury it down here, because it won't  […]
Yep, gonna fix that.


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c@132
PS37, Line 132: 	    result != TPM_SUCCESS) {
> Can result even == TPM_SUCCESS here?
Leftover. Will fix it.


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c@137
PS37, Line 137: 		hard_reset();
> This will break vboot because it would now also be executed in the recovery path. […]
okay


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c@154
PS37, Line 154: #if IS_ENABLED(CONFIG_TPM)
> It's really confusing what this is doing here... […]
I totally agree.


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tspi/tspi.c@173
PS37, Line 173: **out_digest
> Why does this need to be a double pointer? And why do we need this wrapper at all, it does so little […]
Will fix it. IMHO the high-level interface should be used instead of accessing the TSS directly. Maybe in this case it is not really useful.


https://review.coreboot.org/#/c/22106/37/src/security/tpm/tss/tcg-2.0/tss_structures.h
File src/security/tpm/tss/tcg-2.0/tss_structures.h:

https://review.coreboot.org/#/c/22106/37/src/security/tpm/tss/tcg-2.0/tss_structures.h@137
PS37, Line 137: #define REC_HASH_NV_INDEX               0x100b
> Note that these are vboot-specific, maybe they should go in a vboot file (like antirollback. […]
Leftover, sure, I will fix it.


https://review.coreboot.org/#/c/22106/37/src/security/vboot/antirollback.h
File src/security/vboot/antirollback.h:

https://review.coreboot.org/#/c/22106/37/src/security/vboot/antirollback.h@60
PS37, Line 60: setup_tpm
> ...and while we're at it, this could also be clearer as vboot_setup_tpm().
This function is used as part of the TPM interface. So it is not vboot specific!


https://review.coreboot.org/#/c/22106/37/src/security/vboot/antirollback.h@63
PS37, Line 63: extend_pcr
> This should probably be namespaced in some way... […]
See above



-- 
To view, visit https://review.coreboot.org/22106

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I883c489801fce88e13952fe24b67315ab6bb1afb
Gerrit-Change-Number: 22106
Gerrit-PatchSet: 37
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Aaron Durbin <adurbin at chromium.org>
Gerrit-Reviewer: Julius Werner <jwerner at chromium.org>
Gerrit-Reviewer: Kyösti Mälkki <kyosti.malkki at gmail.com>
Gerrit-Reviewer: Patrick Rudolph <siro at das-labor.org>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Randall Spangler <randall at spanglers.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply at coreboot.org>
Gerrit-Comment-Date: Tue, 23 Jan 2018 02:07:51 +0000
Gerrit-HasComments: Yes
Gerrit-HasLabels: No