Disable TPM2 PCR banks which aren't used by coreboot #546
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Change-Id: I7117aa165596ea3b25d7582ebdad3a8591a72f38 Signed-off-by: Sergii Dmytruk <[email protected]>
|
So, we expect to have the correct PCR banks allocated after a reboot (after EDK2 disables the banks we don't want to have) ? |
|
There is a cold reboot to reconfigure TPM which EDK does automatically if active PCR banks don't match build-time configuration. The user should never see unsupported PCRs being enabled, if that's what you're asking. |
coreboot can only extend a single PCR bank of TPM2 and this change results in all available PCRs being extended. This is an alternative to making coreboot extend all active PCRs. Change-Id: I4e21ab77f191e9b36cb467cd61ad0a3e347035cb Signed-off-by: Sergii Dmytruk <[email protected]>
SergiiDmytruk
force-pushed
the
single-tpm2-pcr-bank
branch
from
8a68c4e to
1cb3194
Compare
krystian-hebel
approved these changes
Aug 14, 2024
There was a problem hiding this comment.
Approved, Dasharo/edk2#139 must be merged before this can land on dasharo.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
coreboot can only extend a single PCR bank of TPM2 and this change results in all available PCRs being extended.
This is implemented by passing hash mask to EDK2 because coreboot would need to implement
TPM2_PCR_Allocatecommand to select PCR banks on its own while EDK already has it. We're also primarily interested in solving this for EDK2 case anyway.This affects all Dasharo EDK2 boards, but can be limited to selected ones if some negative side-effects are expected.
See Dasharo/dasharo-issues#982 for context.
EDK PR: Dasharo/edk2#160