coreboot-kgpe-d16/src/security
Yi Chou 0f910e7db9 vboot: Add firmware PCR support
To verify the boot chain, we will need to extend the PCR with the
firmware version, and the server will then be able to attest the firmware
version of devices.

The "firmware version" here is the RW firmware anti-rollback version,
determined by ChromeOS's signing infra, and will be verified in
vb2api_fw_phase3 by comparing it with the version stored in the TPM.
This version will be increased when there is a critical vulnerability
in the RW firmware.

According to [1], PCRs 8-15 usage is defined by Static OS. Therefore
PCR_FW_VER is chosen to be within that range. Ideally the existing
PCR_BOOT_MODE and PCR_HWID should also be allocated in the same range,
but unfortunately it's too late to fix them. Because PCRs 11 and 13
have been used for other purposes in ChromeOS, here PCR_FW_VER is set
to 10.

[1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_05_3feb20.pdf

BUG=b:248610274
TEST=Boot the device, and check the PCR 10
BRANCH=none

Signed-off-by: Yi Chou <yich@google.com>
Change-Id: I601ad31e8c893a8e9ae1a9cdd27193edce10ec61
Reviewed-on: https://review.coreboot.org/c/coreboot/+/79437
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2024-01-04 14:30:33 +00:00
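The commit message above describes two separate checks: the device extends PCR 10 with the RW firmware anti-rollback version, and a remote server later attests that version from a PCR quote, while the device itself refuses to run firmware older than the version recorded in the TPM. The following is an added illustration, not code from coreboot or vboot, that simulates the SHA-256 PCR bank's extend operation and the server-side comparison. The encoding of the version into the measured blob, the PCR starting from its reset value with no other extends into PCR 10, and the helper names are all assumptions for the example; the real coreboot measurement path is not shown on this page.

```python
import hashlib
import hmac

# PCR index chosen in the commit message (TCG PC Client PFP: PCRs 8-15 are "Static OS" usage).
PCR_FW_VER = 10

# ASSUMPTION: PCR 10 starts at its reset value (all zeros for a SHA-256 bank)
# and receives exactly one extend, the firmware version measurement.
PCR_RESET_VALUE = bytes(32)


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: new = H(old || digest).

    The operation is one-way, so a verifier cannot read the version back out
    of the PCR; it must recompute the expected value for each candidate.
    """
    if len(pcr_value) != 32 or len(digest) != 32:
        raise ValueError("SHA-256 bank expects 32-byte PCR and digest")
    return hashlib.sha256(pcr_value + digest).digest()


def measure_fw_version(version: int) -> bytes:
    """Digest of the anti-rollback version as it would be passed to the extend.

    ASSUMPTION: a 4-byte little-endian encoding. This is illustrative only;
    coreboot's real encoding of the vboot RW version is not on this page.
    """
    if not 0 <= version < 2**32:
        raise ValueError("version must fit in 32 bits")
    return hashlib.sha256(version.to_bytes(4, "little")).digest()


def rollback_check(fw_version: int, tpm_stored_version: int) -> bool:
    """Device-side anti-rollback check in the spirit of vb2api_fw_phase3:
    the RW firmware's version must not be older than the one stored in the TPM."""
    return fw_version >= tpm_stored_version


def simulate_device_boot(fw_version: int, tpm_stored_version: int = 0) -> bytes:
    """Device side: refuse rollback, then extend PCR_FW_VER with the version
    measurement and return the resulting PCR value (what a quote would carry)."""
    if not rollback_check(fw_version, tpm_stored_version):
        raise RuntimeError("RW firmware version older than TPM anti-rollback value")
    return pcr_extend(PCR_RESET_VALUE, measure_fw_version(fw_version))


def expected_pcr_fw_ver(version: int) -> bytes:
    """Server side: the PCR 10 value a device running `version` should quote."""
    return pcr_extend(PCR_RESET_VALUE, measure_fw_version(version))


def attest_fw_version(quoted_pcr: bytes, min_version: int, max_version: int):
    """Server side: map a quoted PCR 10 value back to a firmware version.

    Only versions in [min_version, max_version] are acceptable; min_version is
    the floor the fleet operator enforces after a critical RW firmware fix.
    Returns the matched version, or None if the quote matches no acceptable one.
    (The quote's signature must already have been verified against the device's
    attestation key; that step is outside this example.)
    """
    for candidate in range(min_version, max_version + 1):
        if hmac.compare_digest(expected_pcr_fw_ver(candidate), quoted_pcr):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: fleet minimum is version 5 after a fix; devices quote PCR 10.
    good_quote = simulate_device_boot(fw_version=6, tpm_stored_version=5)
    stale_quote = pcr_extend(PCR_RESET_VALUE, measure_fw_version(4))  # device that never updated
    print("good device ->", attest_fw_version(good_quote, 5, 20))   # 6
    print("stale device ->", attest_fw_version(stale_quote, 5, 20))  # None
```

Because the extend is a hash chain, the server compares against recomputed expected values rather than parsing the PCR; any additional extend into PCR 10 on the device (or a different version encoding) changes the expected value and must be mirrored on the server side.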
intel treewide: Use show_notices target for warnings 2023-12-20 04:06:55 +00:00
lockdown security/intel: Add option to enable SMM flash access only 2021-06-21 08:11:11 +00:00
memory commonlib,console,nb,sb,security: Add SPDX licenses to Makefiles 2023-08-14 15:14:45 +00:00
tpm vboot: Add firmware PCR support 2024-01-04 14:30:33 +00:00
vboot vboot: Add firmware PCR support 2024-01-04 14:30:33 +00:00
Kconfig cbfs: Add verification for RO CBFS metadata hash 2020-12-03 00:11:08 +00:00
Makefile.inc commonlib,console,nb,sb,security: Add SPDX licenses to Makefiles 2023-08-14 15:14:45 +00:00