[Skiboot] [PATCH 8/8] libstb: Set TPM platform auth to random password
Nayna
nayna at linux.vnet.ibm.com
Fri Apr 10 06:50:35 AEST 2020
On 4/2/20 12:52 PM, Mauro S. M. Rodrigues wrote:
> From: Ryan Grimm <grimm at linux.ibm.com>
>
> Set in core/init.c before trustedboot_exit_boot_services.
>
> Signed-off-by: Ryan Grimm <grimm at linux.ibm.com>
> ---
> core/init.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git core/init.c core/init.c
> index bff4e968aa..63e3f97a3b 100644
> --- core/init.c
> +++ core/init.c
> @@ -38,6 +38,7 @@
> #include <vas.h>
> #include <libstb/secureboot.h>
> #include <libstb/trustedboot.h>
> +#include <libstb/tss2/tssskiboot.h>
> #include <phys-map.h>
> #include <imc.h>
> #include <dts.h>
> @@ -556,6 +557,8 @@ void __noreturn load_and_boot_kernel(bool is_reboot)
>
> load_initramfs();
>
> + tss_set_platform_auth();
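Review bot: the added call `tss_set_platform_auth();` in load_and_boot_kernel() is made as a bare statement, so any failure it can report is dropped and the boot carries on. If the function returns a status, check it here and either log it or stop the boot. The call is also unconditional with respect to the `is_reboot` argument shown in the hunk header, so it runs on every pass through this function; state in the commit message or in a comment above the call whether that is intended.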
This is ignoring the error if unable to set the Platform Auth. I think
skiboot should halt boot if it fails here.
While testing secvar, we realized that in case of fast-reboot, this is
getting attempted again, which fails in the current scenario because of
an error in reinitializing the TPM. That might have to be fixed separately
as a trusted boot issue.
However, it also raised the question: is it the right place to set
the platform auth here in skiboot? Any thoughts from the ultravisor team
based on their use case? If no other requirements, should it be set
immediately after secvar initialization?
Thanks & Regards,
- Nayna