Enable PCR_Reset
In order to support a kernel hardened version of hibernation, we'll want
to use PCR23 (or some other TBD volatile resettable PCR) as part of the
policy in sealing the hibernate key. This gives the kernel a mechanism
to create TPM signatures that a rogue usermode cannot duplicate.
To make this all work, we need the PCR to be resettable. Enable the
PCR_Reset capability, which allows (PC standard) resetting of PCRs 16,
23, and 24 (see s_initAttributes). This feature consumes 364 bytes of
RW flash space, and no RAM, at present leaving 7972 bytes of RW flash
available.
BUG=b:213601712
TEST=make
Change-Id: If7f10c771c65ebebef8de76d605e6b6ccfb294b4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/tpm2/+/3373466
Tested-by: Evan Green <evgreen@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Evan Green <evgreen@chromium.org>
1 file changed
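To illustrate why the PCR has to be resettable, here is an added Python model (not code from this change or from the tpm2 tree) of PCR extend/reset and the TPM2_PolicyPCR digest: with PCR_Reset the kernel can return PCR23 to a known state and seal against it, while anything that can only extend can never reproduce that state. The known value, the closing extend after sealing and the PermissionError on a non-resettable PCR are assumptions made for the illustration.

```python
import hashlib

PCR_LEN = 32                     # SHA-256 bank
TPM_CC_POLICYPCR = 0x0000017F    # TPM2_PolicyPCR command code (TPM 2.0 Part 2)
TPM_ALG_SHA256 = 0x000B


class Pcr:
    """Minimal model of one SHA-256 PCR: extend is one-way; reset is allowed
    only when the PCR is marked resettable (what enabling PCR_Reset grants)."""

    def __init__(self, resettable: bool) -> None:
        self.resettable = resettable
        self.value = bytes(PCR_LEN)        # PCRs start out as all zeros

    def extend(self, data: bytes) -> None:
        # TPM2_PCR_Extend: new = H(old || digest of data)
        self.value = hashlib.sha256(self.value + hashlib.sha256(data).digest()).digest()

    def reset(self) -> None:
        # TPM2_PCR_Reset on a non-resettable PCR fails; modelled as an exception (assumption)
        if not self.resettable:
            raise PermissionError("PCR is not resettable")
        self.value = bytes(PCR_LEN)


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """Policy digest TPM2_PolicyPCR yields on a fresh session (TPM 2.0 Part 3):
    H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))."""
    select = bytearray(3)                                  # sizeofSelect = 3 (PCRs 0..23)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    pcrs = (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bytes(select)
    pcr_digest = hashlib.sha256(pcr_value).digest()
    return hashlib.sha256(bytes(PCR_LEN) + TPM_CC_POLICYPCR.to_bytes(4, "big") + pcrs + pcr_digest).digest()


def hibernate_key_cycle(resettable: bool) -> dict:
    """One seal cycle. The known value and the closing extend are assumptions
    about how a kernel would use the PCR, not taken from the commit message."""
    pcr23 = Pcr(resettable)
    pcr23.reset()                                   # raises if PCR_Reset is not enabled
    pcr23.extend(b"kernel-hibernate-seal")          # constructed known value
    sealed_policy = policy_pcr_digest(23, pcr23.value)
    seal_time_ok = policy_pcr_digest(23, pcr23.value) == sealed_policy
    pcr23.extend(b"window-closed")                  # assumed: kernel closes the window after sealing
    usermode_ok = policy_pcr_digest(23, pcr23.value) == sealed_policy
    # Without reset, further extends (even replaying the known value) never recreate the sealed state
    for attempt in (b"", b"kernel-hibernate-seal", b"window-closed"):
        pcr23.extend(attempt)
        usermode_ok |= policy_pcr_digest(23, pcr23.value) == sealed_policy
    return {"seal_time_ok": seal_time_ok, "usermode_ok": usermode_ok}
```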