> On a related topic, is there a reason to wait to enable the TPM? Looking > at src/northbridge/intel/sandybridge/romstage.c, it isn't enabled until > after the MRC cache has been read from the read-write portions of the > flash chip, which could potentially compromise the root of trust.
No, I think that's just the way it grew historically. Note that init_tpm() is part of older code which is not using src/lib/tlcl.c and isn't really part of the way the main vboot code uses the TPM. (Also, in vboot the TPM is just used for lockable NVRAM storage, it's not really part of the root of trust.) -- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
