[U-Boot] [PATCH 1/3] tpm: Add function to load keys via their parent's SHA1 hash

Simon Glass sjg at chromium.org
Wed Mar 22 13:05:53 UTC 2017


On 20 March 2017 at 03:28, Mario Six <mario.six at gdsys.cc> wrote:
> If we want to load a key into a TPM, we need to know the designated parent
> key's handle, so that the TPM is able to insert the key at the correct place in
> the key hierarchy.
>
> However, if we want to load a key whose designated parent key we also
> previously loaded ourselves, we first need to memorize this parent key's handle
> (since the handles for the key are chosen at random when they are inserted into
> the TPM). If we are, however, unable to do so, for example if the parent key is
> loaded into the TPM during production, and its child key during the actual
> boot, we must find a different mechanism to identify the parent key.
>
> To solve this problem, we add a function that allows U-Boot to load a key into
> the TPM using their designated parent key's SHA1 hash, and the corresponding
> auth data.
>
> Signed-off-by: Mario Six <mario.six at gdsys.cc>
> ---
>  cmd/tpm.c           | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
>  drivers/tpm/Kconfig |  8 ++++++++
>  include/tpm.h       | 12 ++++++++++++
>  lib/tpm.c           | 40 ++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 109 insertions(+)

Reviewed-by: Simon Glass <sjg at chromium.org>

Perhaps you don't need a new Kconfig option? Is that to save code space?


More information about the U-Boot mailing list