[U-Boot] [PATCH 1/3] tpm: Add function to load keys via their parent's SHA1 hash

Simon Glass sjg at chromium.org
Wed Mar 22 13:27:02 UTC 2017 

Hi Mario,

On 22 March 2017 at 07:20, Mario Six <mario.six at gdsys.cc> wrote:
> On Wed, Mar 22, 2017 at 2:05 PM, Simon Glass <sjg at chromium.org> wrote:
>> On 20 March 2017 at 03:28, Mario Six <mario.six at gdsys.cc> wrote:
>>> If we want to load a key into a TPM, we need to know the designated parent
>>> key's handle, so that the TPM is able to insert the key at the correct place in
>>> the key hierarchy.
>>>
>>> However, if we want to load a key whose designated parent key we also
>>> previously loaded ourselves, we first need to memorize this parent key's handle
>>> (since the handles for the key are chosen at random when they are inserted into
>>> the TPM). If we are, however, unable to do so, for example if the parent key is
>>> loaded into the TPM during production, and its child key during the actual
>>> boot, we must find a different mechanism to identify the parent key.
>>>
>>> To solve this problem, we add a function that allows U-Boot to load a key into
>>> the TPM using their designated parent key's SHA1 hash, and the corresponding
>>> auth data.
>>>
>>> Signed-off-by: Mario Six <mario.six at gdsys.cc>
>>> ---
>>>  cmd/tpm.c           | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  drivers/tpm/Kconfig |  8 ++++++++
>>>  include/tpm.h       | 12 ++++++++++++
>>>  lib/tpm.c           | 40 ++++++++++++++++++++++++++++++++++++++++
>>>  4 files changed, 109 insertions(+)
>>
>> Reviewed-by: Simon Glass <sjg at chromium.org>
>>
>> Perhaps you don't need a new Kconfig option? Is that to save code space?
>>
>>
>
> Yes, it's primarily to save code space. I haven't really investigated how much
> this option does impact the overall size, but since every recent addition to
> the TPM library was guarded with a new Kconfig option, I thought it was prudent
> to emulate that.
>
> If you think it's overkill, I can drop the option, and just have it
> compiled in by default.

I think for now it is overkill, and I'm happy to just include the new
functionality always. We have a sandbox tpm emulator - can we use that
to write tests?

Regards,
Simon

More information about the U-Boot mailing list