[PATCH 2/2] efi: Add basic EFI_TCG2_PROTOCOL support
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Nov 4 19:52:30 CET 2020
Hi Simon,
On Wed, Nov 04, 2020 at 11:08:42AM -0700, Simon Glass wrote:
> Hi Ilias,
>
> On Wed, 4 Nov 2020 at 06:48, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > Since U-boot EFI implementation is getting richer it makes sense to
> > add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> > available on the device.
> >
> > This is the initial implementation of the protocol which only adds
> > support for GetCapability(). It's limited in the newer and safer
> > TPMv2 devices.
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > The protocol requires mode that GetCapability to be usable.
> > I intend to add support for GetEventLog() and HashLogExtendEvent() once
> > this gets reviewed/merged
> > include/efi_loader.h | 2 +
> > include/efi_tcg2.h | 91 ++++++++
> > include/tpm-v2.h | 48 ++++
> > lib/efi_loader/Kconfig | 8 +
> > lib/efi_loader/Makefile | 1 +
> > lib/efi_loader/efi_setup.c | 7 +
> > lib/efi_loader/efi_tcg2.c | 460 +++++++++++++++++++++++++++++++++++++
> > 7 files changed, 617 insertions(+)
> > create mode 100644 include/efi_tcg2.h
> > create mode 100644 lib/efi_loader/efi_tcg2.c
>
> How can we add tests for this? We have a basic TPM emulator available
> so perhaps it could be used to create a sandbox test?
I assume you refer to drivers/tpm/tpm2_tis_sandbox.c right?
I did check this before posting but it only supports TPM_CAP_TPM_PROPERTIES(0x6).
The GetCapability() also uses TPM_CAP_PCRS(0x5).
I don't really know if it's worth extending that, since the patches that will follow
implementing GetEventLog() and HashLogExtendEvent() are a lot more demanding on the TPM.
Maybe look into some software TPM?
On my side I tested this on an armv8 with fTPM and and EFI application [1]
[1] https://github.com/apalos/efi-tpm2-utils
Regards
/Ilias
>
> Regards,
> Simon
More information about the U-Boot
mailing list