[PATCH 2/2] efi: Add basic EFI_TCG2_PROTOCOL support

Ilias Apalodimas ilias.apalodimas at linaro.org
Thu Nov 5 01:33:12 CET 2020


On Wed, Nov 04, 2020 at 03:02:06PM -0700, Simon Glass wrote:
> Hi Ilias,
> 
> On Wed, 4 Nov 2020 at 11:52, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > Hi Simon,
> >
> > On Wed, Nov 04, 2020 at 11:08:42AM -0700, Simon Glass wrote:
> > > Hi Ilias,
> > >
> > > On Wed, 4 Nov 2020 at 06:48, Ilias Apalodimas
> > > <ilias.apalodimas at linaro.org> wrote:
> > > >
> > > > Since the U-Boot EFI implementation is getting richer, it makes sense to
> > > > add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> > > > available on the device.
> > > >
> > > > This is the initial implementation of the protocol which only adds
> > > > support for GetCapability(). It's limited to the newer and safer
> > > > TPMv2 devices.
> > > >
> > > > Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > > > ---
> > > > The protocol requires more than GetCapability to be usable.
> > > > I intend to add support for GetEventLog() and HashLogExtendEvent() once
> > > > this gets reviewed/merged.
> > > >  include/efi_loader.h       |   2 +
> > > >  include/efi_tcg2.h         |  91 ++++++++
> > > >  include/tpm-v2.h           |  48 ++++
> > > >  lib/efi_loader/Kconfig     |   8 +
> > > >  lib/efi_loader/Makefile    |   1 +
> > > >  lib/efi_loader/efi_setup.c |   7 +
> > > >  lib/efi_loader/efi_tcg2.c  | 460 +++++++++++++++++++++++++++++++++++++
> > > >  7 files changed, 617 insertions(+)
> > > >  create mode 100644 include/efi_tcg2.h
> > > >  create mode 100644 lib/efi_loader/efi_tcg2.c
> > >
> > > How can we add tests for this? We have a basic TPM emulator available
> > > so perhaps it could be used to create a sandbox test?
> >
> > I assume you refer to drivers/tpm/tpm2_tis_sandbox.c right?
> > I did check this before posting but it only supports TPM_CAP_TPM_PROPERTIES(0x6).
> > The GetCapability() also uses TPM_CAP_PCRS(0x5).
> > I don't really know if it's worth extending that, since the patches that will follow
> > implementing GetEventLog() and HashLogExtendEvent() are a lot more demanding on the TPM.
> >
> 
> The benefit is that we get fast unit tests for the code in U-Boot.
> 
> > Maybe look into some software TPM?
> 
> The things we use are not that complicated. I think bringing in
> something simple would be OK, but it needs to just cover what we need.

Sure. Let me check tpm2_tis_sandbox.c a bit more before we go ahead exploring
other possibilities and see how far we can get.

An alternative over here would be to use QEMU + OP-TEE + fTPM
once and if QEMU gets an RPMB emulation available (needed for fTPM) or
QEMU with softwareTPM.
I think the latter is easier and not strictly bound to Arm architecture.


> 
> > On my side I tested this on an armv8 with fTPM and an EFI application [1]
> >
> > [1] https://github.com/apalos/efi-tpm2-utils
> 
> We can probably put some of that code in U-Boot if you are amenable.
> Heinrich has added tests for most/all of the U-Boot EFI functionality.
> 

That repo is not my code. I just fixed the arm64 compilation and used it during my development.
If the licence permits it, we can indeed use some of the code in our selftests.

Regards
/Ilias
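The thread notes that the EFI_TCG2 GetCapability() implementation relies on TPM_CAP_PCRS, which the sandbox TPM does not emulate. As an added example that is not part of this patch or of U-Boot, the C below parses a constructed TPM2_GetCapability(TPM_CAP_PCRS) response and derives the active PCR bank bitmap in the EFI_TCG2 HashAlgorithmBitmap encoding; the function and sample names are assumptions, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define TPM2_ST_NO_SESSIONS 0x8001   /* TCG TPM 2.0 Library, Part 2 */
#define TPM2_CAP_PCRS       0x0005

/* TPM_ALG_ID -> EFI_TCG2 HashAlgorithmBitmap bit (TCG EFI Protocol Specification) */
static const struct { uint16_t alg; uint32_t bit; } bank_map[] = {
	{ 0x0004, 0x1 }, /* TPM_ALG_SHA1   -> EFI_TCG2_BOOT_HASH_ALG_SHA1   */
	{ 0x000B, 0x2 }, /* TPM_ALG_SHA256 -> EFI_TCG2_BOOT_HASH_ALG_SHA256 */
	{ 0x000C, 0x4 }, /* TPM_ALG_SHA384 -> EFI_TCG2_BOOT_HASH_ALG_SHA384 */
	{ 0x000D, 0x8 }, /* TPM_ALG_SHA512 -> EFI_TCG2_BOOT_HASH_ALG_SHA512 */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Parse a TPM2_GetCapability(TPM_CAP_PCRS) response laid out as
 *   tag(2) size(4) rc(4) moreData(1) capability(4) count(4), then
 *   count x { hashAlg(2) sizeofSelect(1) pcrSelect[sizeofSelect] }.
 * Every implemented bank is listed; an all-zero pcrSelect means no PCRs are
 * allocated in it. Returns the EFI_TCG2 active-bank bitmap, 0 if malformed. */
uint32_t active_pcr_banks(const uint8_t *rsp, size_t len)
{
	if (len < 19 || be16(rsp) != TPM2_ST_NO_SESSIONS || be32(rsp + 2) != len ||
	    be32(rsp + 6) != 0 /* TPM_RC_SUCCESS */ || be32(rsp + 11) != TPM2_CAP_PCRS)
		return 0;
	uint32_t count = be32(rsp + 15), banks = 0;
	size_t off = 19;
	for (uint32_t i = 0; i < count; i++) {
		if (off + 3 > len || off + 3 + rsp[off + 2] > len)
			return 0;                          /* truncated selection */
		uint16_t alg = be16(rsp + off);
		uint8_t nsel = rsp[off + 2], any = 0;
		for (uint8_t b = 0; b < nsel; b++)
			any |= rsp[off + 3 + b];
		for (size_t k = 0; any && k < sizeof(bank_map) / sizeof(bank_map[0]); k++)
			if (bank_map[k].alg == alg)
				banks |= bank_map[k].bit;  /* unknown algs are not advertised */
		off += 3 + nsel;
	}
	return off == len ? banks : 0;             /* reject trailing bytes */
}

/* Constructed sample: SHA1 bank implemented but unallocated, SHA256 bank with PCRs 0-23. */
const uint8_t sample_cap_pcrs_rsp[31] = {
	0x80, 0x01, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00, /* tag size rc moreData */
	0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02,                   /* TPM_CAP_PCRS, count=2 */
	0x00, 0x04, 0x03, 0x00, 0x00, 0x00,                               /* SHA1, pcrSelect 0 */
	0x00, 0x0b, 0x03, 0xff, 0xff, 0xff,                               /* SHA256, all PCRs */
};
```

A sandbox emulator that answered TPM_CAP_PCRS with bytes of this shape would let a unit test check that GetCapability() reports only SHA256 as active here, and that a response whose size field disagrees with the buffer is rejected rather than parsed.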