[PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities

Ilias Apalodimas ilias.apalodimas at linaro.org
Tue May 9 15:49:40 CEST 2023


Hi Eddie

On Thu, 16 Mar 2023 at 10:32, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi Eddie,
>
> Apologies for the late reply, I am now getting back on this.
> There are some failures on the CI wrt to sandbox here [0].  Can you have a
> look ?
> Also I believe some of the existing tests are wrong because they are
> using PCR0 (which is always going to be extended).  Can you also pick up
> [1] with your series?
>
>
> [0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471
> [1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004

I did manage to figure this out. You need this [0] with your patches.
Keep in mind that
("efi_loader: fix EFI_ENTRY point on get_active_pcr_banks ") needs to
be squashed with your patches as it's causing U-Boot to crash on
selftests.

You don't really need ("tpm: clean up tpm_init usage ") this is a WIP
i am exploring.  I'll go ahead and send the remaining patches and cc
you.  Once/if those are accepted, you can resend your series with the
fix I mentioned

[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commits/eddie
Regards
/Ilias
>
> Thanks
> /Ilias
>
> On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> > The driver needs to support getting the PCRs in the capabilities
> > command. Fix various other things and support the max number
> > of PCRs for TPM2.
> > Remove the !SANDBOX dependency for EFI TCG2 as well.
> >
> > Signed-off-by: Eddie James <eajames at linux.ibm.com>
> > Reviewed-by: Simon Glass <sjg at chromium.org>
> > Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> > ---
> > Changes since v8:
> >  - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
> >
> > Changes since v5:
> >  - Remove the !SANDBOX dependency for EFI TCG2
> >
> >  drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
> >  lib/efi_loader/Kconfig         |   2 -
> >  2 files changed, 72 insertions(+), 30 deletions(-)
> >
> > diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> > index e4004cfcca..d15a28d9fc 100644
> > --- a/drivers/tpm/tpm2_tis_sandbox.c
> > +++ b/drivers/tpm/tpm2_tis_sandbox.c
> > @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
> >       TPM2_HIERARCHY_NB,
> >  };
> >
> > -/* Subset of supported capabilities */
> > -enum tpm2_capability {
> > -     TPM_CAP_TPM_PROPERTIES = 0x6,
> > -};
> > -
> >  /* Subset of supported properties */
> >  #define TPM2_PROPERTIES_OFFSET 0x0000020E
> >
> > @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
> >       TPM2_PROPERTY_NB,
> >  };
> >
> > -#define SANDBOX_TPM_PCR_NB 1
> > +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> > +#define SANDBOX_TPM_PCR_SELECT_MAX   ((SANDBOX_TPM_PCR_NB + 7) / 8)
> >
> >  /*
> >   * Information about our TPM emulation. This is preserved in the sandbox
> > @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >       int i, j;
> >
> >       /* TPM2_GetProperty */
> > -     u32 capability, property, property_count;
> > +     u32 capability, property, property_count, val;
> >
> >       /* TPM2_PCR_Read/Extend variables */
> >       int pcr_index = 0;
> > @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >       case TPM2_CC_GET_CAPABILITY:
> >               capability = get_unaligned_be32(sent);
> >               sent += sizeof(capability);
> > -             if (capability != TPM_CAP_TPM_PROPERTIES) {
> > -                     printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> > -                     return TPM2_RC_HANDLE;
> > -             }
> > -
> >               property = get_unaligned_be32(sent);
> >               sent += sizeof(property);
> > -             property -= TPM2_PROPERTIES_OFFSET;
> > -
> >               property_count = get_unaligned_be32(sent);
> >               sent += sizeof(property_count);
> > -             if (!property_count ||
> > -                 property + property_count > TPM2_PROPERTY_NB) {
> > +
> > +             switch (capability) {
> > +             case TPM2_CAP_PCRS:
> > +                     break;
> > +             case TPM2_CAP_TPM_PROPERTIES:
> > +                     if (!property_count) {
> > +                             rc = TPM2_RC_HANDLE;
> > +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> > +                                                          tag, rc);
> > +                     }
> > +
> > +                     if (property >= TPM2_PROPERTIES_OFFSET &&
> > +                         ((property - TPM2_PROPERTIES_OFFSET) +
> > +                          property_count > TPM2_PROPERTY_NB)) {
> > +                             rc = TPM2_RC_HANDLE;
> > +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> > +                                                          tag, rc);
> > +                     }
> > +                     break;
> > +             default:
> > +                     printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> > +                            "TPM2_CAP_TPM_PROPERTIES\n");
> >                       rc = TPM2_RC_HANDLE;
> >                       return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
> >               }
> > @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >               put_unaligned_be32(capability, recv);
> >               recv += sizeof(capability);
> >
> > -             /* Give the number of properties that follow */
> > -             put_unaligned_be32(property_count, recv);
> > -             recv += sizeof(property_count);
> > -
> > -             /* Fill with the properties */
> > -             for (i = 0; i < property_count; i++) {
> > -                     put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> > -                                        i, recv);
> > -                     recv += sizeof(property);
> > -                     put_unaligned_be32(tpm->properties[property + i],
> > -                                        recv);
> > -                     recv += sizeof(property);
> > +             switch (capability) {
> > +             case TPM2_CAP_PCRS:
> > +                     /* Give the number of algorithms supported - just SHA256 */
> > +                     put_unaligned_be32(1, recv);
> > +                     recv += sizeof(u32);
> > +
> > +                     /* Give SHA256 algorithm */
> > +                     put_unaligned_be16(TPM2_ALG_SHA256, recv);
> > +                     recv += sizeof(u16);
> > +
> > +                     /* Select the PCRs supported */
> > +                     *recv = SANDBOX_TPM_PCR_SELECT_MAX;
> > +                     recv++;
> > +
> > +                     /* Activate all the PCR bits */
> > +                     for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> > +                             *recv = 0xff;
> > +                             recv++;
> > +                     }
> > +                     break;
> > +             case TPM2_CAP_TPM_PROPERTIES:
> > +                     /* Give the number of properties that follow */
> > +                     put_unaligned_be32(property_count, recv);
> > +                     recv += sizeof(property_count);
> > +
> > +                     /* Fill with the properties */
> > +                     for (i = 0; i < property_count; i++) {
> > +                             put_unaligned_be32(property + i, recv);
> > +                             recv += sizeof(property);
> > +                             if (property >= TPM2_PROPERTIES_OFFSET) {
> > +                                     val = tpm->properties[(property -
> > +                                             TPM2_PROPERTIES_OFFSET) + i];
> > +                             } else {
> > +                                     switch (property) {
> > +                                     case TPM2_PT_PCR_COUNT:
> > +                                             val = SANDBOX_TPM_PCR_NB;
> > +                                             break;
> > +                                     default:
> > +                                             val = 0xffffffff;
> > +                                             break;
> > +                                     }
> > +                             }
> > +
> > +                             put_unaligned_be32(val, recv);
> > +                             recv += sizeof(property);
> > +                     }
> > +                     break;
> >               }
> >
> >               /* Add trailing \0 */
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index c5835e6ef6..605719d2b6 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
> >       bool "EFI_TCG2_PROTOCOL support"
> >       default y
> >       depends on TPM_V2
> > -     # Sandbox TPM currently fails on GetCapabilities needed for TCG2
> > -     depends on !SANDBOX
> >       select SHA1
> >       select SHA256
> >       select SHA384
> > --
> > 2.31.1
> >
>
>


More information about the U-Boot mailing list