TPM setup on a RPI Compute Module 4
Jonas Kvinge
jonaski at opensuse.org
Wed Jan 31 13:42:22 CET 2024
Hi,
I have a CM4 with a sourcekit io board and a pi3g lets trust TPM. It's
running Raspberry Pi OS Bookworm.
tpm2_pcrread shows zeros for all pcr's. My understanding is that the tpm
needs to be setup on boot so the pcr values are populated.
So how can I best fill in the values for the TPM?
I've tried to build a custom u-boot with the boot.scr following the
instructions on
https://github.com/joholl/rpi4-uboot-tpm/blob/ad31306ce2f2d52f0572385bfc8bac33cb1f1f68/README.md#setting-up-and-configuring
tpm2 init
tpm2 start TPM2_SU_CLEAR
mmc read $loadaddr 0x800 0x80000
hash sha256 $loadaddr *0x10000000
tpm2 pcr_extend 4 0x10000000
setenv kernel_comp_addr_r 0x0A000000
setenv kernel_comp_size 8194604
fdt addr ${fdt_addr} && fdt get value bootargs /chosen bootargs
fatload mmc 0:1 ${kernel_addr_r} kernel8.img
booti ${kernel_addr_r} - ${fdt_addr}
To create the image I use:
./tools/mkimage -A arm64 -T script -C none -n "Boot script" -d boot.scr
boot.scr.uimg
However, when I use the "mmc read" command, the kernel no longer boots,
it goes into an infinite reboot.
I've also tried building u-boot with CONFIG_MEASURED_BOOT according
https://docs.u-boot.org/en/latest/usage/measured_boot.html
But then all the pcr's from 0-7 have the identical sha256 values, how come?
Jonas
More information about the U-Boot
mailing list