[PATCH 0/3] TPM PCR Management update proposal
Benjamin BARATTE
benjamin.baratte at st.com
Mon Jul 15 15:33:13 CEST 2024
When testing U-Boot EFI Measured boot with ST33KTPM2X32DKG9, the
EFI_TCG2_PROTOCOL is not able to register due to TPM PCR management.
This version of dTPM supports SHA1, SHA256, SHA384, SHA3_256 and SHA3_384,
which makes 5 possible PCR banks available, but only 2 at a time are
supported.
tpm2_get_pcr_info() exits with an error with this dTPM, as it supports
more hash algorithms than U-Boot does. But this is irrelevant, as the hash
algorithm used depends on the dTPM active PCR bank and not on the return
of TPM2_CAP_PCRS, which lists all possible banks.
This series of patches proposes to list exhaustively all the TPM hash
algorithms from specification 1.59, allowing any dTPM to support more
algorithms than U-Boot does.
In case the dTPM is configured with a PCR bank not supported by U-Boot, a
warning message will be generated and the PCR bank will not be updated.
This will not change the boot process anyway.
While highlighting this, I have seen that commit e7505b3 ("tpm: allow the
user to select the compiled algorithms") tries to provide more flexibility
in the embedded hash algorithms by reducing the mapping from
TPM2_ALG_SHAxxx to the U-Boot supported algorithms. But it should extend
all the tests of TPM2_ALG_SHAxxx in lib/tpm_tcg2.c, and Kconfig shall no
longer enable all the hash algorithms.
Benjamin BARATTE (3):
tpm: update tpm hash algorithm according to tpm2.0 spec 1.59
tpm: remove check on pcr bank count
tpm_tcg2: hash algo optimization
include/tpm-v2.h | 43 +++++++++++++++++++++++++++++-------------
lib/efi_loader/Kconfig | 4 ----
lib/tpm-v2.c | 8 --------
lib/tpm_tcg2.c | 38 +++++++++++++++++++++++++++++++++++++
4 files changed, 68 insertions(+), 25 deletions(-)
--
2.34.1
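The bank-selection logic the cover letter argues for, as an added example that is not part of the series or of U-Boot: parse a TPML_PCR_SELECTION as returned by TPM2_GetCapability(TPM_CAP_PCRS), treat only banks with allocated PCRs as active, and warn and skip an active bank whose algorithm the build cannot compute instead of failing registration. The two-entry supported set and the sample response bytes are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* TPM_ALG_ID (TPM 2.0 Part 2): SHA1 0x0004, SHA256 0x000B, SHA384 0x000C,
 * SHA3_256 0x0027, SHA3_384 0x0028. Only the two below are assumed to be
 * compiled into this firmware build (illustrative, not U-Boot's table). */
static const uint16_t supported_algs[] = { 0x0004, 0x000B };
/* listed: banks in TPML_PCR_SELECTION; active: banks with a PCR allocated;
 * active_unsupported: active banks this build cannot extend. */
struct bank_summary { unsigned listed, active, active_unsupported; };

static int alg_supported(uint16_t alg)
{
	for (size_t i = 0; i < sizeof(supported_algs) / sizeof(*supported_algs); i++)
		if (supported_algs[i] == alg) return 1;
	return 0;
}

/* Parse a big-endian marshalled TPML_PCR_SELECTION (UINT32 count, then per
 * bank: UINT16 hash alg, UINT8 sizeofSelect, pcrSelect bitmap). A bank is
 * active only if some pcrSelect bit is set. Returns 0, or -1 if truncated. */
static int classify_pcr_banks(const uint8_t *buf, size_t len, struct bank_summary *out)
{
	*out = (struct bank_summary){0};
	if (len < 4) return -1;
	uint32_t count = ((uint32_t)buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
	for (size_t off = 4; count--; ) {
		if (off + 3 > len) return -1;
		uint16_t alg = (uint16_t)((buf[off] << 8) | buf[off + 1]);
		uint8_t sz = buf[off + 2], any = 0;
		off += 3;
		if (off + sz > len) return -1;
		for (uint8_t b = 0; b < sz; b++) any |= buf[off + b];
		off += sz;
		out->listed++;
		if (!any) continue; /* listed but unallocated: nothing to extend */
		out->active++;
		if (!alg_supported(alg)) { /* warn and skip rather than fail the boot */
			printf("warning: active PCR bank alg 0x%04x unsupported, skipped\n", alg);
			out->active_unsupported++;
		}
	}
	return 0;
}

/* Constructed sample: five banks listed by the dTPM, two of them allocated. */
static const uint8_t sample_cap_pcrs[] = {
	0x00, 0x00, 0x00, 0x05,
	0x00, 0x04, 0x03, 0x00, 0x00, 0x00, /* SHA1: no PCRs allocated */
	0x00, 0x0B, 0x03, 0xFF, 0xFF, 0xFF, /* SHA256: PCR 0-23 */
	0x00, 0x0C, 0x03, 0x00, 0x00, 0x00, /* SHA384 */
	0x00, 0x27, 0x03, 0xFF, 0xFF, 0xFF, /* SHA3_256: PCR 0-23 */
	0x00, 0x28, 0x03, 0x00, 0x00, 0x00, /* SHA3_384 */
};
```

With the sample, the count of listed banks (5) exceeds what the build supports, yet only one active bank is skipped and the call still succeeds, which is the behaviour the series proposes in place of the early error from tpm2_get_pcr_info().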