[PATCH 2/9] tpm: Avoid code bloat when not using EFI_TCG2_PROTOCOL

[Heinrich Schuchardt]

On 6/5/24 05:25, Simon Glass wrote:
> It does not make sense to enable all SHA algorithms unless they are
> needed. It bloats the code and in this case, causes chromebook_link to
> fail to build.

Why would chromebook_link fail to build?
Is TPM used by U-Boot on that board at all?

>
> Add a condition to TPM to correct this. Note that the original commit
> combines refactoring and new features, which makes it hard to see what
> is going on.
>
> Fixes: 97707f12fda tpm: Support boot measurements
>
> Signed-off-by: Simon Glass <sjg at chromium.org>
> ---
>
>   lib/Kconfig | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 189e6eb31aa..70b32362ada 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -438,10 +438,10 @@ config TPM
>   	bool "Trusted Platform Module (TPM) Support"
>   	depends on DM
>   	imply DM_RNG
> -	select SHA1
> -	select SHA256
> -	select SHA384
> -	select SHA512
> +	select SHA1 if EFI_TCG2_PROTOCOL
> +	select SHA256 if EFI_TCG2_PROTOCOL
> +	select SHA384 if EFI_TCG2_PROTOCOL
> +	select SHA512 if EFI_TCG2_PROTOCOL

You need to consider CONFIG_MEASURED_BOOT which allows measured boot in
the non-UEFI case.

Please, take into account

lib/tpm-v1.c:20:
#error "TPM_AUTH_SESSIONS require SHA1 to be configured, too"

This #error should be replaced by a Kconfig constraint.

I would prefer the select statements to be in lib/efi_loader/Kconfig
under EFI_TCG2_PROTOCOL.

@Ilias, Eddie:

Why do we require SHA1 which is considered insecure?

Shouldn't we change tpm2_supported_algorithms[] to include only
algorithms selected in the configuration? This would allow replacing all
the select statements in Simon's patch by imply.

Best regards

Heinrich

>   	help
>   	  This enables support for TPMs which can be used to provide security
>   	  features for your board. The TPM can be connected via LPC or I2C