[PATCH 2/9] tpm: Avoid code bloat when not using EFI_TCG2_PROTOCOL

Simon Glass sjg at chromium.org
Wed Jun 12 22:24:30 CEST 2024 

Hi Heinrich,

On Tue, 4 Jun 2024 at 22:15, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 6/5/24 05:25, Simon Glass wrote:
> > It does not make sense to enable all SHA algorithms unless they are
> > needed. It bloats the code and in this case, causes chromebook_link to
> > fail to build.
>
> Why would chromebook_link fail to build?

Because U-Boot suddenly grew a lot due to that commit. It broke out of
the bounds of its SPI-flash region.

> Is TPM used by U-Boot on that board at all?

Yes, but only for tests.

>
> >
> > Add a condition to TPM to correct this. Note that the original commit
> > combines refactoring and new features, which makes it hard to see what
> > is going on.
> >
> > Fixes: 97707f12fda tpm: Support boot measurements
> >
> > Signed-off-by: Simon Glass <sjg at chromium.org>
> > ---
> >
> >   lib/Kconfig | 8 ++++----
> >   1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/lib/Kconfig b/lib/Kconfig
> > index 189e6eb31aa..70b32362ada 100644
> > --- a/lib/Kconfig
> > +++ b/lib/Kconfig
> > @@ -438,10 +438,10 @@ config TPM
> >       bool "Trusted Platform Module (TPM) Support"
> >       depends on DM
> >       imply DM_RNG
> > -     select SHA1
> > -     select SHA256
> > -     select SHA384
> > -     select SHA512
> > +     select SHA1 if EFI_TCG2_PROTOCOL
> > +     select SHA256 if EFI_TCG2_PROTOCOL
> > +     select SHA384 if EFI_TCG2_PROTOCOL
> > +     select SHA512 if EFI_TCG2_PROTOCOL
>
> You need to consider CONFIG_MEASURED_BOOT which allows measured boot in
> the non-UEFI case.
>
> Please, take into account
>
> lib/tpm-v1.c:20:
> #error "TPM_AUTH_SESSIONS require SHA1 to be configured, too"
>
> This #error should be replaced by a Kconfig constraint.
>
> I would prefer the select statements to be in lib/efi_loader/Kconfig
> under EFI_TCG2_PROTOCOL.
>
> @Ilias, Eddie:
>
> Why do we require SHA1 which is considered insecure?
>
> Shouldn't we change tpm2_supported_algorithms[] to include only
> algorithms selected in the configuration? This would allow replacing all
> the select statements in Simon's patch by imply.

I attempted that in v2.

>
> Best regards
>
> Heinrich
>
> >       help
> >         This enables support for TPMs which can be used to provide security
> >         features for your board. The TPM can be connected via LPC or I2C
>

Regards,
Simon

More information about the U-Boot mailing list