[PATCH 0/7] The great TCG deduplication saga
Ilias Apalodimas
ilias.apalodimas at linaro.org
Sat Jun 22 16:35:36 CEST 2024
Hi all,
A while back some TPM measured boot code was moved out of EFI in order to
support !EFI boot methods, e.g bootm, booti etc.
Back then we decided to move the code in the TPM subsystem directly.
In hindsight, we should have created a different library file that hosts
all the TCG specific bits, but better late than never!
Since the algorithms that the TPM supports are only known at runtime, we
unconditionally enabled all hashing algorithms. Simon reported some breakage
lately due to size limitations and he wanted to remove some of the supported
algorithms from those configs. But that's not always safe depending on what
the user expects the TPM to do.
If MEASURED_BOOT or EFI_TCG2_PROTOCOL is enabled our Kconfig will enable
all supported hashing algorithms. Nothing changes there.
This is an attempt to allow users to add a TPM and not enable measured boot
via EFI or bootm and at the same time, control the compiled algorithms for
size reasons, without shooting themselves in the foot.
Functionality has been added that checks the TPM active PCRs banks against
the one U-Boot was compiled with. If all the active PCRs banks are not
enabled refuse to extend a PCR but otherwise leave the TPM functional.
patches #1, #2 have been reposted and are fixes from the code moving
patches #3, #5 get rid of duplicat header entries
patch #4 moves the TCG code out of the TPM in its own file
patch #6 refactors a function so we can use it in both TCG & TPM now
and finally patch #7 adds the desired functionality
The u-boot CI seems happy, my internal CI that tests EFI measured boot in
various scenarios is happy and the EFI eventlog hasn't changed at all pre/post
patches.
I haven't manged to test bootm etc, but that code hasn't changed at all and the CI
tests are passing. Eddie any chance you can test it?
Ilias Apalodimas (7):
tpm: fix the return code, if the eventlog buffer is full
efi_loader: fix the return values on efi_tcg
efi_loader: remove duplicate TCG algo definitions
tpm: Move TCG into a separate library
efi_loader: remove unneeded header files
tpm: Untangle tpm2_get_pcr_info()
tpm: allow the user to select the compiled algorithms
boot/Kconfig | 4 +
boot/bootm.c | 1 +
include/efi_tcg2.h | 9 +-
include/tpm-v2.h | 541 +++++++--------------------
include/tpm_tcg2.h | 349 +++++++++++++++++
lib/Kconfig | 6 +-
lib/Makefile | 2 +
lib/efi_loader/efi_tcg2.c | 124 +++---
lib/tpm-v2.c | 767 +++-----------------------------------
lib/tpm_tcg2.c | 732 ++++++++++++++++++++++++++++++++++++
10 files changed, 1335 insertions(+), 1200 deletions(-)
create mode 100644 include/tpm_tcg2.h
create mode 100644 lib/tpm_tcg2.c
--
2.45.2
More information about the U-Boot
mailing list