[PATCH 2/2] tpm: get tpm event log from bloblist

Raymond Mao raymond.mao at linaro.org
Thu Jan 2 18:13:12 CET 2025


Hi Tom,

On Thu, 2 Jan 2025 at 11:53, Tom Rini <trini at konsulko.com> wrote:

> On Thu, Jan 02, 2025 at 11:00:02AM -0500, Raymond Mao wrote:
> > Hi Tom,
> >
> > On Thu, 2 Jan 2025 at 10:48, Tom Rini <trini at konsulko.com> wrote:
> >
> > > On Thu, Jan 02, 2025 at 10:25:15AM -0500, Raymond Mao wrote:
> > >
> > > [snip]
> > > > As I said, we need a kconfig here to decide whether a user should look for
> > > > TPM log (and all other handoff information defined by the Firmware Handoff
> > > > specification) from the bloblist or not.
> > > > We don't have such kconfig now.
> > >
> > > Why do we need this knob? I don't think that we do. The case of bloblist
> > > not existing where we looked for it needs to work. And the case of the
> > > bloblist not having an entry needs to work (or if it *must* exist,
> > > that's a separate option to add, ie CONFIG_TPM_BLOBLIST_LOG_REQUIRED).
> > >
> > I think this kconfig should not be only for TPM log, but for all general
> > blob tags which are required to be handed over.
> > User should have a choice to hand over *all* required handoff data from a
> > bloblist (if exists) or to stay in each data's own legacy way (from DT or
> > whatever)
> > Aka, the switch should be general and "one for all", otherwise, we have to
> > add multiple CONFIG_XXX_BLOBLIST_REQUIRED in the future.
>
> Since we're just getting this effort really moving forward now, I'd
> like to go with the assumption that bloblists will be complete if
> passed. So if the TPM code wants to do:
> if (IS_ENABLED(CONFIG_BLOBLIST))
>   ... no event log found ... hang("No eventlog in bloblist!") ...
> That's fine and how we can enforce requirements. But we don't know for
> certain what a previous to U-Boot stage will or will not have done. It
> could be TF-A, it could be U-Boot, it could be something else. We also
> don't have a list of strictly required tags, so that too is perhaps part
> of the problem.
>
>
OK. I can update my patch with this logic as a temporary solution.

Actually the tags before "BLOBLISTT_AREA_TF = 0x100" can be regarded as
strictly-required, and, when any of them does not exist, another kconfig
can be introduced for the behaviour whether to hang or to fall back to each
one's legacy handoff method. Both kconfigs can be general and one-for-all.
But yes, I agree we can solve this later when we have a clearer picture.

Thanks and regards,
Raymond
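
The lookup policy discussed in this thread, as an added example that is not part of the patch or of U-Boot: no bloblist means the legacy path is used, while a bloblist that was passed but lacks the event log is fatal. The record layout, the tag value, and the names find_tag(), locate_evlog() and EX_TAG_EVLOG are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout for this example only (not the Firmware Handoff
 * wire format): u32 tag, u32 payload length, payload padded to 8 bytes. */
#define EX_TAG_EVLOG 5u /* tag value assumed for the example */

enum evlog_src { EVLOG_FROM_BLOBLIST, EVLOG_FROM_LEGACY, EVLOG_FATAL };

/* Bounds-checked walk over the records; returns the payload or NULL. */
static const uint8_t *find_tag(const uint8_t *bl, size_t len, uint32_t tag,
                               uint32_t *plen)
{
    size_t off = 0;

    while (len - off >= 8) {
        uint32_t t, n;
        size_t adv;

        memcpy(&t, bl + off, 4);
        memcpy(&n, bl + off + 4, 4);
        if (n > len - off - 8)
            return NULL; /* record overruns the list: treat as not found */
        if (t == tag) {
            *plen = n;
            return bl + off + 8;
        }
        adv = 8 + (((size_t)n + 7) & ~(size_t)7);
        if (adv > len - off)
            return NULL;
        off += adv;
    }
    return NULL;
}

/* Policy from the thread: no bloblist at all must still work (legacy path);
 * a bloblist that was passed is assumed complete, so a missing log is fatal
 * (the caller would hang()) rather than a silent fallback. */
enum evlog_src locate_evlog(const uint8_t *bl, size_t len,
                            const uint8_t **log, uint32_t *log_len)
{
    *log = NULL;
    *log_len = 0;
    if (!bl)
        return EVLOG_FROM_LEGACY;
    *log = find_tag(bl, len, EX_TAG_EVLOG, log_len);
    return *log ? EVLOG_FROM_BLOBLIST : EVLOG_FATAL;
}
```

A record whose length field overruns the list is treated the same as a missing log, so a corrupt handoff ends in the fatal case instead of the legacy path.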

