Pull request for tpm-master-07012025

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Jan 8 08:19:33 CET 2025


The following changes since commit 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72:

  Prepare v2025.01 (2025-01-06 18:54:44 -0600)

are available in the Git repository at:

  https://source.denx.de/u-boot/custodians/u-boot-tpm/ tags/tpm-master-07012025

for you to fetch changes up to 70a3f0efa1a8ac5e13bb06660f602deb75360dc8:

  tpm: update descriptions in tpm headers (2025-01-07 15:45:52 +0200)

The CI at https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/24102
showed no errors. Also my internal CI that tests replaying the TF-A generated
EventLog passed with no issues.

Please pull!
/Ilias
----------------------------------------------------------------
A few changes for the TPM subsystem wrt EventLog creation and measurements.

Generally speaking it's insecure for a TPM to not cap all the active PCRs
when performing measurements.
Up to now we had code querying the active PCR banks on the fly and reasoning
whether it should perform a measurement or not. Since a TPM requires a reset
to change the active PCR banks, it's easier and faster to store them in an
array in the device private data and check against that.

This relates to an interesting feature some bootloaders have. For example
TF-A can't extend a PCR since it has no TPM drivers, but can produce an
EventLog that U-Boot can replay on the hardware once that comes up.
The supported hash algorithms of the TF-A generated EventLog are generated
at compile time. When trying to replay an EventLog the TPM active PCR banks
and the created EventLog algorithms must agree. We used to report an error
but that changed in commit 97707f12fdab ("tpm: Support boot measurements").

This PR also brings up the old behavior and an error is reported now while
printing a human-readable list of the mismatched algorithms.

----------------------------------------------------------------
Heinrich Schuchardt (1):
      tpm: update descriptions in tpm headers

Ilias Apalodimas (7):
      tpm: Rename tpm2_is_active_pcr()
      tpm: Rename tpm2_allow_extend()
      tpm: Don't create an EventLog if algorithms are misconfigured
      tpm: Keep the active PCRs in the chip private data
      tpm: Simplify tcg2_create_digest()
      tpm: Simplify tcg2_log_init()
      tpm: Don't replay an EventLog if tcg2_log_parse() fails

Raymond Mao (3):
      tpm: refactor tcg2_get_pcr_info()
      tpm: add flag in hash_algo_list and API to check if algorithm is supported
      tpm: add kconfig control in tcg2_create_digest()

 include/tpm-common.h |  16 ++++-
 include/tpm-v2.h     |  99 ++++++++++++++++++++-------
 include/tpm_tcg2.h   |  12 ++--
 lib/tpm-v2.c         |  72 +++++++++++++++++--
 lib/tpm_tcg2.c       | 190 +++++++++++++++++++++++++++------------------------
 5 files changed, 258 insertions(+), 131 deletions(-)
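
The agreement check between the TPM's active PCR banks and the EventLog's algorithms that the message describes, sketched as an added example (not code from this pull request or from U-Boot). The function names, the bitmask layout and the sample values are assumptions; the algorithm IDs are the TCG Algorithm Registry values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* TCG Algorithm Registry IDs. All names here are hypothetical, not U-Boot's. */
static const struct { uint16_t alg_id; const char *name; } banks[] = {
	{ 0x0004, "sha1" }, { 0x000B, "sha256" }, { 0x000C, "sha384" }, { 0x000D, "sha512" } };
#define NBANKS (sizeof(banks) / sizeof(banks[0]))

/* Bitmask (bit j = banks[j]) from algorithm IDs; -1 on an unknown ID. */
int ids_to_mask(const uint16_t *ids, size_t n, uint32_t *mask)
{
	*mask = 0;
	for (size_t i = 0; i < n; i++) {
		size_t j = 0;
		while (j < NBANKS && banks[j].alg_id != ids[i])
			j++;
		if (j == NBANKS)
			return -1;
		*mask |= 1u << j;
	}
	return 0;
}

/* Write the names of the banks set in mask into out, space separated. */
static void names(uint32_t mask, char *out, size_t len)
{
	out[0] = '\0';
	for (size_t j = 0; j < NBANKS; j++)
		if (mask & (1u << j))
			snprintf(out + strlen(out), len - strlen(out), "%s%s",
				 out[0] ? " " : "", banks[j].name);
}

/* 0 when log and TPM agree. Otherwise -1, with active banks the log would leave
 * unextended in `uncapped` and log algorithms the TPM has inactive in `inactive`. */
int check_replay(uint32_t active, uint32_t logged, char *uncapped, char *inactive, size_t len)
{
	names(active & ~logged, uncapped, len);
	names(logged & ~active, inactive, len);
	return active == logged ? 0 : -1;
}

int main(void)
{
	/* Constructed sample: TPM has sha1+sha256 active, log carries sha256+sha384. */
	uint16_t tpm[] = { 0x0004, 0x000B }, evl[] = { 0x000B, 0x000C };
	uint32_t a, l; char u[64], n[64];
	if (!ids_to_mask(tpm, 2, &a) && !ids_to_mask(evl, 2, &l) && check_replay(a, l, u, n, 64))
		printf("not replaying: uncapped [%s], inactive [%s]\n", u, n);
	return 0;
}
```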

