[PATCH] tpm: Export the function to set up the TPM log
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Jun 11 22:58:16 CEST 2025
Hi Simon,
On Thu, 5 Jun 2025 at 20:29, Simon Glass <sjg at chromium.org> wrote:
> Hi Ilias,
>
> On Sat, 24 May 2025 at 12:24, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > On Sat, 24 May 2025 at 20:59, Ilias Apalodimas
> > <ilias.apalodimas at linaro.org> wrote:
> > >
> > > Thanks Tom
> > >
> > > On Sat, 24 May 2025 at 17:26, Tom Rini <trini at konsulko.com> wrote:
> > > >
> > > > On Sat, May 24, 2025 at 08:13:46AM -0600, Simon Glass wrote:
> > > >
> > > > > In some cases, we may wish to set up the TPM log under full control of
> > > > > a driver in U-Boot. Export the required function to make this possible.
> > > > >
> > > > > This avoids calling the weak function tcg2_platform_get_log() when the
> > > > > caller already knows where the log is.
> > >
> > > This doesn't make too much sense to me. If the caller knows where the
> > > log is, he needs to replay it in hardware. Which also means you need
> > > to check the logs vs the active PCR banks.
> > >
> > > This has all been abstracted in tcg2_measurement_init().
> > > The UEFI subsystem calls tcg2_log_prepare_buffer(), but that's a
> > > remnant from when measured boot was only supported in EFI. I was
> > > planning to get rid of it and call tcg2_measurement_init() from EFI as
> > > well.
> > >
> > > Is there a reason you can't use that? Is it slowing down the boot time
> > > significantly?
> > >
> >
> > Oh, and looking at it a bit closer, calling tcg2_log_init() doesn't add
> > an EV_S_CRTM_VERSION event, which makes the generated eventlog violate
> > the spec. So that function should just remain static.
>
> My intent here is to have U-Boot setup the TPM and start measurements.
>
> If you look at tcg2_log_prepare_buffer(), it calls the weak function
> tcg2_platform_get_log() to try to find a log, then looks for some
> devicetree properties. None of that code is useful for my case and it
> makes things quite confusing.
Why? What's the confusing part? It tries to replay an EventLog and
configure the hardware correctly, if the PCRs are not exten
> The event is added by the caller in my
> case, but I suppose we could change that with a bit more refactoring.
>
Do the PCRs match the eventlog at that point?
> If it helps, the code which calls into the TPM layer is something like
> this:
>
> 	struct tcg2_event_log *elog = &priv->elog;
>
> 	blob = bloblist_add(BLOBLISTT_TPM_EVLOG, priv->tpm_log_size,
> 			    ALIGN_LOG2);
> 	if (!blob)
> 		return log_msg_ret("sps", -ENOSPC);
>
> 	elog->log = blob;
> 	elog->log_size = priv->tpm_log_size;
> 	ret = tcg2_log_init(tpm, elog);
> 	if (ret)
> 		return log_msg_ret("spi", ret);
>
> 	ret = tpm_auto_start(tpm);
> 	if (ret)
> 		return log_msg_ret("spa", ret);
>
> 	ret = tcg2_measure_event(tpm, elog, 0, EV_S_CRTM_VERSION,
> 				 strlen(version_string) + 1, version_string);
> 	if (ret) {
> 		tcg2_measurement_term(tpm, elog, true);
> 		return log_msg_ret("spe", ret);
> 	}
>
I really prefer to keep the unified version. Searching and replaying an
EventLog is something that is already working for TF-A.
I don't want to create special cases. tcg2_log_prepare_buffer() seems to
match what you want to do here.
Thanks
/Ilias
>
> [..]
>
> Regards,
> Simon
>
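The two checks Ilias raises in the thread, that an inherited EventLog has to be replayed against the active PCR banks before U-Boot trusts it, and that a log without an EV_S_CRTM_VERSION event in PCR 0 is not spec-conformant, are what a host-side verifier does as well. The following is an added example, not U-Boot or TF-A code: it builds a small TCG2 crypto-agile log (TCG_EfiSpecIdEvent header followed by TCG_PCR_EVENT2 entries) from constructed events, parses it, replays the SHA-256 digests into software PCRs, and reports mismatches against a given PCR bank. It assumes a single SHA-256 bank and little-endian layout; the event type and algorithm constants are the public TCG values.

```python
"""Replay a TCG2 crypto-agile TPM event log and check it against PCR values.

Added example (not U-Boot code). The log bytes below are constructed inline.
"""
import hashlib
import struct

EV_NO_ACTION = 0x3
EV_SEPARATOR = 0x4
EV_S_CRTM_VERSION = 0x8
TPM2_ALG_SHA1 = 0x0004
TPM2_ALG_SHA256 = 0x000B
ALG_INFO = {TPM2_ALG_SHA1: ("sha1", 20), TPM2_ALG_SHA256: ("sha256", 32)}
# Event types whose digest is, per the PC Client profile, taken over the event data itself
DIGEST_OVER_PAYLOAD = (EV_S_CRTM_VERSION, EV_SEPARATOR)


def build_log(events):
    """Construct a log: SHA-1 format Spec ID header + one TCG_PCR_EVENT2 per (pcr, type, payload).

    Only a SHA-256 bank is advertised; every digest is sha256(payload)."""
    spec = b"Spec ID Event03\0"                      # signature[16]
    spec += struct.pack("<I", 0)                     # platformClass
    spec += bytes([0, 2, 2, 2])                      # specVersionMinor/Major, errata, uintnSize
    spec += struct.pack("<I", 1)                     # numberOfAlgorithms
    spec += struct.pack("<HH", TPM2_ALG_SHA256, 32)  # digestSizes[0]
    spec += b"\0"                                    # vendorInfoSize = 0
    log = struct.pack("<II", 0, EV_NO_ACTION) + bytes(20) + struct.pack("<I", len(spec)) + spec
    for pcr, etype, payload in events:
        digest = hashlib.sha256(payload).digest()
        log += struct.pack("<III", pcr, etype, 1) + struct.pack("<H", TPM2_ALG_SHA256) + digest
        log += struct.pack("<I", len(payload)) + payload
    return log


def parse_log(log):
    """Return [(pcr, event_type, {alg: digest}, payload), ...] for the TCG_PCR_EVENT2 entries."""
    off = 0
    pcr, etype = struct.unpack_from("<II", log, off)
    off += 8 + 20                                     # header event uses a fixed SHA-1 sized digest
    (size,) = struct.unpack_from("<I", log, off)
    off += 4
    spec = log[off:off + size]
    off += size
    if pcr != 0 or etype != EV_NO_ACTION or not spec.startswith(b"Spec ID Event03"):
        raise ValueError("log does not start with a TCG_EfiSpecIdEvent")
    (nalgs,) = struct.unpack_from("<I", spec, 24)
    algs = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(nalgs))
    events = []
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            off += 2
            if alg not in algs:
                raise ValueError(f"digest algorithm {alg:#x} not declared in the Spec ID event")
            digests[alg] = log[off:off + algs[alg]]
            off += algs[alg]
        (esize,) = struct.unpack_from("<I", log, off)
        off += 4
        events.append((pcr, etype, digests, log[off:off + esize]))
        off += esize
    return events


def replay(events, alg=TPM2_ALG_SHA256):
    """Software PCR extend: PCR[n] = H(PCR[n] || digest) starting from all-zero PCRs."""
    name, size = ALG_INFO[alg]
    pcrs = {}
    for pcr, _etype, digests, _payload in events:
        if alg not in digests:
            raise ValueError(f"event in PCR {pcr} has no digest for the active bank")
        pcrs[pcr] = hashlib.new(name, pcrs.get(pcr, bytes(size)) + digests[alg]).digest()
    return pcrs


def check_log(log, bank, alg=TPM2_ALG_SHA256):
    """Return a list of problems; an empty list means the log is consistent with `bank`."""
    name, _ = ALG_INFO[alg]
    events = parse_log(log)
    problems = []
    if not any(p == 0 and t == EV_S_CRTM_VERSION for p, t, _, _ in events):
        problems.append("no EV_S_CRTM_VERSION event in PCR 0")
    for pcr, etype, digests, payload in events:
        if etype in DIGEST_OVER_PAYLOAD and hashlib.new(name, payload).digest() != digests[alg]:
            problems.append(f"PCR {pcr} event type {etype:#x}: digest does not match event data")
    expected = replay(events, alg)
    for pcr in sorted(expected):
        if bank.get(pcr) != expected[pcr]:
            problems.append(f"PCR {pcr} does not match the replayed log")
    return problems


# Constructed sample: a CRTM version measurement and two separators, as a firmware stage might log
GOOD_LOG = build_log([(0, EV_S_CRTM_VERSION, b"U-Boot 2025.07\0"),
                      (0, EV_SEPARATOR, b"\0\0\0\0"),
                      (7, EV_SEPARATOR, b"\0\0\0\0")])


def matching_bank(log):
    """Simulate a TPM whose PCRs were extended exactly as the log records."""
    return replay(parse_log(log))


if __name__ == "__main__":
    print("consistent log:", check_log(GOOD_LOG, matching_bank(GOOD_LOG)))
    tampered = matching_bank(GOOD_LOG)
    tampered[0] = bytes(32)
    print("PCR 0 never extended:", check_log(GOOD_LOG, tampered))
```

If `check_log` returns anything, the firmware should not silently continue with the inherited log; the safe options are to treat the measurements as untrusted or to cap the affected PCRs, which is the decision tcg2_measurement_init() has to make when a log is handed over by an earlier stage.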