[PATCH v2 4/5] tpm2: add sm3 256 hash support

Heiko Schocher hs at nabladev.com
Wed Nov 12 05:46:16 CET 2025 

Hello Ilias,

On 11.11.25 10:34, Ilias Apalodimas wrote:
> Hi Heiko,
> 
> This all looks reasonable.
> There's one place I forgot to mention though.   tcg2_hash_pe_image()
> also needs SM3 support.

I take a look!

> The easier way to test that SM3 is working is boot your device and
> look at the PCR measurements
> - 'tpm2_pcrread' -- The SM3 bank should be != 0
> - tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
> should also include SM3

I give it a try ...

Thanks!

bye,
Heiko
> 
> Thanks
> /Ilias
> 
> On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <hs at nabladev.com> wrote:
>>
>> add sm3 256 hash support, so TPM2 chips which report
>> 5 pcrs with sm3 hash do not fail with:
>>
>>    u-boot=> tpm2 autostart
>>    tpm2_get_pcr_info: too many pcrs: 5
>>    Error: -90
>>
>> Signed-off-by: Heiko Schocher <hs at nabladev.com>
>>
>> ---
>>
>> Changes in v2:
>> add comments from Ilias
>> - use ARRAY_SIZE(hash_algo_list) instead of a fix number
>>    in tpm2_get_pcr_info() for the count of supported hashes
>>    in U-Boot.
>> - add SM3 hash in tpm_tcg2
>>
>>   cmd/tpm-v2.c     |  1 +
>>   include/tpm-v2.h | 12 ++++++++++++
>>   lib/tpm-v2.c     |  4 ++--
>>   lib/tpm_tcg2.c   |  9 +++++++++
>>   4 files changed, 24 insertions(+), 2 deletions(-)
>>
>> diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
>> index 346e21d27bb..847b2691581 100644
>> --- a/cmd/tpm-v2.c
>> +++ b/cmd/tpm-v2.c
>> @@ -589,6 +589,7 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
>>   "        * sha256\n"
>>   "        * sha384\n"
>>   "        * sha512\n"
>> +"        * sm3_256\n"
>>   "    <on|off> is one of:\n"
>>   "        * on  - Select all available PCRs associated with the specified\n"
>>   "                algorithm (bank)\n"
>> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
>> index f3eb2ef5643..a776d24d71f 100644
>> --- a/include/tpm-v2.h
>> +++ b/include/tpm-v2.h
>> @@ -345,6 +345,18 @@ static const struct digest_info hash_algo_list[] = {
>>                  false,
>>   #endif
>>          },
>> +       {
>> +               "sm3_256",
>> +               TPM2_ALG_SM3_256,
>> +               TCG2_BOOT_HASH_ALG_SM3_256,
>> +               TPM2_SM3_256_DIGEST_SIZE,
>> +#if IS_ENABLED(CONFIG_SM3)
>> +               true,
>> +#else
>> +               false,
>> +#endif
>> +       },
>> +
>>   };
>>
>>   /* NV index attributes */
>> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
>> index 5b21c57ae42..f443b738f82 100644
>> --- a/lib/tpm-v2.c
>> +++ b/lib/tpm-v2.c
>> @@ -686,10 +686,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs)
>>
>>          pcrs->count = get_unaligned_be32(response);
>>          /*
>> -        * We only support 4 algorithms for now so check against that
>> +        * check against the supported algorithms in hash_algo_list,
>>           * instead of TPM2_NUM_PCR_BANKS
>>           */
>> -       if (pcrs->count > 4 || pcrs->count < 1) {
>> +       if (pcrs->count > ARRAY_SIZE(hash_algo_list) || pcrs->count < 1) {
>>                  printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
>>                  return -EMSGSIZE;
>>          }
>> diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c
>> index c314b401d0b..d41228f75a9 100644
>> --- a/lib/tpm_tcg2.c
>> +++ b/lib/tpm_tcg2.c
>> @@ -12,6 +12,7 @@
>>   #include <u-boot/sha1.h>
>>   #include <u-boot/sha256.h>
>>   #include <u-boot/sha512.h>
>> +#include <u-boot/sm3.h>
>>   #include <version_string.h>
>>   #include <asm/io.h>
>>   #include <linux/bitops.h>
>> @@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 *input, u32 length,
>>                          sha512_finish(&ctx_512, final);
>>                          len = TPM2_SHA512_DIGEST_SIZE;
>>                          break;
>> +#endif
>> +#if IS_ENABLED(CONFIG_SM3)
>> +               case TPM2_ALG_SM3_256:
>> +                       sm3_hash(input, length, final);
>> +                       len = TPM2_SM3_256_DIGEST_SIZE;
>> +                       break;
>>   #endif
>>                  default:
>>                          printf("%s: unsupported algorithm %x\n", __func__,
>> @@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log *elog,
>>                          case TPM2_ALG_SHA256:
>>                          case TPM2_ALG_SHA384:
>>                          case TPM2_ALG_SHA512:
>> +                       case TPM2_ALG_SM3_256:
>>                                  len = tpm2_algorithm_to_len(algo);
>>                                  break;
>>                          default:
>> @@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct tcg2_event_log *elog,
>>                  case TPM2_ALG_SHA256:
>>                  case TPM2_ALG_SHA384:
>>                  case TPM2_ALG_SHA512:
>> +               case TPM2_ALG_SM3_256:
>>                          len = get_unaligned_le16(&event->digest_sizes[i].digest_size);
>>                          if (tpm2_algorithm_to_len(algo) != len) {
>>                                  log_err("EventLog invalid algorithm length\n");
>> --
>> 2.20.1
>>

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office at nabladev.com
Geschäftsführer : Stefano Babic

More information about the U-Boot mailing list