[PATCH v3 0/6] Add support for SM3 secure hash
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Nov 19 08:18:34 CET 2025
Hi Heiko,
On Wed, 19 Nov 2025 at 07:40, Heiko Schocher <hs at nabladev.com> wrote:
>
> Hi Raymond, Ilias,
>
> On 18.11.25 16:11, Raymond Mao wrote:
> > Hi Heiko,
> >
> > On Mon, Nov 17, 2025 at 11:30 PM Heiko Schocher <hs at nabladev.com> wrote:
> >
> >
> > Add SM3 secure hash, as specified by OSCCA GM/T 0004-2012 SM3 and described
> > at https://datatracker.ietf.org/doc/html/draft-sca-cfrg-sm3-02
> >
> > TPMv2 defines hash algo sm3_256, which is currently
> > not supported and prevented a TPMv2 chip with newer
> > firmware from working with U-Boot. Seen this on a ST33TPHF2XI2C
> >
> > u-boot=> tpm2 init
> > u-boot=> tpm2 autostart
> > tpm2_get_pcr_info: too many pcrs: 5
> > Error: -90
> > u-boot=>
> >
> > Implement sm3 hash, so we can fix this problem.
> >
> >
> > Did you add a Measured Boot CI test for SM3 on any boards? The QEMU test with swtpm I added might
> > not work since it does not support SM3 (currently it is configured to SHA256 only).
>
> Not yet, I have to look at how I can set this up, as Ilias also mentioned
> that. Any chance to set this up with QEMU and swtpm? Ah, if I see it
> correctly, no SM3 support yet in swtpm?
Yes that's the problem. swtpm does not support SM3 and I can't test
locally. If you just boot any OS, the measurements should appear since
the functionality is supported by all the major distros and OE.
Regards
/Ilias
>
> bye,
> Heiko
> >
> > Raymond
> >
> > Azure build:
> > https://dev.azure.com/hs0298/hs/_build/results?buildId=194&view=results
> >
> > Changes in v3:
> > Added Reviewed-by from Ilias
> > rebased series to
> > commit: 69cc92d6869 ("Merge tag 'efi-2026-01-rc3' of
> > https://source.denx.de/u-boot/custodians/u-boot-efi")
> > add comments from Ilias
> > - use sizeof(*sctx) instead of sizeof(struct sm3_context)
> > - use output[] instead of output[SM3_DIGEST_SIZE] comment from Ilias
> > This led to a CI error:
> > +lib/sm3.c:241:50: error: argument 2 of type ‘uint8_t[]’ {aka ‘unsigned char[]’} with
> > mismatched bound [-Werror=array-parameter=]
> > + 241 | void sm3_final(struct sm3_context *sctx, uint8_t output[])
> > + | ~~~~~~~~^~~~~~~~
> > see:
> > https://dev.azure.com/hs0298/hs/_build/results?buildId=192&view=logs&j=182673a4-17b9-5c0c-69ad-98f742450579&t=34b689f8-3e29-5ffe-50ea-32bfe99f47c7&l=334
> > so made this change back to v2 state of the series, to have the same
> > arguments as the other hashes in lib/
> > - separate linux and U-Boot parts into 2 commits
> > New in version 3 as Ilias recommended to split linux
> > and U-boot changes.
> > use CMD_TEST instead of DM_TEST, as Heinrich confirmed
> > add comment from Ilias
> > - add SM3 support in tcg2_hash_pe_image()
> > Added Reviewed-by from Ilias
> >
> > Changes in v2:
> > rebase to
> > 6b27b688694: ("Merge branch 'master' of https://source.denx.de/u-boot/custodians/u-boot-sh")
> > add Ilias to Series-cc
> > add sm3_hash to header file, so we can use it.
> > add comments from Ilias
> > - use ARRAY_SIZE(hash_algo_list) instead of a fixed number
> > in tpm2_get_pcr_info() for the count of supported hashes
> > in U-Boot.
> > - add SM3 hash in tpm_tcg2
> > Added Reviewed-by tag from Heinrich
> >
> > Heiko Schocher (6):
> > lib: Import rol32 function from Linux
> > lib: import sm3 256 hash parts from linux
> > lib: sm3: implement U-Boot parts
> > test: cmd: hash: add unit test for sm3_256
> > tpm2: add sm3 256 hash support
> > test: cmd: fix a typo in md5 test
> >
> > MAINTAINERS | 7 +
> > boot/Kconfig | 1 +
> > cmd/Kconfig | 15 ++
> > cmd/Makefile | 1 +
> > cmd/sm3sum.c | 48 ++++++
> > cmd/tpm-v2.c | 1 +
> > common/hash.c | 42 ++++-
> > include/linux/bitops.h | 11 ++
> > include/tpm-v2.h | 12 ++
> > include/u-boot/sm3.h | 35 +++++
> > lib/Kconfig | 7 +
> > lib/Makefile | 1 +
> > lib/efi_loader/efi_tcg2.c | 3 +
> > lib/sm3.c | 312 ++++++++++++++++++++++++++++++++++++++
> > lib/tpm-v2.c | 4 +-
> > lib/tpm_tcg2.c | 9 ++
> > test/cmd/hash.c | 49 +++++-
> > 17 files changed, 554 insertions(+), 4 deletions(-)
> > create mode 100644 cmd/sm3sum.c
> > create mode 100644 include/u-boot/sm3.h
> > create mode 100644 lib/sm3.c
> >
> > --
> > 2.20.1
> >
> > base-commit: 69cc92d6869b8ff4591e5b8850872da34934bab9
> >
>
> --
> Nabla Software Engineering
> HRB 40522 Augsburg
> Phone: +49 821 45592596
> E-Mail: office at nabladev.com
> Managing Director: Stefano Babic