u-boot.git/include/tpm-v2.h, branch master Unnamed repository; edit this file 'description' to name the repository. tpm2: add sm3 256 hash support 2025-12-04T15:38:58+00:00 Heiko Schocher hs@nabladev.com 2025-11-18T04:30:41+00:00 7c3f05ad51e4bc23dd4f411f28968f1d8f43099c add sm3 256 hash support, so TPM2 chips which report 5 pcrs with sm3 hash do not fail with: u-boot=> tpm2 autostart tpm2_get_pcr_info: too many pcrs: 5 Error: -90 Signed-off-by: Heiko Schocher <hs@nabladev.com> 
add sm3 256 hash support, so TPM2 chips which report
5 pcrs with sm3 hash do not fail with:

  u-boot=> tpm2 autostart
  tpm2_get_pcr_info: too many pcrs: 5
  Error: -90

Signed-off-by: Heiko Schocher <hs@nabladev.com>
cmd: tpm: Fix attempt to return value not in enum 2025-07-01T05:46:38+00:00 Andrew Goodbody andrew.goodbody@linaro.org 2025-06-30T10:23:39+00:00 1fde88de1609a046285675ab76e8ecd3e7792b2b The function tpm2_name_to_algorithm is defined as returning an enum for the algorithm specified but it also attempts to return an error on failure, but that error is not included in the enum. Add the error to the enum so that it can be returned. This issue was reported by Smatch. Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The function tpm2_name_to_algorithm is defined as returning an
enum for the algorithm specified but it also attempts to return
an error on failure, but that error is not included in the enum.
Add the error to the enum so that it can be returned.

This issue was reported by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add wrapper and helper APIs for PCR allocate 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:48+00:00 b6228b2e785df93fa4a1176d374976a9e2205924 Add PCR allocate wrapper APIs for using in tcg2 protocol. The wrapper proceeds a PCR allocate command, followed by a shutdown command. A system boot is required after two commands since TPM device needs a HW reset to activate the new algorithms config. Also, a helper function is included to determine the new bank mask for PCR allocation by combining the status of current active, supported and eventlog bank masks. A new kconfig is created. PCR allocate and system reboot only happens when the kconfig is selected, otherwise just exit with errors. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add PCR allocate wrapper APIs for using in tcg2 protocol.
The wrapper proceeds a PCR allocate command, followed by a
shutdown command.
A system boot is required after two commands since TPM device needs
a HW reset to activate the new algorithms config.
Also, a helper function is included to determine the new bank mask
for PCR allocation by combining the status of current active,
supported and eventlog bank masks.
A new kconfig is created. PCR allocate and system reboot only
happens when the kconfig is selected, otherwise just exit with
errors.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add TPM2_PCR_Allocate command 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:47+00:00 9d2bc92ba7bba25bb7827848aa4c51534aff904c TPM2_PCR_Allocate command is required to reconfigure a TPM device to enable or disable algorithms in run-time, thus this patch introduces the implementation of PCR allocate APIs and adds related cmd functions for testing. To test the feature, ensure that TPM is started up. Run pcr_allocate command to turn on/off an algorithm, multiple calls are supported and all changes will be cached: `tpm2 pcr_allocate <algorithm_name> <on|off>` Run startup command with argument 'off' to shutdown the TPM. `tpm2 startup TPM2_SU_CLEAR off` Reboot the board via `reset` to activate the changes. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
TPM2_PCR_Allocate command is required to reconfigure a TPM device
to enable or disable algorithms in run-time, thus this patch introduces
the implementation of PCR allocate APIs and adds related cmd functions
for testing.

To test the feature, ensure that TPM is started up.
Run pcr_allocate command to turn on/off an algorithm, multiple calls
are supported and all changes will be cached:
`tpm2 pcr_allocate <algorithm_name> <on|off>`
Run startup command with argument 'off' to shutdown the TPM.
`tpm2 startup TPM2_SU_CLEAR off`
Reboot the board via `reset` to activate the changes.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add TPM2_Shutdown command 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:46+00:00 6d8e52a6e350e1dbf450d02fccdb2ac2b0c036e4 TPM2_shutdown command is sharing same structure and logics with TPM2_startup, thus this patch extends the existing startup APIs and cmd functions to support shutdown instead of created new ones. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
TPM2_shutdown command is sharing same structure and logics with
TPM2_startup, thus this patch extends the existing startup APIs and
cmd functions to support shutdown instead of created new ones.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: update descriptions in tpm headers 2025-01-09T17:11:10+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2024-12-27T12:25:41+00:00 e587b6a8441f39015bda64d61ee5add142bcebb8 * Provide a link to 'TPM 2.0 Library Specification' * Remove outdated comment for TPM2_NUM_PCR_BANKS. The value 16 can be found in the current standard TCG TSS 2.0 Overview and Common Structures Specification 1.0, rev 10 * Describe some of the structures in Sphinx style. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
* Provide a link to 'TPM 2.0 Library Specification'
* Remove outdated comment for TPM2_NUM_PCR_BANKS.
  The value 16 can be found in the current standard
  TCG TSS 2.0 Overview and Common Structures Specification 1.0, rev 10
* Describe some of the structures in Sphinx style.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Keep the active PCRs in the chip private data 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:09+00:00 ffdbf775e71b8160a37ca65bfa38ed037807dbf2 We have a lot of code trying to reason about the active TPM PCRs when creating an EventLog. Since changing the active banks can't be done on the fly and requires a TPM reset, let's store them in the chip private data instead. Upcoming patches will use this during the EventLog creation. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We have a lot of code trying to reason about the active TPM PCRs
when creating an EventLog. Since changing the active banks can't
be done on the fly and requires a TPM reset,  let's store them
in the chip private data instead.

Upcoming patches will use this during the EventLog creation.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Don't create an EventLog if algorithms are misconfigured 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:08+00:00 8dc886ce314282de9d65fac1e8c68ee40d30f678 We already check the active banks vs what U-Boot was compiled with when trying to extend a PCR and we refuse to do so if the TPM active ones don't match the ones U-Boot supports. Do the same thing for the EventLog creation since extending will fail anyway and print a message so the user can figure out the missing algorithms. Co-developed-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We already check the active banks vs what U-Boot was compiled with when
trying to extend a PCR and we refuse to do so if the TPM active ones
don't match the ones U-Boot supports.

Do the same thing for the EventLog creation since extending will fail
anyway and print a message so the user can figure out the missing
algorithms.

Co-developed-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add flag in hash_algo_list and API to check if algorithm is supported 2025-01-07T13:45:51+00:00 Raymond Mao raymond.mao@linaro.org 2024-12-24T16:01:07+00:00 27891e85f3cb3912c737bf36276f830d9d02d6c8 Add a bool var into hash_algo_list to indicate whether the algorithm is supported or not and move the IS_ENABLED to only cover this var. So that we can have the name, hash, mask and size no matter the digest kconfigs are enabled or not. In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to identify an unsupported algorithm when they return 0. It is not the case now when hash_algo_list always provides algorithm size and mask, thus a new API is introduced to check if an algorithm is supported by U-Boot. Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add a bool var into hash_algo_list to indicate whether the algorithm
is supported or not and move the IS_ENABLED to only cover this var.
So that we can have the name, hash, mask and size no matter the
digest kconfigs are enabled or not.

In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to
identify an unsupported algorithm when they return 0.
It is not the case now when hash_algo_list always provides algorithm size
and mask, thus a new API is introduced to check if an algorithm is
supported by U-Boot.

Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Rename tpm2_allow_extend() 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:05+00:00 0698f1331f286d4ed04bc2345de59acd86ee634e When that function was introduced we were only using it to check if extending a PCR was allowed, so the name made sense. A few patches ago we used that function to reason about the EventLog creation and general usage of PCRs , so let's rename it to something more generic that makes more sense in all contexts. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
When that function was introduced we were only using it to check if
extending a PCR was allowed, so the name made sense. A few patches ago
we used that function to reason about the EventLog creation and general
usage of PCRs , so let's rename it to something more generic that makes
more sense in all contexts.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>