u-boot.git/lib/tpm-v2.c, branch next Unnamed repository; edit this file 'description' to name the repository. tpm2: add sm3 256 hash support 2025-12-04T15:38:58+00:00 Heiko Schocher hs@nabladev.com 2025-11-18T04:30:41+00:00 7c3f05ad51e4bc23dd4f411f28968f1d8f43099c add sm3 256 hash support, so TPM2 chips which report 5 pcrs with sm3 hash do not fail with: u-boot=> tpm2 autostart tpm2_get_pcr_info: too many pcrs: 5 Error: -90 Signed-off-by: Heiko Schocher <hs@nabladev.com> 
add sm3 256 hash support, so TPM2 chips which report
5 pcrs with sm3 hash do not fail with:

  u-boot=> tpm2 autostart
  tpm2_get_pcr_info: too many pcrs: 5
  Error: -90

Signed-off-by: Heiko Schocher <hs@nabladev.com>
tpm: Make use of TPM2_ALG_INVAL from enum 2025-07-01T05:46:38+00:00 Andrew Goodbody andrew.goodbody@linaro.org 2025-06-30T10:23:40+00:00 8280d2a77ffe72727ef1c729861231b523680dfb Now that the enum includes TPM2_ALG_INVAL, use that name in the code. Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Now that the enum includes TPM2_ALG_INVAL, use that name in the
code.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: PCR allocate during PCR extend to disable the unsupported algorithms 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:50+00:00 e7e166dabf129aae1fc57fe637ffc37d022ea45a During PCR extend process, if any unsupported algorithms are active, try to use PCR allocate to inactivate them. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
During PCR extend process, if any unsupported algorithms are active,
try to use PCR allocate to inactivate them.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add wrapper and helper APIs for PCR allocate 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:48+00:00 b6228b2e785df93fa4a1176d374976a9e2205924 Add PCR allocate wrapper APIs for using in tcg2 protocol. The wrapper proceeds a PCR allocate command, followed by a shutdown command. A system boot is required after two commands since TPM device needs a HW reset to activate the new algorithms config. Also, a helper function is included to determine the new bank mask for PCR allocation by combining the status of current active, supported and eventlog bank masks. A new kconfig is created. PCR allocate and system reboot only happens when the kconfig is selected, otherwise just exit with errors. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add PCR allocate wrapper APIs for using in tcg2 protocol.
The wrapper proceeds a PCR allocate command, followed by a
shutdown command.
A system boot is required after two commands since TPM device needs
a HW reset to activate the new algorithms config.
Also, a helper function is included to determine the new bank mask
for PCR allocation by combining the status of current active,
supported and eventlog bank masks.
A new kconfig is created. PCR allocate and system reboot only
happens when the kconfig is selected, otherwise just exit with
errors.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add TPM2_PCR_Allocate command 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:47+00:00 9d2bc92ba7bba25bb7827848aa4c51534aff904c TPM2_PCR_Allocate command is required to reconfigure a TPM device to enable or disable algorithms in run-time, thus this patch introduces the implementation of PCR allocate APIs and adds related cmd functions for testing. To test the feature, ensure that TPM is started up. Run pcr_allocate command to turn on/off an algorithm, multiple calls are supported and all changes will be cached: `tpm2 pcr_allocate <algorithm_name> <on|off>` Run startup command with argument 'off' to shutdown the TPM. `tpm2 startup TPM2_SU_CLEAR off` Reboot the board via `reset` to activate the changes. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
TPM2_PCR_Allocate command is required to reconfigure a TPM device
to enable or disable algorithms in run-time, thus this patch introduces
the implementation of PCR allocate APIs and adds related cmd functions
for testing.

To test the feature, ensure that TPM is started up.
Run pcr_allocate command to turn on/off an algorithm, multiple calls
are supported and all changes will be cached:
`tpm2 pcr_allocate <algorithm_name> <on|off>`
Run startup command with argument 'off' to shutdown the TPM.
`tpm2 startup TPM2_SU_CLEAR off`
Reboot the board via `reset` to activate the changes.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add TPM2_Shutdown command 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:46+00:00 6d8e52a6e350e1dbf450d02fccdb2ac2b0c036e4 TPM2_shutdown command is sharing same structure and logics with TPM2_startup, thus this patch extends the existing startup APIs and cmd functions to support shutdown instead of created new ones. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
TPM2_shutdown command is sharing same structure and logics with
TPM2_startup, thus this patch extends the existing startup APIs and
cmd functions to support shutdown instead of created new ones.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Keep the active PCRs in the chip private data 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:09+00:00 ffdbf775e71b8160a37ca65bfa38ed037807dbf2 We have a lot of code trying to reason about the active TPM PCRs when creating an EventLog. Since changing the active banks can't be done on the fly and requires a TPM reset, let's store them in the chip private data instead. Upcoming patches will use this during the EventLog creation. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We have a lot of code trying to reason about the active TPM PCRs
when creating an EventLog. Since changing the active banks can't
be done on the fly and requires a TPM reset,  let's store them
in the chip private data instead.

Upcoming patches will use this during the EventLog creation.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Don't create an EventLog if algorithms are misconfigured 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:08+00:00 8dc886ce314282de9d65fac1e8c68ee40d30f678 We already check the active banks vs what U-Boot was compiled with when trying to extend a PCR and we refuse to do so if the TPM active ones don't match the ones U-Boot supports. Do the same thing for the EventLog creation since extending will fail anyway and print a message so the user can figure out the missing algorithms. Co-developed-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We already check the active banks vs what U-Boot was compiled with when
trying to extend a PCR and we refuse to do so if the TPM active ones
don't match the ones U-Boot supports.

Do the same thing for the EventLog creation since extending will fail
anyway and print a message so the user can figure out the missing
algorithms.

Co-developed-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add flag in hash_algo_list and API to check if algorithm is supported 2025-01-07T13:45:51+00:00 Raymond Mao raymond.mao@linaro.org 2024-12-24T16:01:07+00:00 27891e85f3cb3912c737bf36276f830d9d02d6c8 Add a bool var into hash_algo_list to indicate whether the algorithm is supported or not and move the IS_ENABLED to only cover this var. So that we can have the name, hash, mask and size no matter the digest kconfigs are enabled or not. In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to identify an unsupported algorithm when they return 0. It is not the case now when hash_algo_list always provides algorithm size and mask, thus a new API is introduced to check if an algorithm is supported by U-Boot. Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add a bool var into hash_algo_list to indicate whether the algorithm
is supported or not and move the IS_ENABLED to only cover this var.
So that we can have the name, hash, mask and size no matter the
digest kconfigs are enabled or not.

In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to
identify an unsupported algorithm when they return 0.
It is not the case now when hash_algo_list always provides algorithm size
and mask, thus a new API is introduced to check if an algorithm is
supported by U-Boot.

Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Rename tpm2_allow_extend() 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:05+00:00 0698f1331f286d4ed04bc2345de59acd86ee634e When that function was introduced we were only using it to check if extending a PCR was allowed, so the name made sense. A few patches ago we used that function to reason about the EventLog creation and general usage of PCRs , so let's rename it to something more generic that makes more sense in all contexts. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
When that function was introduced we were only using it to check if
extending a PCR was allowed, so the name made sense. A few patches ago
we used that function to reason about the EventLog creation and general
usage of PCRs , so let's rename it to something more generic that makes
more sense in all contexts.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>