u-boot.git/lib/tpm_tcg2.c, branch master Unnamed repository; edit this file 'description' to name the repository. tpm2: add sm3 256 hash support 2025-12-04T15:38:58+00:00 Heiko Schocher hs@nabladev.com 2025-11-18T04:30:41+00:00 7c3f05ad51e4bc23dd4f411f28968f1d8f43099c add sm3 256 hash support, so TPM2 chips which report 5 pcrs with sm3 hash do not fail with: u-boot=> tpm2 autostart tpm2_get_pcr_info: too many pcrs: 5 Error: -90 Signed-off-by: Heiko Schocher <hs@nabladev.com> 
add sm3 256 hash support, so TPM2 chips which report
5 pcrs with sm3 hash do not fail with:

  u-boot=> tpm2 autostart
  tpm2_get_pcr_info: too many pcrs: 5
  Error: -90

Signed-off-by: Heiko Schocher <hs@nabladev.com>
tpm: get tpm event log from bloblist 2025-01-28T07:09:32+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:49:36+00:00 8895ff8ae2186b53b4a073966ef16b09c12a69b8 Get tpm event log from bloblist instead of FDT when bloblist is enabled and valid from previous boot stage. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Get tpm event log from bloblist instead of FDT when bloblist is
enabled and valid from previous boot stage.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add PCR allocate into the eventlog handling 2025-01-28T06:58:41+00:00 Raymond Mao raymond.mao@linaro.org 2025-01-27T14:58:49+00:00 d487c3283c83d1314f9736bdfc69391dbc347154 Get eventlog bank mask when parsing the eventlog from previous boot stage and invoke PCR allocate function based on it. PCR allocate will be proceeded if any dismatches observed among the active, supportted and eventlog bank masks to re-configurate the TPM with the proper algorithms and reboot the system. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Get eventlog bank mask when parsing the eventlog from previous
boot stage and invoke PCR allocate function based on it.
PCR allocate will be proceeded if any dismatches observed among
the active, supportted and eventlog bank masks to re-configurate
the TPM with the proper algorithms and reboot the system.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add kconfig control in tcg2_create_digest() 2025-01-07T13:45:52+00:00 Raymond Mao raymond.mao@linaro.org 2024-12-24T16:01:13+00:00 3a054eca73ad159f78908207a2970b6c0518a3cf To allow disabling algorithms for tcg2, in function tcg2_create_digest(), each hash algorithm operations should under the hash kconfig control to avoid building errors when the algorithm is disabled. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
To allow disabling algorithms for tcg2, in function
tcg2_create_digest(), each hash algorithm operations should under
the hash kconfig control to avoid building errors when the algorithm
is disabled.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Don't replay an EventLog if tcg2_log_parse() fails 2025-01-07T13:45:52+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:12+00:00 3dbd84cb10aa64478e7ce9d3ee32ce1f44c169f6 We used to stop replaying an EventLog if parsing failed, but that got lost in commit 97707f12fdab ("tpm: Support boot measurements"). When an EventLog is passed yo us from a previous bootloader, we want to validate it as much as we can and make sure the defined PCR banks of the log exist in our TPM and firmware so we can replay it if needed or use it as-in, in case the PCRs are already extended. So let's add the checks back and while at it simplify the logic of rejecting an EventLog. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We used to stop replaying an EventLog if parsing failed, but that got
lost in commit 97707f12fdab ("tpm: Support boot measurements").

When an EventLog is passed yo us from a previous bootloader, we want to
validate it as much as we can and make sure the defined PCR banks of
the log exist in our TPM and firmware so we can replay it if needed or
use it as-in, in case the PCRs are already extended.

So let's add the checks back and while at it simplify the logic of
rejecting an EventLog.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Simplify tcg2_log_init() 2025-01-07T13:45:52+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:11+00:00 05834d4b83f5987f158d7893a9f79706b6ff7045 A previous patch is storing the active PCR banks on the TPM private data. Instead of parsing them on the fly use the stored values. This allows us to simplify our checks during the log creation and parsing. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
A previous patch is storing the active PCR banks on the TPM private
data. Instead of parsing them on the fly use the stored values.
This allows us to simplify our checks during the log creation and
parsing.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Simplify tcg2_create_digest() 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:10+00:00 c575f28c8c33adc68ec1313d34b312c5be23d94c A previous patch is storing the active PCR banks on the TPM private data. Instead of parsing them on the fly use the stored values. This allows us to simplify our checks during the log creation and parsing. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
A previous patch is storing the active PCR banks on the TPM private
data. Instead of parsing them on the fly use the stored values.
This allows us to simplify our checks during the log creation and
parsing.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Don't create an EventLog if algorithms are misconfigured 2025-01-07T13:45:51+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2024-12-24T16:01:08+00:00 8dc886ce314282de9d65fac1e8c68ee40d30f678 We already check the active banks vs what U-Boot was compiled with when trying to extend a PCR and we refuse to do so if the TPM active ones don't match the ones U-Boot supports. Do the same thing for the EventLog creation since extending will fail anyway and print a message so the user can figure out the missing algorithms. Co-developed-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
We already check the active banks vs what U-Boot was compiled with when
trying to extend a PCR and we refuse to do so if the TPM active ones
don't match the ones U-Boot supports.

Do the same thing for the EventLog creation since extending will fail
anyway and print a message so the user can figure out the missing
algorithms.

Co-developed-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: add flag in hash_algo_list and API to check if algorithm is supported 2025-01-07T13:45:51+00:00 Raymond Mao raymond.mao@linaro.org 2024-12-24T16:01:07+00:00 27891e85f3cb3912c737bf36276f830d9d02d6c8 Add a bool var into hash_algo_list to indicate whether the algorithm is supported or not and move the IS_ENABLED to only cover this var. So that we can have the name, hash, mask and size no matter the digest kconfigs are enabled or not. In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to identify an unsupported algorithm when they return 0. It is not the case now when hash_algo_list always provides algorithm size and mask, thus a new API is introduced to check if an algorithm is supported by U-Boot. Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add a bool var into hash_algo_list to indicate whether the algorithm
is supported or not and move the IS_ENABLED to only cover this var.
So that we can have the name, hash, mask and size no matter the
digest kconfigs are enabled or not.

In before, tpm2_algorithm_to_len() and tcg2_algorithm_to_mask() are used to
identify an unsupported algorithm when they return 0.
It is not the case now when hash_algo_list always provides algorithm size
and mask, thus a new API is introduced to check if an algorithm is
supported by U-Boot.

Suggested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: refactor tcg2_get_pcr_info() 2025-01-07T13:45:51+00:00 Raymond Mao raymond.mao@linaro.org 2024-12-24T16:01:06+00:00 9f9797aaa8d4ea22a682e6cd28a9b3e5638d132f Rename the arguments of tcg2_get_pcr_info() to clarify they are bank masks, not PCR mask. Remove the unused local variable. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Rename the arguments of tcg2_get_pcr_info() to clarify
they are bank masks, not PCR mask.
Remove the unused local variable.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>