u-boot.git/lib, branch v2022.10-rc4 Unnamed repository; edit this file 'description' to name the repository. Merge tag 'tpm-03092022' of https://source.denx.de/u-boot/custodians/u-boot-tpm 2022-09-03T18:55:37+00:00 Tom Rini trini@konsulko.com 2022-09-03T18:55:37+00:00 427aa3c9b72b6672f714389a6f71b6cc2841d559 TPM fixes and state reporting 
TPM fixes and state reporting
tpm: Allow committing non-volatile data 2022-09-03T13:59:05+00:00 Simon Glass sjg@chromium.org 2022-08-31T03:05:38+00:00 5208ed187cb6314dc64657802e8e5bb5a5e3a7fb Add an option to tell the TPM to commit non-volatile data immediately it is changed, rather than waiting until later. This is needed in some situations, since if the device reboots it may not write the data. Add definitions for the rest of the Cr50 commands while we are here. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add an option to tell the TPM to commit non-volatile data immediately it
is changed, rather than waiting until later. This is needed in some
situations, since if the device reboots it may not write the data.

Add definitions for the rest of the Cr50 commands while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Implement state command for Cr50 2022-09-03T13:59:05+00:00 Simon Glass sjg@chromium.org 2022-08-31T03:05:37+00:00 4c57ec76b7254cf1743748b70239bddf6100237a Add a vendor-specific TPM2 command for this and implement it for Cr50. Note: This is not part of the TPM spec, but is a Cr50 extension. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add a vendor-specific TPM2 command for this and implement it for Cr50.
Note: This is not part of the TPM spec, but is a Cr50 extension.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Correct the define-space command in TPMv2 2022-09-03T13:54:04+00:00 Simon Glass sjg@chromium.org 2022-08-31T03:05:34+00:00 1c32eee38b3770cf68188a52b4a539a9e0758b84 The message format is incorrect. Fix it. Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The message format is incorrect. Fix it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Correct the permissions command in TPMv1 2022-09-03T13:54:02+00:00 Simon Glass sjg@chromium.org 2022-08-31T03:05:33+00:00 a0f3804a424d6efa3a9d380c769fbfd6391f9ed9 The offset here is incorrect. Fix it. Signed-off-by: Simon Glass <sjg@chromium.org> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The offset here is incorrect. Fix it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tpm: Require a digest source when extending the PCR 2022-09-03T13:53:58+00:00 Simon Glass sjg@chromium.org 2022-08-31T03:05:32+00:00 a557d258c6be49ec1253947a227189de149971df This feature is used for measured boot, so we can add a log entry to the TCPA with some information about where the digest comes from. It is not currently supported in the TPM drivers, but add it to the API so that code which expects it can signal its request. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
This feature is used for measured boot, so we can add a log entry to the
TCPA with some information about where the digest comes from. It is not
currently supported in the TPM drivers, but add it to the API so that
code which expects it can signal its request.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: fix display of NVMe EUI-64 2022-09-03T08:49:17+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-02-23T08:06:24+00:00 fbc04c0dab139c12ed61500fac3cc204009e8c54 UEFI specification 2.9A requires to display the EUI-64 "in hexadecimal format with byte 7 first (i.e., on the left) and byte 0 last". This is in contrast to what the NVMe specification wants. But it is what EDK II has been implementing. Here is an example with the patch applied: qemu-system-aarch64 -machine virt -cpu cortex-a72 -nographic \ -bios denx/u-boot.bin \ -device nvme,id=nvme1,serial=9ff81223 \ -device nvme-ns,bus=nvme1,drive=nvme1n0,eui64=0x123456789ABCDEF0 \ -drive file=arm64.img,if=none,format=raw,id=nvme1n0 => nvme scan => efidebug devices Device Path ==================== /VenHw(…)/NVMe(0x1,f0-de-bc-9a-78-56-34-12) Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
UEFI specification 2.9A requires to display the EUI-64 "in hexadecimal
format with byte 7 first (i.e., on the left) and byte 0 last".

This is in contrast to what the NVMe specification wants.
But it is what EDK II has been implementing.

Here is an example with the patch applied:

    qemu-system-aarch64 -machine virt -cpu cortex-a72 -nographic \
    -bios denx/u-boot.bin \
    -device nvme,id=nvme1,serial=9ff81223 \
    -device nvme-ns,bus=nvme1,drive=nvme1n0,eui64=0x123456789ABCDEF0 \
    -drive file=arm64.img,if=none,format=raw,id=nvme1n0

    => nvme scan
    => efidebug devices
    Device Path
    ====================
    /VenHw(…)/NVMe(0x1,f0-de-bc-9a-78-56-34-12)

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi: ECPT add EBBRv2.0 conformance profile 2022-09-03T08:13:26+00:00 Jose Marinho jose.marinho@arm.com 2021-12-17T12:55:05+00:00 648a8dcb39306ebd32353d6c503ac3b69e064190 Display the EBBRv2.0 conformance in the ECPT table. The EBBRv2.0 conformance profile is set in the ECPT if CONFIG_EFI_EBBR_2_0_CONFORMANCE=y. Signed-off-by: Jose Marinho <jose.marinho@arm.com> Add dependencies for CONFIG_EFI_EBBR_2_0_CONFORMANCE. Enable the setting by default. Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
Display the EBBRv2.0 conformance in the ECPT table.

The EBBRv2.0 conformance profile is set in the ECPT if
CONFIG_EFI_EBBR_2_0_CONFORMANCE=y.

Signed-off-by: Jose Marinho <jose.marinho@arm.com>

Add dependencies for CONFIG_EFI_EBBR_2_0_CONFORMANCE.
Enable the setting by default.
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi: Create ECPT table 2022-09-03T07:35:48+00:00 Jose Marinho jose.marinho@arm.com 2021-12-23T14:51:07+00:00 6b92c1735205eef308a9e33ec90330a3e6d27fc3 The ECPT table will be included in the UEFI specification 2.9+. The ECPT table was introduced in UEFI following the code-first path. The acceptance ticket can be viewed at: https://bugzilla.tianocore.org/show_bug.cgi?id=3591 The Conformance Profiles table is a UEFI configuration table that contains GUID of the UEFI profiles that the UEFI implementation conforms with. The ECPT table is created when CONFIG_EFI_ECPT=y. The config is set by default. Signed-off-by: Jose Marinho <jose.marinho@arm.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The ECPT table will be included in the UEFI specification 2.9+.
The ECPT table was introduced in UEFI following the code-first path. The
acceptance ticket can be viewed at:
	https://bugzilla.tianocore.org/show_bug.cgi?id=3591

The Conformance Profiles table is a UEFI configuration table that contains
GUID of the UEFI profiles that the UEFI implementation conforms with.

The ECPT table is created when CONFIG_EFI_ECPT=y.
The config is set by default.

Signed-off-by: Jose Marinho <jose.marinho@arm.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_selftest: on sandbox use host specific assembly 2022-09-03T06:16:09+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2022-09-02T00:46:37+00:00 2b7a6e013fe9c4f8c8ed29d79f6757f8c482dc72 The selftest checking the handling of exceptions in UEFI binaries is using assembly to provide an undefined instruction. On the sandbox the correct form of the instruction depends on the host architecture. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The selftest checking the handling of exceptions in UEFI binaries is using
assembly to provide an undefined instruction. On the sandbox the correct
form of the instruction depends on the host architecture.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>