
On Wed, Nov 04, 2020 at 03:02:06PM -0700, Simon Glass wrote:
Hi Ilias,
On Wed, 4 Nov 2020 at 11:52, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
Hi Simon,
On Wed, Nov 04, 2020 at 11:08:42AM -0700, Simon Glass wrote:
Hi Ilias,
On Wed, 4 Nov 2020 at 06:48, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
Since U-boot EFI implementation is getting richer it makes sense to add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM available on the device.
This is the initial implementation of the protocol which only adds support for GetCapability(). It's limited in the newer and safer TPMv2 devices.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The protocol requires more than GetCapability to be usable. I intend to add support for GetEventLog() and HashLogExtendEvent() once this gets reviewed/merged
 include/efi_loader.h | 2 +
 include/efi_tcg2.h | 91 ++++++++
 include/tpm-v2.h | 48 ++++
 lib/efi_loader/Kconfig | 8 +
 lib/efi_loader/Makefile | 1 +
 lib/efi_loader/efi_setup.c | 7 +
 lib/efi_loader/efi_tcg2.c | 460 +++++++++++++++++++++++++++++++++++++
 7 files changed, 617 insertions(+)
 create mode 100644 include/efi_tcg2.h
 create mode 100644 lib/efi_loader/efi_tcg2.c
How can we add tests for this? We have a basic TPM emulator available so perhaps it could be used to create a sandbox test?
I assume you refer to drivers/tpm/tpm2_tis_sandbox.c right? I did check this before posting but it only supports TPM_CAP_TPM_PROPERTIES(0x6). The GetCapability() also uses TPM_CAP_PCRS(0x5). I don't really know if it's worth extending that, since the patches that will follow implementing GetEventLog() and HashLogExtendEvent() are a lot more demanding on the TPM.
The benefit is that we get fast unit tests for the code in U-Boot.
Maybe look into some software TPM?
The things we use are not that complicated. I think bringing in something simple would be OK, but it needs to just cover what we need.
Sure. Let me check tpm2_tis_sandbox.c a bit more before we go ahead exploring other possibilities and see how far we can get.
An alternative over here would be to use QEMU + OP-TEE + fTPM once and if QEMU gets an RPMB emulation available (needed for fTPM) or QEMU with softwareTPM. I think the latter is easier and not strictly bound to Arm architecture.
On my side I tested this on an armv8 with fTPM and an EFI application [1]
We can probably put some of that code in U-Boot if you are amenable. Heinrich has added tests for most/all of the U-Boot EFI functionality.
That repo is not my code. I just fixed the arm64 compilation and used it during my development. If the licence permits it, we can indeed use some of the code in our selftests.
Regards /Ilias
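
The thread notes that GetCapability() also needs TPM_CAP_PCRS (0x5), which the sandbox driver did not answer. As an added example (not code from the patch or from U-Boot), this is the kind of canned TPM2_GetCapability response a sandbox test could feed in, with a bounds-checked parser that derives the EFI_TCG2 hash bitmaps from it. The names parse_pcr_banks and sample_resp are hypothetical, the response bytes are constructed, and treating a bank with an all-zero PCR select as supported but not active is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>

/* TPM_ALG_ID (TPM 2.0) -> EFI_TCG2_BOOT_HASH_ALG_* bit (TCG EFI Protocol) */
static const struct { uint16_t alg; uint32_t bit; } alg_map[] = {
	{ 0x0004, 0x01 }, { 0x000B, 0x02 },	/* SHA1, SHA256 */
	{ 0x000C, 0x04 }, { 0x000D, 0x08 },	/* SHA384, SHA512 */
	{ 0x0012, 0x10 },			/* SM3_256 */
};

/* Constructed response: SHA1 bank with no PCRs allocated, SHA256 bank with PCRs 0-23 */
static const uint8_t sample_resp[] = {
	0x80, 0x01, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, /* tag, size, rc */
	0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x02, /* moreData, TPM_CAP_PCRS, count */
	0x00, 0x04, 0x03, 0x00, 0x00, 0x00,	/* hash, sizeofSelect, pcrSelect[] */
	0x00, 0x0b, 0x03, 0xff, 0xff, 0xff,
};

static uint32_t be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Hypothetical helper: returns 0 on success, -1 on a malformed or failed response */
int parse_pcr_banks(const uint8_t *r, size_t len, uint32_t *supported, uint32_t *active)
{
	size_t off = 19, j;	/* header(10) + moreData(1) + capability(4) + count(4) */
	uint32_t n;

	*supported = *active = 0;
	if (len < off || be32(r + 2) != len || be32(r + 6) != 0 || be32(r + 11) != 0x5)
		return -1;
	for (n = be32(r + 15); n > 0; n--) {
		uint32_t bit = 0;
		uint8_t any = 0;
		if (len - off < 3 || len - off - 3 < r[off + 2])
			return -1;	/* selection runs past the buffer */
		uint16_t alg = (uint16_t)(r[off] << 8 | r[off + 1]);
		size_t sz = r[off + 2];
		for (j = 0; j < sz; j++)
			any |= r[off + 3 + j];
		for (j = 0; j < sizeof(alg_map) / sizeof(alg_map[0]); j++)
			if (alg_map[j].alg == alg)
				bit = alg_map[j].bit;
		*supported |= bit;
		*active |= any ? bit : 0;
		off += 3 + sz;
	}
	return 0;
}
```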