
The following changes since commit 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72:
Prepare v2025.01 (2025-01-06 18:54:44 -0600)
are available in the Git repository at:
https://source.denx.de/u-boot/custodians/u-boot-tpm/ tags/tpm-master-07012025
for you to fetch changes up to 70a3f0efa1a8ac5e13bb06660f602deb75360dc8:
tpm: update descriptions in tpm headers (2025-01-07 15:45:52 +0200)
The CI at https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/24102 showed no errors. Also my internal CI that tests replaying the TF-A generated EventLog passed with no issues.
Please pull!
/Ilias

----------------------------------------------------------------
A few changes for the TPM subsystem wrt EventLog creation and measurements.
Generally speaking it's insecure for a TPM to not cap all the active PCRs when performing measurements. Up to now we had code querying the active PCR banks on the fly and reasoning whether it should perform a measurement or not. Since a TPM requires a reset to change the active PCR banks, it's easier and faster to store them in an array in the device private data and check against that.
This relates to an interesting feature some bootloaders have. For example, TF-A can't extend a PCR since it has no TPM drivers, but can produce an EventLog that U-Boot can replay on the hardware once that comes up. The supported hash algorithms of the TF-A generated EventLog are generated at compile time. When trying to replay an EventLog the TPM active PCR banks and the created EventLog algorithms must agree. We used to report an error but that changed in commit 97707f12fdab ("tpm: Support boot measurements").
This PR also brings up the old behavior and an error is reported now while printing a human readable list of the mismatched algorithms.

----------------------------------------------------------------
Heinrich Schuchardt (1):
      tpm: update descriptions in tpm headers

Ilias Apalodimas (7):
      tpm: Rename tpm2_is_active_pcr()
      tpm: Rename tpm2_allow_extend()
      tpm: Don't create an EventLog if algorithms are misconfigured
      tpm: Keep the active PCRs in the chip private data
      tpm: Simplify tcg2_create_digest()
      tpm: Simplify tcg2_log_init()
      tpm: Don't replay an EventLog if tcg2_log_parse() fails

Raymond Mao (3):
      tpm: refactor tcg2_get_pcr_info()
      tpm: add flag in hash_algo_list and API to check if algorithm is supported
      tpm: add kconfig control in tcg2_create_digest()

 include/tpm-common.h |  16 ++++-
 include/tpm-v2.h     |  99 ++++++++++++++++++++-------
 include/tpm_tcg2.h   |  12 ++--
 lib/tpm-v2.c         |  72 +++++++++++++++++--
 lib/tpm_tcg2.c       | 190 +++++++++++++++++++++++++++------------------------
 5 files changed, 258 insertions(+), 131 deletions(-)
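
An added illustration of the agreement check described above (active PCR banks versus the algorithms carried by a pre-built EventLog), written in C. It is not code from this pull request or from U-Boot: `mask_from_ids()`, `check_banks()` and the bit-mask layout are hypothetical, the algorithm IDs are the TCG registry values, and the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCG algorithm IDs; the table index doubles as the bit position in a bank mask. */
static const struct { uint16_t id; const char *name; } algs[] = {
    { 0x0004, "sha1" },   { 0x000B, "sha256" },
    { 0x000C, "sha384" }, { 0x000D, "sha512" },
};
#define N_ALGS  (sizeof(algs) / sizeof(algs[0]))
#define UNKNOWN (1u << 31)  /* set when an ID is not in the table above */

/* Hypothetical helper: turn a list of algorithm IDs into a bank mask. */
static uint32_t mask_from_ids(const uint16_t *ids, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0, j; i < n; i++) {
        for (j = 0; j < N_ALGS && algs[j].id != ids[i]; j++)
            ;
        mask |= (j < N_ALGS) ? (1u << j) : UNKNOWN;
    }
    return mask;
}

/* Hypothetical check: 0 if the log's algorithms equal the active banks, else the mismatch count. */
static int check_banks(uint32_t active, uint32_t logged, char *buf, size_t len)
{
    uint32_t diff = active ^ logged;
    int bad = ((active | logged) & UNKNOWN) ? 1 : 0;

    snprintf(buf, len, "%s", bad ? "unknown-algorithm" : "");
    for (size_t j = 0; j < N_ALGS; j++) {
        size_t used = strlen(buf);
        if (!(diff & (1u << j)))
            continue;
        /* active but not logged: bank stays uncapped; logged but not active: cannot extend */
        snprintf(buf + used, len - used, "%s%s(%s)", bad++ ? " " : "",
                 algs[j].name, (active & (1u << j)) ? "not in log" : "bank inactive");
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: TPM has sha1+sha256 active, the log carries sha256+sha384. */
    uint16_t tpm[] = { 0x0004, 0x000B }, ev[] = { 0x000B, 0x000C };
    char buf[128];
    if (check_banks(mask_from_ids(tpm, 2), mask_from_ids(ev, 2), buf, sizeof(buf)))
        printf("refusing replay, mismatched algorithms: %s\n", buf);
}
```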