[PATCH 0/3] TPM PCR Management update proposal

While testing U-Boot EFI measured boot with the ST33KTPM2X32DKG9, the EFI_TCG2_PROTOCOL is not able to register due to TPM PCR management. This version of dTPM supports SHA1, SHA256, SHA384, SHA3_256 and SHA3_384, which makes 5 possible PCR banks available, but only 2 at a time are supported.
tpm2_get_pcr_info() exits with an error with this dTPM, as it supports more hash algorithms than U-Boot. But this is irrelevant, as the hash algorithm used depends on the dTPM's active PCR bank and not on the return of TPM2_CAP_PCRS, which lists all possible banks.
The patch series proposes to list exhaustively all the TPM hash algorithms from specification 1.59, allowing a dTPM to support more algorithms than U-Boot does.
If the dTPM is configured with a PCR bank not supported by U-Boot, a warning message will be generated and the PCR bank will not be updated.
This will not change the boot process anyway.
While looking into this, I have seen that commit e7505b3 ("tpm: allow the user to select the compiled algorithms") tries to provide more flexibility in the embedded hash algorithms by reducing the mapping from TPM2_ALG_SHAxxx to the algorithms U-Boot supports. But it should extend all tests of TPM2_ALG_SHAxxx in lib/tpm_tcg2.c, and Kconfig shall no longer enable all the hash algorithms.
Benjamin BARATTE (3):
  tpm: update tpm hash algorithm according to tpm2.0 spec 1.59
  tpm: remove check on pcr bank count
  tpm_tcg2: hash algo optimization

 include/tpm-v2.h       | 43 +++++++++++++++++++++++++++++-------------
 lib/efi_loader/Kconfig |  4 ----
 lib/tpm-v2.c           |  8 --------
 lib/tpm_tcg2.c         | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+), 25 deletions(-)
-- 
2.34.1
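Added example, not part of the series or of U-Boot's own code: a stand-alone C sketch of the bank selection rule the cover letter describes. It parses a marshalled TPML_PCR_SELECTION as returned by TPM2_GetCapability(TPM2_CAP_PCRS), treats a bank as active only when its pcrSelect bitmap is non-zero, and, for an active bank whose algorithm the host cannot compute, prints a warning and skips the bank instead of failing. A bank count larger than the host's algorithm list is not an error; only a malformed reply is. The host algorithm set (SHA1/SHA256/SHA384/SHA512), the struct and function names, MAX_BANKS and the ST33-like reply bytes are constructed for illustration; the TPM2_ALG_* values are the TCG Algorithm Registry identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* TCG Algorithm Registry identifiers for the digests this (hypothetical) host computes. */
#define TPM2_ALG_SHA1   0x0004
#define TPM2_ALG_SHA256 0x000B
#define TPM2_ALG_SHA384 0x000C
#define TPM2_ALG_SHA512 0x000D
#define MAX_BANKS 16 /* size of the caller's array, not a limit on what the TPM reports */

struct pcr_bank {
	uint16_t alg;  /* TPM2_ALG_* identifier of the bank */
	int active;    /* 1 if any pcrSelect bit is set, i.e. the bank is allocated */
	int supported; /* 1 if the host can compute this digest */
};

/* TPM structures are marshalled big-endian. */
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical host capability: digests this firmware build can compute. */
static int host_supports_alg(uint16_t alg)
{
	return alg == TPM2_ALG_SHA1 || alg == TPM2_ALG_SHA256 ||
	       alg == TPM2_ALG_SHA384 || alg == TPM2_ALG_SHA512;
}

/* Parse a marshalled TPML_PCR_SELECTION: UINT32 count, then per bank TPMI_ALG_HASH
 * (UINT16), UINT8 sizeofSelect, BYTE pcrSelect[sizeofSelect]. Algorithms unknown to
 * the host are recorded, not rejected. Returns the bank count, or -1 if the buffer
 * is malformed or holds more banks than the caller's array. */
int parse_pcr_selection(const uint8_t *buf, size_t len, struct pcr_bank *banks, size_t max_banks)
{
	size_t off = 4;
	uint32_t count, i;

	if (len < 4) return -1;
	count = get_be32(buf);
	if (count > max_banks) return -1;
	for (i = 0; i < count; i++) {
		uint8_t size_of_select, any = 0, j;
		if (len - off < 3) return -1;
		banks[i].alg = get_be16(buf + off);
		size_of_select = buf[off + 2];
		off += 3;
		if (len - off < size_of_select) return -1;
		for (j = 0; j < size_of_select; j++)
			any |= buf[off + j]; /* any allocated PCR makes the bank active */
		off += size_of_select;
		banks[i].active = any != 0;
		banks[i].supported = host_supports_alg(banks[i].alg);
	}
	return (int)count;
}

/* Only active banks matter. An active bank the host cannot compute is warned about
 * and left unextended instead of aborting. Returns the number of extendable banks. */
int select_measurement_banks(const struct pcr_bank *banks, int n, int *skipped)
{
	int usable = 0, i;
	*skipped = 0;
	for (i = 0; i < n; i++) {
		if (!banks[i].active)
			continue; /* listed by TPM2_CAP_PCRS but not allocated: irrelevant */
		if (banks[i].supported) { usable++; continue; }
		(*skipped)++;
		printf("warning: active PCR bank alg 0x%04x not supported, not extended\n", banks[i].alg);
	}
	return usable;
}

/* Constructed TPM2_CAP_PCRS reply modelled on a 5-bank dTPM with SHA256 (0x000B)
 * and SHA3_384 (0x0028) allocated, 24 PCRs each (sizeofSelect = 3). */
static const uint8_t sample_cap_pcrs[] = {
	0x00, 0x00, 0x00, 0x05,             /* count = 5 */
	0x00, 0x04, 0x03, 0x00, 0x00, 0x00, /* SHA1, not allocated */
	0x00, 0x0B, 0x03, 0xFF, 0xFF, 0xFF, /* SHA256, PCR 0-23 */
	0x00, 0x0C, 0x03, 0x00, 0x00, 0x00, /* SHA384, not allocated */
	0x00, 0x27, 0x03, 0x00, 0x00, 0x00, /* SHA3_256, not allocated */
	0x00, 0x28, 0x03, 0xFF, 0xFF, 0xFF, /* SHA3_384, PCR 0-23 */
};

/* Run the sample through both steps; returns the bank count or -1 on parse error. */
int demo_banks(int *usable, int *skipped)
{
	struct pcr_bank banks[MAX_BANKS];
	int n = parse_pcr_selection(sample_cap_pcrs, sizeof(sample_cap_pcrs), banks, MAX_BANKS);
	if (n < 0) return n;
	*usable = select_measurement_banks(banks, n, skipped);
	return n;
}
int demo_count(void)   { int u = 0, s = 0; return demo_banks(&u, &s); }
int demo_usable(void)  { int u = 0, s = 0; demo_banks(&u, &s); return u; }
int demo_skipped(void) { int u = 0, s = 0; demo_banks(&u, &s); return s; }

/* A reply cut off mid-bank (20 of 34 bytes) must be rejected, not misread. */
int demo_truncated(void) { struct pcr_bank b[MAX_BANKS]; return parse_pcr_selection(sample_cap_pcrs, 20, b, MAX_BANKS); }
```

With the sample reply the parser reports 5 banks, select_measurement_banks() extends only the SHA256 bank and warns about the active SHA3_384 bank, so a dTPM advertising more algorithms than the host knows no longer causes a hard failure, while a truncated reply still does.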