From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
To: Eddie James <eajames@linux.ibm.com>
Cc: u-boot@lists.denx.de, sjg@chromium.org, xypron.glpk@gmx.de,
joel@jms.id.au
Subject: Re: [PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities
Date: Thu, 16 Mar 2023 10:32:51 +0200 [thread overview]
Message-ID: <ZBLUM3Co3Tjwlg5j@hera> (raw)
In-Reply-To: <20230308212537.1725343-3-eajames@linux.ibm.com>
Hi Eddie,
Apologies for the late reply, I am now getting back on this.
There are some failures on the CI wrt to sandbox here [0]. Can you have a
look ?
Also I believe some of the existing tests are wrong because they are
using PCR0 (which is always going to be extended). Can you also pick up
[1] with your series?
[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471
[1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004
Thanks
/Ilias
On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> The driver needs to support getting the PCRs in the capabilities
> command. Fix various other things and support the max number
> of PCRs for TPM2.
> Remove the !SANDBOX dependency for EFI TCG2 as well.
>
> Signed-off-by: Eddie James <eajames@linux.ibm.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> Changes since v8:
> - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
>
> Changes since v5:
> - Remove the !SANDBOX dependency for EFI TCG2
>
> drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
> lib/efi_loader/Kconfig | 2 -
> 2 files changed, 72 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> index e4004cfcca..d15a28d9fc 100644
> --- a/drivers/tpm/tpm2_tis_sandbox.c
> +++ b/drivers/tpm/tpm2_tis_sandbox.c
> @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
> TPM2_HIERARCHY_NB,
> };
>
> -/* Subset of supported capabilities */
> -enum tpm2_capability {
> - TPM_CAP_TPM_PROPERTIES = 0x6,
> -};
> -
> /* Subset of supported properties */
> #define TPM2_PROPERTIES_OFFSET 0x0000020E
>
> @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
> TPM2_PROPERTY_NB,
> };
>
> -#define SANDBOX_TPM_PCR_NB 1
> +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> +#define SANDBOX_TPM_PCR_SELECT_MAX ((SANDBOX_TPM_PCR_NB + 7) / 8)
>
> /*
> * Information about our TPM emulation. This is preserved in the sandbox
> @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> int i, j;
>
> /* TPM2_GetProperty */
> - u32 capability, property, property_count;
> + u32 capability, property, property_count, val;
>
> /* TPM2_PCR_Read/Extend variables */
> int pcr_index = 0;
> @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> case TPM2_CC_GET_CAPABILITY:
> capability = get_unaligned_be32(sent);
> sent += sizeof(capability);
> - if (capability != TPM_CAP_TPM_PROPERTIES) {
> - printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> - return TPM2_RC_HANDLE;
> - }
> -
> property = get_unaligned_be32(sent);
> sent += sizeof(property);
> - property -= TPM2_PROPERTIES_OFFSET;
> -
> property_count = get_unaligned_be32(sent);
> sent += sizeof(property_count);
> - if (!property_count ||
> - property + property_count > TPM2_PROPERTY_NB) {
> +
> + switch (capability) {
> + case TPM2_CAP_PCRS:
> + break;
> + case TPM2_CAP_TPM_PROPERTIES:
> + if (!property_count) {
> + rc = TPM2_RC_HANDLE;
> + return sandbox_tpm2_fill_buf(recv, recv_len,
> + tag, rc);
> + }
> +
> + if (property >= TPM2_PROPERTIES_OFFSET &&
> + ((property - TPM2_PROPERTIES_OFFSET) +
> + property_count > TPM2_PROPERTY_NB)) {
> + rc = TPM2_RC_HANDLE;
> + return sandbox_tpm2_fill_buf(recv, recv_len,
> + tag, rc);
> + }
> + break;
> + default:
> + printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> + "TPM2_CAP_TPM_PROPERTIES\n");
> rc = TPM2_RC_HANDLE;
> return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
> }
> @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> put_unaligned_be32(capability, recv);
> recv += sizeof(capability);
>
> - /* Give the number of properties that follow */
> - put_unaligned_be32(property_count, recv);
> - recv += sizeof(property_count);
> -
> - /* Fill with the properties */
> - for (i = 0; i < property_count; i++) {
> - put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> - i, recv);
> - recv += sizeof(property);
> - put_unaligned_be32(tpm->properties[property + i],
> - recv);
> - recv += sizeof(property);
> + switch (capability) {
> + case TPM2_CAP_PCRS:
> + /* Give the number of algorithms supported - just SHA256 */
> + put_unaligned_be32(1, recv);
> + recv += sizeof(u32);
> +
> + /* Give SHA256 algorithm */
> + put_unaligned_be16(TPM2_ALG_SHA256, recv);
> + recv += sizeof(u16);
> +
> + /* Select the PCRs supported */
> + *recv = SANDBOX_TPM_PCR_SELECT_MAX;
> + recv++;
> +
> + /* Activate all the PCR bits */
> + for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> + *recv = 0xff;
> + recv++;
> + }
> + break;
> + case TPM2_CAP_TPM_PROPERTIES:
> + /* Give the number of properties that follow */
> + put_unaligned_be32(property_count, recv);
> + recv += sizeof(property_count);
> +
> + /* Fill with the properties */
> + for (i = 0; i < property_count; i++) {
> + put_unaligned_be32(property + i, recv);
> + recv += sizeof(property);
> + if (property >= TPM2_PROPERTIES_OFFSET) {
> + val = tpm->properties[(property -
> + TPM2_PROPERTIES_OFFSET) + i];
> + } else {
> + switch (property) {
> + case TPM2_PT_PCR_COUNT:
> + val = SANDBOX_TPM_PCR_NB;
> + break;
> + default:
> + val = 0xffffffff;
> + break;
> + }
> + }
> +
> + put_unaligned_be32(val, recv);
> + recv += sizeof(property);
> + }
> + break;
> }
>
> /* Add trailing \0 */
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index c5835e6ef6..605719d2b6 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
> bool "EFI_TCG2_PROTOCOL support"
> default y
> depends on TPM_V2
> - # Sandbox TPM currently fails on GetCapabilities needed for TCG2
> - depends on !SANDBOX
> select SHA1
> select SHA256
> select SHA384
> --
> 2.31.1
>
next prev parent reply other threads:[~2023-03-16 8:33 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-08 21:25 [PATCH v9 0/6] tpm: Support boot measurements Eddie James
2023-03-08 21:25 ` [PATCH v9 1/6] tpm: Fix spelling for tpmu_ha union Eddie James
2023-03-08 21:25 ` [PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities Eddie James
2023-03-16 8:32 ` Ilias Apalodimas [this message]
2023-05-09 13:49 ` Ilias Apalodimas
2023-03-08 21:25 ` [PATCH v9 3/6] tpm: Support boot measurements Eddie James
2023-04-06 9:18 ` Ilias Apalodimas
2023-04-10 16:18 ` Eddie James
2023-04-11 8:46 ` Ilias Apalodimas
2023-03-08 21:25 ` [PATCH v9 4/6] bootm: Support boot measurement Eddie James
2023-08-04 18:10 ` Sean Edmond
2023-08-07 14:43 ` Eddie James
2023-08-07 14:52 ` Ilias Apalodimas
2023-08-07 14:57 ` Eddie James
2023-03-08 21:25 ` [PATCH v9 5/6] test: Add sandbox TPM " Eddie James
2023-03-08 21:25 ` [PATCH v9 6/6] doc: Add measured boot documentation Eddie James
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZBLUM3Co3Tjwlg5j@hera \
--to=ilias.apalodimas@linaro.org \
--cc=eajames@linux.ibm.com \
--cc=joel@jms.id.au \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox