From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8C488C6FD1F for ; Thu, 16 Mar 2023 08:33:03 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 3F582859DD; Thu, 16 Mar 2023 09:33:01 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="lCqNdIMw"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id F3743859FF; Thu, 16 Mar 2023 09:32:58 +0100 (CET) Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 8DBE585947 for ; Thu, 16 Mar 2023 09:32:55 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=ilias.apalodimas@linaro.org Received: by mail-ed1-x52e.google.com with SMTP id z21so4437388edb.4 for ; Thu, 16 Mar 2023 01:32:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1678955574; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=T5B31j1qajOpqIJmYMlSEemklwPsgf+Fu7HH7fiLIxU=; b=lCqNdIMwJ0UFv6udMkwUPnDORpXLFIOxpbfZGTX/BmHrPt77F5ihohP81RV4BSQ34a nJ3e2OHjNn4bo6PobqjNm066v/RRo8um4jiW/pFG6K7h2sCeBiJgPy7XQa5pHPoDdiv9 redzCyDEzfnpCkqorKmbSlkp1+EVV8Vjvk3lwxeyIKLWBPE2ZVAEtaoXTbVzthQBIYq5 kJxtUSNCuvrnNqRZ8lJlZBhTC9RPoM0nHL2WRwWE4q1aly+gtRjb+MuwIJh49qnMdwhs 8Q5YhUCAvaFgGUtO+tQCabUQqXGqfiCBhqcsekHvQ1EQqLx6Vz0G9OLp6NiHn4EKoNBg QPgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678955574; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=T5B31j1qajOpqIJmYMlSEemklwPsgf+Fu7HH7fiLIxU=; b=whNgxeGZN0ykaSaccNH+ncNMBTPGh2uzwihFLemNYdqUJ6n5/WVnazBDjMVGF1kdPh xruJI1QseUARVQYEj35jlTHLLytcwjLUVoh11OvAzn0fMO60LvT9FqTZTaohpIjjKd7P ivhBWFfQG6ZFXrROlegM7RukcICR+bt63J8FrsPEgF6P6rWKSqOthIcnau3RbGx1Wm7z FWg+Ef7sZMwkrQs7tyfBGvbNRlQ5TsHT96ZJKtvYoBTfpLMwF7xfGFZaUeQ3UxdVYTFQ VOXS2yLjV2Q9EjivCPhSMGTN3l+C65ItX6/xfIvnEZG/E+kGeGxPKQ5jYWb2+E0JA2UA hX2w== X-Gm-Message-State: AO0yUKVZgq3iqlrqcmkEN/n8CZnJjtaiMvzPQbEWphSfWoqaSb3ThYhT cMvCF5R6XoBMcGY5F//uwy7+3uHtuyTxK4fkKiI= X-Google-Smtp-Source: AK7set+V+SHKERrix/jFHZfed3HPBWXBaktAIokkcqv0BTaBoaKMRmdlzaRfwqOg5rn4AMWEjS1erg== X-Received: by 2002:aa7:db98:0:b0:4ac:d2b4:ec2c with SMTP id u24-20020aa7db98000000b004acd2b4ec2cmr5553180edt.29.1678955574098; Thu, 16 Mar 2023 01:32:54 -0700 (PDT) Received: from hera (ppp176092130041.access.hol.gr. [176.92.130.41]) by smtp.gmail.com with ESMTPSA id w3-20020a50c443000000b004c30e2fc6e5sm3490546edf.65.2023.03.16.01.32.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Mar 2023 01:32:53 -0700 (PDT) Date: Thu, 16 Mar 2023 10:32:51 +0200 From: Ilias Apalodimas To: Eddie James Cc: u-boot@lists.denx.de, sjg@chromium.org, xypron.glpk@gmx.de, joel@jms.id.au Subject: Re: [PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities Message-ID: References: <20230308212537.1725343-1-eajames@linux.ibm.com> <20230308212537.1725343-3-eajames@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230308212537.1725343-3-eajames@linux.ibm.com> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Hi Eddie, Apologies for the late reply, I am now getting back on this. There are some failures on the CI wrt to sandbox here [0]. Can you have a look ? Also I believe some of the existing tests are wrong because they are using PCR0 (which is always going to be extended). Can you also pick up [1] with your series? [0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471 [1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004 Thanks /Ilias On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote: > The driver needs to support getting the PCRs in the capabilities > command. Fix various other things and support the max number > of PCRs for TPM2. > Remove the !SANDBOX dependency for EFI TCG2 as well. > > Signed-off-by: Eddie James > Reviewed-by: Simon Glass > Acked-by: Ilias Apalodimas > --- > Changes since v8: > - Use >= for checking the property against TPM2_PROPERTIES_OFFSET > > Changes since v5: > - Remove the !SANDBOX dependency for EFI TCG2 > > drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++--------- > lib/efi_loader/Kconfig | 2 - > 2 files changed, 72 insertions(+), 30 deletions(-) > > diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c > index e4004cfcca..d15a28d9fc 100644 > --- a/drivers/tpm/tpm2_tis_sandbox.c > +++ b/drivers/tpm/tpm2_tis_sandbox.c > @@ -22,11 +22,6 @@ enum tpm2_hierarchy { > TPM2_HIERARCHY_NB, > }; > > -/* Subset of supported capabilities */ > -enum tpm2_capability { > - TPM_CAP_TPM_PROPERTIES = 0x6, > -}; > - > /* Subset of supported properties */ > #define TPM2_PROPERTIES_OFFSET 0x0000020E > > @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property { > TPM2_PROPERTY_NB, > }; > > -#define SANDBOX_TPM_PCR_NB 1 > +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS > +#define SANDBOX_TPM_PCR_SELECT_MAX ((SANDBOX_TPM_PCR_NB + 7) / 8) > > /* > * Information about our TPM emulation. This is preserved in the sandbox > @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf, > int i, j; > > /* TPM2_GetProperty */ > - u32 capability, property, property_count; > + u32 capability, property, property_count, val; > > /* TPM2_PCR_Read/Extend variables */ > int pcr_index = 0; > @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf, > case TPM2_CC_GET_CAPABILITY: > capability = get_unaligned_be32(sent); > sent += sizeof(capability); > - if (capability != TPM_CAP_TPM_PROPERTIES) { > - printf("Sandbox TPM only support TPM_CAPABILITIES\n"); > - return TPM2_RC_HANDLE; > - } > - > property = get_unaligned_be32(sent); > sent += sizeof(property); > - property -= TPM2_PROPERTIES_OFFSET; > - > property_count = get_unaligned_be32(sent); > sent += sizeof(property_count); > - if (!property_count || > - property + property_count > TPM2_PROPERTY_NB) { > + > + switch (capability) { > + case TPM2_CAP_PCRS: > + break; > + case TPM2_CAP_TPM_PROPERTIES: > + if (!property_count) { > + rc = TPM2_RC_HANDLE; > + return sandbox_tpm2_fill_buf(recv, recv_len, > + tag, rc); > + } > + > + if (property >= TPM2_PROPERTIES_OFFSET && > + ((property - TPM2_PROPERTIES_OFFSET) + > + property_count > TPM2_PROPERTY_NB)) { > + rc = TPM2_RC_HANDLE; > + return sandbox_tpm2_fill_buf(recv, recv_len, > + tag, rc); > + } > + break; > + default: > + printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or " > + "TPM2_CAP_TPM_PROPERTIES\n"); > rc = TPM2_RC_HANDLE; > return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc); > } > @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf, > put_unaligned_be32(capability, recv); > recv += sizeof(capability); > > - /* Give the number of properties that follow */ > - put_unaligned_be32(property_count, recv); > - recv += sizeof(property_count); > - > - /* Fill with the properties */ > - for (i = 0; i < property_count; i++) { > - put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property + > - i, recv); > - recv += sizeof(property); > - put_unaligned_be32(tpm->properties[property + i], > - recv); > - recv += sizeof(property); > + switch (capability) { > + case TPM2_CAP_PCRS: > + /* Give the number of algorithms supported - just SHA256 */ > + put_unaligned_be32(1, recv); > + recv += sizeof(u32); > + > + /* Give SHA256 algorithm */ > + put_unaligned_be16(TPM2_ALG_SHA256, recv); > + recv += sizeof(u16); > + > + /* Select the PCRs supported */ > + *recv = SANDBOX_TPM_PCR_SELECT_MAX; > + recv++; > + > + /* Activate all the PCR bits */ > + for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) { > + *recv = 0xff; > + recv++; > + } > + break; > + case TPM2_CAP_TPM_PROPERTIES: > + /* Give the number of properties that follow */ > + put_unaligned_be32(property_count, recv); > + recv += sizeof(property_count); > + > + /* Fill with the properties */ > + for (i = 0; i < property_count; i++) { > + put_unaligned_be32(property + i, recv); > + recv += sizeof(property); > + if (property >= TPM2_PROPERTIES_OFFSET) { > + val = tpm->properties[(property - > + TPM2_PROPERTIES_OFFSET) + i]; > + } else { > + switch (property) { > + case TPM2_PT_PCR_COUNT: > + val = SANDBOX_TPM_PCR_NB; > + break; > + default: > + val = 0xffffffff; > + break; > + } > + } > + > + put_unaligned_be32(val, recv); > + recv += sizeof(property); > + } > + break; > } > > /* Add trailing \0 */ > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig > index c5835e6ef6..605719d2b6 100644 > --- a/lib/efi_loader/Kconfig > +++ b/lib/efi_loader/Kconfig > @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL > bool "EFI_TCG2_PROTOCOL support" > default y > depends on TPM_V2 > - # Sandbox TPM currently fails on GetCapabilities needed for TCG2 > - depends on !SANDBOX > select SHA1 > select SHA256 > select SHA384 > -- > 2.31.1 >