diff options
| author | Tom Rini <trini@konsulko.com> | 2025-01-29 08:12:21 -0600 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2025-01-29 08:12:21 -0600 |
| commit | 021baf7b08cceb58bb850859dba1614424e16a83 (patch) | |
| tree | 9f53a40366eea064bcafbe5b82a3f1245b2671bc /include | |
| parent | 75125f392de4e672127fe0b092d481e78ff8bdd0 (diff) | |
| parent | 8895ff8ae2186b53b4a073966ef16b09c12a69b8 (diff) | |
| download | u-boot-021baf7b08cceb58bb850859dba1614424e16a83.tar.gz | |
Merge tag 'tpm-master-28012025' of https://source.denx.de/u-boot/custodians/u-boot-tpm
CI: https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/24375
We have use cases where a previous stage boot loader doesn't have any
TPM drivers. Instead of extending the hardware PCRs it produces an
EventLog that U-Boot later replays on the hardware.
The only real example we have is TF-A, which produces the EventLog using
hashing algorithms created at compile time. This creates a problem to the
TPM since measurements need to extend all active PCR banks. Up to now
we were exiting refusing the extend measurements.
TPMs can be instructed to change their active PCR banks, as long as the
device resets immediately after a reconfiguration. This PR is adding
that functionality. U-Boot can now scan the currently active TPM PCR
banks, the ones it was compiled to support and the ones present in an
EventLog. It the reconfigures the TPM on the fly with the correct algorithms.
Diffstat (limited to 'include')
| -rw-r--r-- | include/bloblist.h | 18 | ||||
| -rw-r--r-- | include/efi_tcg2.h | 2 | ||||
| -rw-r--r-- | include/tpm-v2.h | 53 |
3 files changed, 70 insertions, 3 deletions
diff --git a/include/bloblist.h b/include/bloblist.h index f999391f74b..52ba0ddcf84 100644 --- a/include/bloblist.h +++ b/include/bloblist.h @@ -250,6 +250,24 @@ static inline void *bloblist_check_magic(ulong addr) return ptr; } +#if CONFIG_IS_ENABLED(BLOBLIST) +/** + * bloblist_get_blob() - Find a blob and get the size of it + * + * Searches the bloblist and returns the blob with the matching tag + * + * @tag: Tag to search for (enum bloblist_tag_t) + * @sizep: Size of the blob found + * Return: pointer to bloblist if found, or NULL if not found + */ +void *bloblist_get_blob(uint tag, int *sizep); +#else +static inline void *bloblist_get_blob(uint tag, int *sizep) +{ + return NULL; +} +#endif + /** * bloblist_find() - Find a blob * diff --git a/include/efi_tcg2.h b/include/efi_tcg2.h index 8dfb1bc9527..7ed88809913 100644 --- a/include/efi_tcg2.h +++ b/include/efi_tcg2.h @@ -28,8 +28,6 @@ #define EFI_TCG2_MAX_PCR_INDEX 23 #define EFI_TCG2_FINAL_EVENTS_TABLE_VERSION 1 -#define TPM2_EVENT_LOG_SIZE CONFIG_EFI_TCG2_PROTOCOL_EVENTLOG_SIZE - typedef u32 efi_tcg_event_log_bitmap; typedef u32 efi_tcg_event_log_format; typedef u32 efi_tcg_event_algorithm_bitmap; diff --git a/include/tpm-v2.h b/include/tpm-v2.h index 65681464b37..ece422df0c7 100644 --- a/include/tpm-v2.h +++ b/include/tpm-v2.h @@ -230,6 +230,8 @@ enum tpm2_command_codes { TPM2_CC_PCR_READ = 0x017E, TPM2_CC_PCR_EXTEND = 0x0182, TPM2_CC_PCR_SETAUTHVAL = 0x0183, + TPM2_CC_PCR_ALLOCATE = 0x012B, + TPM2_CC_SHUTDOWN = 0x0145, }; /** @@ -430,7 +432,7 @@ enum { * * Return: code of the operation */ -u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode); +u32 tpm2_startup(struct udevice *dev, bool onoff, enum tpm2_startup_types mode); /** * Issue a TPM2_SelfTest command. @@ -702,6 +704,55 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd); /** + * tpm2_scan_masks - Scan the bitmask of algorithms based on the + * active/supported banks and the one from eventlog. + * + * @dev TPM device + * @log_active Active algorithm bitmask + * @mask Bitmask to set + * + * Return: zero on success, negative errno otherwise + */ +int tpm2_scan_masks(struct udevice *dev, u32 log_active, u32 *mask); + +/** + * tpm2_pcr_config_algo() - Allocate the active PCRs. Requires reboot + * + * @dev TPM device + * @algo_mask Mask of the algorithms + * @pcr PCR structure for allocation + * @pcr_len Actual PCR data length + * + * Return: code of the operation + */ +u32 tpm2_pcr_config_algo(struct udevice *dev, u32 algo_mask, + struct tpml_pcr_selection *pcr, u32 *pcr_len); + +/** + * tpm2_send_pcr_allocate() - Send PCR allocate command. Requires reboot + * + * @dev TPM device + * @pw Platform password + * @pw_sz Length of the password + * @pcr PCR structure for allocation + * @pcr_len Actual PCR data length + * + * Return: code of the operation + */ +u32 tpm2_send_pcr_allocate(struct udevice *dev, const char *pw, + const ssize_t pw_sz, struct tpml_pcr_selection *pcr, + u32 pcr_len); +/** + * tpm2_activate_banks() - Activate PCR banks + * + * @param dev TPM device + * @log_active Bitmask of eventlog algorithms + * + * Return: code of the operation + */ +int tpm2_activate_banks(struct udevice *dev, u32 log_active); + +/** * tpm2_auto_start() - start up the TPM and perform selftests. * If a testable function has not been tested and is * requested the TPM2 will return TPM_RC_NEEDS_TEST. |