On Wed, Nov 04, 2020 at 03:02:06PM -0700, Simon Glass wrote:
> Hi Ilias,
>
> On Wed, 4 Nov 2020 at 11:52, Ilias Apalodimas
> <ilias.apalodi...@linaro.org> wrote:
> >
> > Hi Simon,
> >
> > On Wed, Nov 04, 2020 at 11:08:42AM -0700, Simon Glass wrote:
> > > Hi Ilias,
> > >
> > > On Wed, 4 Nov 2020 at 06:48, Ilias Apalodimas
> > > <ilias.apalodi...@linaro.org> wrote:
> > > >
> > > > Since U-boot EFI implementation is getting richer it makes sense to
> > > > add support for EFI_TCG2_PROTOCOL taking advantage of any hardware TPM
> > > > available on the device.
> > > >
> > > > This is the initial implementation of the protocol which only adds
> > > > support for GetCapability(). It's limited in the newer and safer
> > > > TPMv2 devices.
> > > >
> > > > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> > > > ---
> > > > The protocol requires more than GetCapability to be usable.
> > > > I intend to add support for GetEventLog() and HashLogExtendEvent() once
> > > > this gets reviewed/merged
> > > > include/efi_loader.h | 2 +
> > > > include/efi_tcg2.h | 91 ++++++++
> > > > include/tpm-v2.h | 48 ++++
> > > > lib/efi_loader/Kconfig | 8 +
> > > > lib/efi_loader/Makefile | 1 +
> > > > lib/efi_loader/efi_setup.c | 7 +
> > > > lib/efi_loader/efi_tcg2.c | 460 +++++++++++++++++++++++++++++++++++++
> > > > 7 files changed, 617 insertions(+)
> > > > create mode 100644 include/efi_tcg2.h
> > > > create mode 100644 lib/efi_loader/efi_tcg2.c
> > > >
> > > How can we add tests for this? We have a basic TPM emulator available
> > > so perhaps it could be used to create a sandbox test?
> >
> > I assume you refer to drivers/tpm/tpm2_tis_sandbox.c right?
> > I did check this before posting but it only supports
> > TPM_CAP_TPM_PROPERTIES(0x6).
> > The GetCapability() also uses TPM_CAP_PCRS(0x5).
> > I don't really know if it's worth extending that, since the patches that
> > will follow
> > implementing GetEventLog() and HashLogExtendEvent() are a lot more
> > demanding on the TPM.
> >
>
> The benefit is that we get fast unit tests for the code in U-Boot.
>
> > Maybe look into some software TPM?
>
> The things we use are not that complicated. I think bringing in
> something simple would be OK, but it needs to just cover what we need.

Sure. Let me check tpm2_tis_sandbox.c a bit more before we go ahead
exploring other possibilities and see how far we can get.
An alternative over here would be to use QEMU + OP-TEE + fTPM once and if
QEMU gets an RPMB emulation available (needed for fTPM) or QEMU with
softwareTPM. I think the latter is easier and not strictly bound to Arm
architecture.

>
> > On my side I tested this on an armv8 with fTPM and an EFI application [1]
> >
> > [1] https://github.com/apalos/efi-tpm2-utils
>
> We can probably put some of that code in U-Boot if you are amenable.
> Heinrich has added tests for most/all of the U-Boot EFI functionality.
>

That repo is not my code. I just fixed the arm64 compilation and used it
during my development. If the licence permits it, we can indeed use some
of the code in our selftests.

Regards
/Ilias