Hi Eddie,

Apologies for the late reply, I am now getting back on this.
There are some failures on the CI wrt to sandbox here [0].  Can you have a
look ?
Also I believe some of the existing tests are wrong because they are
using PCR0 (which is always going to be extended).  Can you also pick up
[1] with your series?


[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471
[1] 
https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004

Thanks
/Ilias

On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> The driver needs to support getting the PCRs in the capabilities
> command. Fix various other things and support the max number
> of PCRs for TPM2.
> Remove the !SANDBOX dependency for EFI TCG2 as well.
>
> Signed-off-by: Eddie James <eaja...@linux.ibm.com>
> Reviewed-by: Simon Glass <s...@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> ---
> Changes since v8:
>  - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
>
> Changes since v5:
>  - Remove the !SANDBOX dependency for EFI TCG2
>
>  drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
>  lib/efi_loader/Kconfig         |   2 -
>  2 files changed, 72 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> index e4004cfcca..d15a28d9fc 100644
> --- a/drivers/tpm/tpm2_tis_sandbox.c
> +++ b/drivers/tpm/tpm2_tis_sandbox.c
> @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
>       TPM2_HIERARCHY_NB,
>  };
>
> -/* Subset of supported capabilities */
> -enum tpm2_capability {
> -     TPM_CAP_TPM_PROPERTIES = 0x6,
> -};
> -
>  /* Subset of supported properties */
>  #define TPM2_PROPERTIES_OFFSET 0x0000020E
>
> @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
>       TPM2_PROPERTY_NB,
>  };
>
> -#define SANDBOX_TPM_PCR_NB 1
> +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> +#define SANDBOX_TPM_PCR_SELECT_MAX   ((SANDBOX_TPM_PCR_NB + 7) / 8)
>
>  /*
>   * Information about our TPM emulation. This is preserved in the sandbox
> @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const 
> u8 *sendbuf,
>       int i, j;
>
>       /* TPM2_GetProperty */
> -     u32 capability, property, property_count;
> +     u32 capability, property, property_count, val;
>
>       /* TPM2_PCR_Read/Extend variables */
>       int pcr_index = 0;
> @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const 
> u8 *sendbuf,
>       case TPM2_CC_GET_CAPABILITY:
>               capability = get_unaligned_be32(sent);
>               sent += sizeof(capability);
> -             if (capability != TPM_CAP_TPM_PROPERTIES) {
> -                     printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> -                     return TPM2_RC_HANDLE;
> -             }
> -
>               property = get_unaligned_be32(sent);
>               sent += sizeof(property);
> -             property -= TPM2_PROPERTIES_OFFSET;
> -
>               property_count = get_unaligned_be32(sent);
>               sent += sizeof(property_count);
> -             if (!property_count ||
> -                 property + property_count > TPM2_PROPERTY_NB) {
> +
> +             switch (capability) {
> +             case TPM2_CAP_PCRS:
> +                     break;
> +             case TPM2_CAP_TPM_PROPERTIES:
> +                     if (!property_count) {
> +                             rc = TPM2_RC_HANDLE;
> +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> +                                                          tag, rc);
> +                     }
> +
> +                     if (property >= TPM2_PROPERTIES_OFFSET &&
> +                         ((property - TPM2_PROPERTIES_OFFSET) +
> +                          property_count > TPM2_PROPERTY_NB)) {
> +                             rc = TPM2_RC_HANDLE;
> +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> +                                                          tag, rc);
> +                     }
> +                     break;
> +             default:
> +                     printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> +                            "TPM2_CAP_TPM_PROPERTIES\n");
>                       rc = TPM2_RC_HANDLE;
>                       return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
>               }
> @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const 
> u8 *sendbuf,
>               put_unaligned_be32(capability, recv);
>               recv += sizeof(capability);
>
> -             /* Give the number of properties that follow */
> -             put_unaligned_be32(property_count, recv);
> -             recv += sizeof(property_count);
> -
> -             /* Fill with the properties */
> -             for (i = 0; i < property_count; i++) {
> -                     put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> -                                        i, recv);
> -                     recv += sizeof(property);
> -                     put_unaligned_be32(tpm->properties[property + i],
> -                                        recv);
> -                     recv += sizeof(property);
> +             switch (capability) {
> +             case TPM2_CAP_PCRS:
> +                     /* Give the number of algorithms supported - just 
> SHA256 */
> +                     put_unaligned_be32(1, recv);
> +                     recv += sizeof(u32);
> +
> +                     /* Give SHA256 algorithm */
> +                     put_unaligned_be16(TPM2_ALG_SHA256, recv);
> +                     recv += sizeof(u16);
> +
> +                     /* Select the PCRs supported */
> +                     *recv = SANDBOX_TPM_PCR_SELECT_MAX;
> +                     recv++;
> +
> +                     /* Activate all the PCR bits */
> +                     for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> +                             *recv = 0xff;
> +                             recv++;
> +                     }
> +                     break;
> +             case TPM2_CAP_TPM_PROPERTIES:
> +                     /* Give the number of properties that follow */
> +                     put_unaligned_be32(property_count, recv);
> +                     recv += sizeof(property_count);
> +
> +                     /* Fill with the properties */
> +                     for (i = 0; i < property_count; i++) {
> +                             put_unaligned_be32(property + i, recv);
> +                             recv += sizeof(property);
> +                             if (property >= TPM2_PROPERTIES_OFFSET) {
> +                                     val = tpm->properties[(property -
> +                                             TPM2_PROPERTIES_OFFSET) + i];
> +                             } else {
> +                                     switch (property) {
> +                                     case TPM2_PT_PCR_COUNT:
> +                                             val = SANDBOX_TPM_PCR_NB;
> +                                             break;
> +                                     default:
> +                                             val = 0xffffffff;
> +                                             break;
> +                                     }
> +                             }
> +
> +                             put_unaligned_be32(val, recv);
> +                             recv += sizeof(property);
> +                     }
> +                     break;
>               }
>
>               /* Add trailing \0 */
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index c5835e6ef6..605719d2b6 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
>       bool "EFI_TCG2_PROTOCOL support"
>       default y
>       depends on TPM_V2
> -     # Sandbox TPM currently fails on GetCapabilities needed for TCG2
> -     depends on !SANDBOX
>       select SHA1
>       select SHA256
>       select SHA384
> --
> 2.31.1
>


Reply via email to