Hi Eddie, Apologies for the late reply; I am now getting back to this. There are some CI failures with sandbox here [0]. Can you have a look? Also, I believe some of the existing tests are wrong because they use PCR0 (which is always going to be extended). Can you also pick up [1] with your series?
[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471 [1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004 Thanks /Ilias On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> The driver needs to support getting the PCRs in the capabilities
> command. Fix various other things and support the max number
> of PCRs for TPM2.
> Remove the !SANDBOX dependency for EFI TCG2 as well.
>
> Signed-off-by: Eddie James <eaja...@linux.ibm.com>
> Reviewed-by: Simon Glass <s...@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> ---
> Changes since v8:
> - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
>
> Changes since v5:
> - Remove the !SANDBOX dependency for EFI TCG2
>
> drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
> lib/efi_loader/Kconfig | 2 -
> 2 files changed, 72 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> index e4004cfcca..d15a28d9fc 100644
> --- a/drivers/tpm/tpm2_tis_sandbox.c
> +++ b/drivers/tpm/tpm2_tis_sandbox.c
> @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
> TPM2_HIERARCHY_NB,
> };
>
> -/* Subset of supported capabilities */
> -enum tpm2_capability {
> - TPM_CAP_TPM_PROPERTIES = 0x6,
> -};
> -
> /* Subset of supported properties */
> #define TPM2_PROPERTIES_OFFSET 0x0000020E
>
> @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
> TPM2_PROPERTY_NB,
> };
>
> -#define SANDBOX_TPM_PCR_NB 1
> +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> +#define SANDBOX_TPM_PCR_SELECT_MAX ((SANDBOX_TPM_PCR_NB + 7) / 8)
>
> /*
> * Information about our TPM emulation. This is preserved in the sandbox
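Review bot: `SANDBOX_TPM_PCR_SELECT_MAX` is introduced in the `@@ -38` hunk without a comment saying what it measures. From its use in the later GET_CAPABILITY hunk it is the number of bytes in the PCR selection bitmap, and it is stored into a single byte of the response (`*recv = SANDBOX_TPM_PCR_SELECT_MAX;`). A comment above the define such as `/* Bytes in the PCR selection bitmap, one bit per PCR */` would record that. `TPM2_MAX_PCRS` is defined outside this patch, so its value cannot be checked against that one-byte field from here.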
> @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const > u8 *sendbuf,
> int i, j;
>
> /* TPM2_GetProperty */
> - u32 capability, property, property_count;
> + u32 capability, property, property_count, val;
>
> /* TPM2_PCR_Read/Extend variables */
> int pcr_index = 0;
> @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const > u8 *sendbuf,
> case TPM2_CC_GET_CAPABILITY:
> capability = get_unaligned_be32(sent);
> sent += sizeof(capability);
> - if (capability != TPM_CAP_TPM_PROPERTIES) {
> - printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> - return TPM2_RC_HANDLE;
> - }
> -
> property = get_unaligned_be32(sent);
> sent += sizeof(property);
> - property -= TPM2_PROPERTIES_OFFSET;
> -
> property_count = get_unaligned_be32(sent);
> sent += sizeof(property_count);
> - if (!property_count ||
> - property + property_count > TPM2_PROPERTY_NB) {
> +
> + switch (capability) {
> + case TPM2_CAP_PCRS:
> + break;
> + case TPM2_CAP_TPM_PROPERTIES:
> + if (!property_count) {
> + rc = TPM2_RC_HANDLE;
> + return sandbox_tpm2_fill_buf(recv, recv_len,
> + tag, rc);
> + }
> +
> + if (property >= TPM2_PROPERTIES_OFFSET &&
> + ((property - TPM2_PROPERTIES_OFFSET) +
> + property_count > TPM2_PROPERTY_NB)) {
> + rc = TPM2_RC_HANDLE;
> + return sandbox_tpm2_fill_buf(recv, recv_len,
> + tag, rc);
> + }
> + break;
> + default:
> + printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> + "TPM2_CAP_TPM_PROPERTIES\n");
> rc = TPM2_RC_HANDLE;
> return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
> }
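Review bot: The `TPM2_CAP_TPM_PROPERTIES` range check in the `@@ -542` hunk does not bound `property_count` in two cases. The operands are `u32`, so `(property - TPM2_PROPERTIES_OFFSET) + property_count` can wrap to a small value, and when `property` is below `TPM2_PROPERTIES_OFFSET` the count is not checked at all. The fill loop in the `@@ -578` hunk then runs `property_count` times, indexing `tpm->properties[]` and advancing `recv` by eight bytes per entry, and no comparison with `recv_len` is visible in these hunks. Bounding the count first and comparing without the addition covers both cases: `if (!property_count || property_count > TPM2_PROPERTY_NB) {` and `property - TPM2_PROPERTIES_OFFSET > TPM2_PROPERTY_NB - property_count)) {`. sandbox_tpm2_xfer() starts and ends outside the hunk, so a bound enforced elsewhere in the function would change this assessment.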
> @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const > u8 *sendbuf,
> put_unaligned_be32(capability, recv);
> recv += sizeof(capability);
>
> - /* Give the number of properties that follow */
> - put_unaligned_be32(property_count, recv);
> - recv += sizeof(property_count);
> -
> - /* Fill with the properties */
> - for (i = 0; i < property_count; i++) {
> - put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> - i, recv);
> - recv += sizeof(property);
> - put_unaligned_be32(tpm->properties[property + i],
> - recv);
> - recv += sizeof(property);
> + switch (capability) {
> + case TPM2_CAP_PCRS:
> + /* Give the number of algorithms supported - just > SHA256 */
> + put_unaligned_be32(1, recv);
> + recv += sizeof(u32);
> +
> + /* Give SHA256 algorithm */
> + put_unaligned_be16(TPM2_ALG_SHA256, recv);
> + recv += sizeof(u16);
> +
> + /* Select the PCRs supported */
> + *recv = SANDBOX_TPM_PCR_SELECT_MAX;
> + recv++;
> +
> + /* Activate all the PCR bits */
> + for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> + *recv = 0xff;
> + recv++;
> + }
> + break;
> + case TPM2_CAP_TPM_PROPERTIES:
> + /* Give the number of properties that follow */
> + put_unaligned_be32(property_count, recv);
> + recv += sizeof(property_count);
> +
> + /* Fill with the properties */
> + for (i = 0; i < property_count; i++) {
> + put_unaligned_be32(property + i, recv);
> + recv += sizeof(property);
> + if (property >= TPM2_PROPERTIES_OFFSET) {
> + val = tpm->properties[(property -
> + TPM2_PROPERTIES_OFFSET) + i];
> + } else {
> + switch (property) {
> + case TPM2_PT_PCR_COUNT:
> + val = SANDBOX_TPM_PCR_NB;
> + break;
> + default:
> + val = 0xffffffff;
> + break;
> + }
> + }
> +
> + put_unaligned_be32(val, recv);
> + recv += sizeof(property);
> + }
> + break;
> }
>
> /* Add trailing \0 */
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index c5835e6ef6..605719d2b6 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
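Review bot: In the `TPM2_CAP_TPM_PROPERTIES` fill loop of drivers/tpm/tpm2_tis_sandbox.c (the `@@ -578` hunk), the value lookup for properties below `TPM2_PROPERTIES_OFFSET` switches on the base `property`, while the tag written just above it is `property + i`. A request starting at `TPM2_PT_PCR_COUNT` with `property_count` greater than one therefore reports `SANDBOX_TPM_PCR_NB` under every following tag as well. Switching on the tag that was written, `switch (property + i) {`, keeps tag and value paired. The `if (property >= TPM2_PROPERTIES_OFFSET)` test also looks only at the base, so it would need the same change together with a bound on the resulting index. The `TPM2_CAP_PCRS` branch likewise writes its fixed-size reply with no check against `recv_len` visible here, though the function continues outside the hunk.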
> @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
> bool "EFI_TCG2_PROTOCOL support"
> default y
> depends on TPM_V2
> - # Sandbox TPM currently fails on GetCapabilities needed for TCG2
> - depends on !SANDBOX
> select SHA1
> select SHA256
> select SHA384
> --
> 2.31.1
>