Hi Ilias,

On Tue, 13 Jun 2023 at 06:48, Ilias Apalodimas
<ilias.apalodi...@linaro.org> wrote:
>
> On Mon, Jun 12, 2023 at 10:17:28PM +0100, Simon Glass wrote:
> > Hi Ilias,
> >
> > On Wed, 7 Jun 2023 at 10:18, Ilias Apalodimas
> > <ilias.apalodi...@linaro.org> wrote:
> > >
> > > Currently we only read the pcr updates once on test_tpm2_pcr_read().
> > > It turns out that the tpm init sequence of force_init() which consists
> > > of:
> > > - tpm2 init
> > > - tpm2 startup TPM2_SU_CLEAR
> > > - tpm2 self_test full
> > > - tpm2 clear TPM2_RH_LOCKOUT
> > >
> > > also counts as an update. Running this in the console verifies the
> > > update bump
> > > => tpm2 init
> > > => tpm2 startup TPM2_SU_CLEAR
> > > => tpm2 self_test full
> > > => tpm pcr_read 10 $loadaddr
> > > PCR #10 content (28 known updates):
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > => tpm2 clear TPM2_RH_LOCKOUT
> > > => tpm pcr_read 10 $loadaddr
> > > PCR #10 content (29 known updates):
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > > =>
> > >
> > > With the recent changes of replacing 'tpm2 init' with 'tpm2 autostart'
> > > we end up always running the full init. The reason is 'tpm init'
> > > returns -EBUSY if the tpm is already open, while 'tpm autostart' handles
> > > this gracefully and continues with the initialization. It's worth noting
> > > that this won't affect the device functionality at all since
> > > retriggering the startup sequence and selftests has no side effects.
> >
> > This may be true for some TPMs.
>
> The responses to the startup command are described by the spec, so unless
> the device isn't a standard TPM, this should be safe

Yes, that could be the problem.

>
> >
> > >
> > > Instead of relying on the initial value, reread the 'known updates'
> > > just before updating the PCR to ensure we read the correct values
> > > before testing
> > >
> > > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
> > > ---
> > > Changes since v1:
> > > - new patch to fix the python testing failures
> > >
> > > test/py/tests/test_tpm2.py | 6 ++++++
> > > 1 file changed, 6 insertions(+)
> > >
> >
> > Reviewed-by: Simon Glass <s...@chromium.org>
> >
> > BTW this is an example of why I still want to be able to just init the
> > TPM to a basic level. Here we see that autostart changes the PCRs.
> >
> It doesn't change the PCRs. That code is checking how many commands have
> been sent to the TPM in total. In the previous version of the code 'tpm
> init' would return -EBUSY and we would never re-run the next commands. The
> new command returns 0 and as a result we end up running the TPM2_RH_LOCKOUT
> again.

OK.

Regards,
Simon
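
The counter behaviour discussed in this thread, as an added example that is not part of the original mail or of U-Boot's test_tpm2.py: it parses the `tpm pcr_read` output format quoted above and shows why a baseline read taken before the init sequence miscounts a later update. The helper names, the count 30, the 0xaa digest and the digest-changed check are assumptions constructed for illustration.

```python
import re

HEADER = re.compile(r"PCR #(\d+) content \((\d+) known updates\):")
HEXROW = re.compile(r"^\s*(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}\s*$")

def parse_pcr_read(output):
    """Return (pcr_index, known_updates, digest) from 'tpm pcr_read' console output."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.search(line)
        if m:
            digest = bytearray()
            for row in lines[i + 1:]:
                if not HEXROW.match(row):
                    break  # next prompt or unrelated console text ends the dump
                digest += bytes.fromhex(row)
            return int(m.group(1)), int(m.group(2)), bytes(digest)
    raise ValueError("no 'PCR #N content' header found")

def single_update(baseline_out, after_out):
    """True when exactly one update separates two reads of the same PCR
    and the digest changed (the digest check is an assumption of this example)."""
    pcr_b, n_b, d_b = parse_pcr_read(baseline_out)
    pcr_a, n_a, d_a = parse_pcr_read(after_out)
    return pcr_a == pcr_b and n_a == n_b + 1 and d_a != d_b

def console(updates, byte):
    """Build a constructed transcript in the format quoted in the thread."""
    row = " ".join([byte] * 16)
    return ("=> tpm pcr_read 10 $loadaddr\n"
            f"PCR #10 content ({updates} known updates):\n"
            f" {row}\n {row}\n=>\n")

# Constructed samples. 28 and 29 are the counts quoted in the thread; 30 and
# the 0xaa digest stand in for the state after one PCR extend.
AT_TEST_START = console(28, "00")   # read before 'tpm2 clear TPM2_RH_LOCKOUT'
BEFORE_EXTEND = console(29, "00")   # re-read just before the extend
AFTER_EXTEND = console(30, "aa")

if __name__ == "__main__":
    # A stale baseline sees two updates (clear + extend) and fails the check.
    print("stale baseline:", single_update(AT_TEST_START, AFTER_EXTEND))
    # A baseline re-read just before the extend sees exactly one.
    print("fresh baseline:", single_update(BEFORE_EXTEND, AFTER_EXTEND))
```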