The existing 'qemu.swtpm' does not run swtpm_setup to configure the algorithm; by default it enables all algorithms it supports, but TF-A currently only supports sha256 and measures with sha256 only. Enabling other algorithms causes more measurements at U-Boot and then leads to an eventlog mismatch.
Signed-off-by: Raymond Mao <raymond....@linaro.org> --- bin/qemu.swtpm-tfa | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 bin/qemu.swtpm-tfa diff --git a/bin/qemu.swtpm-tfa b/bin/qemu.swtpm-tfa new file mode 100644 index 0000000..cbcddef --- /dev/null +++ b/bin/qemu.swtpm-tfa @@ -0,0 +1,30 @@ +#!/bin/sh +# SPDX-License-Identifier: BSD-2 +# +# Copyright (c) 2025 Linaro Limited +# Author: Raymond Mao <raymond....@linaro.org> +# Based on qemu.swtpm +# +# This script launches swtpm to emulate a TPMv2. +# It explicitly configures swtpm with sha256-only. +# +# The parameter -t makes it unload when the connection to QEMU is +# terminated. +# +# To make use of it add +# +# qemu_helper_script="swtpm-tfa" +# +# to the board script and the following arguments to qemu_extra_args +# +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ +# -device tpm-tis-device,tpmdev=tpm0 +# +# U-Boot must be built with CONFIG_TPM2_MMIO=y. + +rm -rf /tmp/tpm +mkdir -p /tmp/tpm +swtpm_setup --tpmstate /tmp/tpm --tpm2 --pcr-banks sha256 +swtpm socket -d -t --tpmstate dir=/tmp/tpm --tpm2 \ +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock -- 2.25.1
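Review bot: The last four lines of the script never check whether `swtpm_setup --tpmstate /tmp/tpm --tpm2 --pcr-banks sha256` succeeded. If it fails, `swtpm socket` still starts on an unprovisioned state directory, and the sha256-only restriction this script exists for is silently lost. Add `set -e` after the header comment, or chain the two commands with `&&`, so that a setup failure stops the helper. The fixed path under /tmp is a second concern: `rm -rf /tmp/tpm` followed by `mkdir -p /tmp/tpm` uses a predictable name in a world-writable directory, and the directory holding both the TPM state and the control socket is created with the default umask. On a shared test host, a per-run directory from `mktemp -d` with mode 0700 would avoid collisions between users and keep the socket private, although the path in the documented `-chardev` argument would then have to follow it. Finally, `BSD-2` in the SPDX line is not a valid SPDX identifier; `BSD-2-Clause` is presumably what is meant.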