On Tue, Sep 16, 2025 at 09:12:24AM -0700, Raymond Mao wrote: > The existing 'qemu.swtpm' does not run swtpm_setup to configure the > algorithm, by default it enables all algorithms it supports, but TF-A > currently only support sha256 and measured with sha256-only, enabling > other algorithms causes more measurements at U-Boot and then leads > to eventlog mismatching. > > Signed-off-by: Raymond Mao <raymond....@linaro.org> > --- > bin/qemu.swtpm-tfa | 30 ++++++++++++++++++++++++++++++ > 1 file changed, 30 insertions(+) > create mode 100644 bin/qemu.swtpm-tfa > > diff --git a/bin/qemu.swtpm-tfa b/bin/qemu.swtpm-tfa > new file mode 100644 > index 0000000..cbcddef > --- /dev/null > +++ b/bin/qemu.swtpm-tfa > @@ -0,0 +1,30 @@ > +#!/bin/sh > +# SPDX-License-Identifier: BSD-2 > +# > +# Copyright (c) 2025 Linaro Limited > +# Author: Raymond Mao <raymond....@linaro.org> > +# Based on qemu.swtpm > +# > +# This script launches swtpm to emulate a TPMv2. > +# It explicitly configures swtpm with sha256-only. > +# > +# The parameter -t makes it unload when the connection to QEMU is > +# terminated. > +# > +# To make use of it add > +# > +# qemu_helper_script="swtpm-tfa" > +# > +# to the board script and the following arguments to qemu_extra_args > +# > +# -chardev socket,id=chrtpm,path=/tmp/tpm/swtpm-sock \ > +# -tpmdev emulator,id=tpm0,chardev=chrtpm \ > +# -device tpm-tis-device,tpmdev=tpm0 > +# > +# U-Boot must be built with CONFIG_TPM2_MMIO=y. > + > +rm -rf /tmp/tpm > +mkdir -p /tmp/tpm > +swtpm_setup --tpmstate /tmp/tpm --tpm2 --pcr-banks sha256 > +swtpm socket -d -t --tpmstate dir=/tmp/tpm --tpm2 \ > +--ctrl type=unixio,path=/tmp/tpm/swtpm-sock
I think we need to abstract the current script to take arguments and then pass them as needed in the conf.board file. -- Tom
signature.asc
Description: PGP signature
