Hi Heiko, This all looks reasonable. There's one place I forgot to mention though. tcg2_hash_pe_image() also needs SM3 support.
The easier way to test that SM3 is working is boot your device and look at the PCR measurements - 'tpm2_pcrread' -- The SM3 bank should be != 0 - tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements should also include SM3 Thanks /Ilias On Tue, 11 Nov 2025 at 07:48, Heiko Schocher <[email protected]> wrote: > > add sm3 256 hash support, so TPM2 chips which report > 5 pcrs with sm3 hash do not fail with: > > u-boot=> tpm2 autostart > tpm2_get_pcr_info: too many pcrs: 5 > Error: -90 > > Signed-off-by: Heiko Schocher <[email protected]> > > --- > > Changes in v2: > add comments from Ilias > - use ARRAY_SIZE(hash_algo_list) instead of a fix number > in tpm2_get_pcr_info() for the count of supported hashes > in U-Boot. > - add SM3 hash in tpm_tcg2 > > cmd/tpm-v2.c | 1 + > include/tpm-v2.h | 12 ++++++++++++ > lib/tpm-v2.c | 4 ++-- > lib/tpm_tcg2.c | 9 +++++++++ > 4 files changed, 24 insertions(+), 2 deletions(-) > > diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c > index 346e21d27bb..847b2691581 100644 > --- a/cmd/tpm-v2.c > +++ b/cmd/tpm-v2.c > @@ -589,6 +589,7 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a > TPMv2.x command", > " * sha256\n" > " * sha384\n" > " * sha512\n" > +" * sm3_256\n" > " <on|off> is one of:\n" > " * on - Select all available PCRs associated with the specified\n" > " algorithm (bank)\n" > diff --git a/include/tpm-v2.h b/include/tpm-v2.h > index f3eb2ef5643..a776d24d71f 100644 > --- a/include/tpm-v2.h > +++ b/include/tpm-v2.h > @@ -345,6 +345,18 @@ static const struct digest_info hash_algo_list[] = { > false, > #endif > }, > + { > + "sm3_256", > + TPM2_ALG_SM3_256, > + TCG2_BOOT_HASH_ALG_SM3_256, > + TPM2_SM3_256_DIGEST_SIZE, > +#if IS_ENABLED(CONFIG_SM3) > + true, > +#else > + false, > +#endif > + }, > + > }; > > /* NV index attributes */ > diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c > index 5b21c57ae42..f443b738f82 100644 > --- a/lib/tpm-v2.c > +++ b/lib/tpm-v2.c > @@ -686,10 +686,10 @@ int tpm2_get_pcr_info(struct udevice *dev, struct > tpml_pcr_selection *pcrs) > > pcrs->count = get_unaligned_be32(response); > /* > - * We only support 4 algorithms for now so check against that > + * check against the supported algorithms in hash_algo_list, > * instead of TPM2_NUM_PCR_BANKS > */ > - if (pcrs->count > 4 || pcrs->count < 1) { > + if (pcrs->count > ARRAY_SIZE(hash_algo_list) || pcrs->count < 1) { > printf("%s: too many pcrs: %u\n", __func__, pcrs->count); > return -EMSGSIZE; > } > diff --git a/lib/tpm_tcg2.c b/lib/tpm_tcg2.c > index c314b401d0b..d41228f75a9 100644 > --- a/lib/tpm_tcg2.c > +++ b/lib/tpm_tcg2.c > @@ -12,6 +12,7 @@ > #include <u-boot/sha1.h> > #include <u-boot/sha256.h> > #include <u-boot/sha512.h> > +#include <u-boot/sm3.h> > #include <version_string.h> > #include <asm/io.h> > #include <linux/bitops.h> > @@ -143,6 +144,12 @@ int tcg2_create_digest(struct udevice *dev, const u8 > *input, u32 length, > sha512_finish(&ctx_512, final); > len = TPM2_SHA512_DIGEST_SIZE; > break; > +#endif > +#if IS_ENABLED(CONFIG_SM3) > + case TPM2_ALG_SM3_256: > + sm3_hash(input, length, final); > + len = TPM2_SM3_256_DIGEST_SIZE; > + break; > #endif > default: > printf("%s: unsupported algorithm %x\n", __func__, > @@ -319,6 +326,7 @@ static int tcg2_replay_eventlog(struct tcg2_event_log > *elog, > case TPM2_ALG_SHA256: > case TPM2_ALG_SHA384: > case TPM2_ALG_SHA512: > + case TPM2_ALG_SM3_256: > len = tpm2_algorithm_to_len(algo); > break; > default: > @@ -431,6 +439,7 @@ static int tcg2_log_parse(struct udevice *dev, struct > tcg2_event_log *elog, > case TPM2_ALG_SHA256: > case TPM2_ALG_SHA384: > case TPM2_ALG_SHA512: > + case TPM2_ALG_SM3_256: > len = > get_unaligned_le16(&event->digest_sizes[i].digest_size); > if (tpm2_algorithm_to_len(algo) != len) { > log_err("EventLog invalid algorithm > length\n"); > -- > 2.20.1 >
