* [PATCH] tpm-v2: allow algo name to be conigured for pcr_read and pcr_extend
From: Tim Harvey @ 2024-03-27 22:37 UTC (permalink / raw)
To: u-boot, Ilias Apalodimas, Eddie James; +Cc: Tim Harvey
For pcr_read and pcr_extend commands allow the digest algo to be
specified by an additional argument. If not specified it will default to
SHA256 for backwards compatibility.
A follow-on to this could be to extend all PCR banks with the detected
algo when the <digest_algo> argument is 'auto'.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
---
cmd/tpm-v2.c | 51 +++++++++++++++++++++++++++++++++++-------------
include/tpm-v2.h | 17 ++++++++++++++++
lib/tpm-v2.c | 46 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 100 insertions(+), 14 deletions(-)
diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index 7e479b9dfe36..52d232c3ea7d 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -99,11 +99,20 @@ static int do_tpm2_pcr_extend(struct cmd_tbl *cmdtp, int flag, int argc,
struct tpm_chip_priv *priv;
u32 index = simple_strtoul(argv[1], NULL, 0);
void *digest = map_sysmem(simple_strtoul(argv[2], NULL, 0), 0);
+ int algo_len = TPM2_SHA256_DIGEST_SIZE;
+ int algo = TPM2_ALG_SHA256;
int ret;
u32 rc;
- if (argc != 3)
+ if (argc < 3 || argc > 4)
return CMD_RET_USAGE;
+ if (argc == 4) {
+ algo = tpm2_algo_len(argv[3], &algo_len);
+ if (algo < 0) {
+ printf("Error: invalid algo\n");
+ return CMD_RET_USAGE;
+ }
+ }
ret = get_tpm(&dev);
if (ret)
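Review bot: The new `return CMD_RET_USAGE` inside the `argc == 4` branch leaves the mapping taken by `map_sysmem()` on the `digest` declaration unreleased, because that mapping is obtained before any argument validation; the pre-existing usage check has the same ordering, but this change adds a second such exit. Moving the `map_sysmem()` call below the argument checks (as do_tpm_pcr_read already does for `data`) would fix both, or else add `unmap_sysmem(digest);` before each early return. The same argc/`tpm2_algo_len()` parsing block is repeated verbatim in do_tpm_pcr_read (the hunk at -134,8); a small static helper taking `argc`, `argv` and `&algo_len` would keep the two in step. do_tpm2_pcr_extend begins before and continues after this hunk.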
@@ -116,8 +125,12 @@ static int do_tpm2_pcr_extend(struct cmd_tbl *cmdtp, int flag, int argc,
if (index >= priv->pcr_count)
return -EINVAL;
- rc = tpm2_pcr_extend(dev, index, TPM2_ALG_SHA256, digest,
- TPM2_DIGEST_LEN);
+ rc = tpm2_pcr_extend(dev, index, algo, digest, algo_len);
+ if (!rc) {
+ printf("PCR #%u extended with %d byte %s digest\n", index,
+ algo_len, tpm2_algo_name(algo));
+ print_byte_string(digest, algo_len);
+ }
unmap_sysmem(digest);
@@ -127,6 +140,8 @@ static int do_tpm2_pcr_extend(struct cmd_tbl *cmdtp, int flag, int argc,
static int do_tpm_pcr_read(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[])
{
+ int algo_len = TPM2_SHA256_DIGEST_SIZE;
+ int algo = TPM2_ALG_SHA256;
struct udevice *dev;
struct tpm_chip_priv *priv;
u32 index, rc;
@@ -134,8 +149,15 @@ static int do_tpm_pcr_read(struct cmd_tbl *cmdtp, int flag, int argc,
void *data;
int ret;
- if (argc != 3)
+ if (argc < 3 || argc > 4)
return CMD_RET_USAGE;
+ if (argc == 4) {
+ algo = tpm2_algo_len(argv[3], &algo_len);
+ if (algo < 0) {
+ printf("Error: invalid algo\n");
+ return CMD_RET_USAGE;
+ }
+ }
ret = get_tpm(&dev);
if (ret)
@@ -151,11 +173,12 @@ static int do_tpm_pcr_read(struct cmd_tbl *cmdtp, int flag, int argc,
data = map_sysmem(simple_strtoul(argv[2], NULL, 0), 0);
- rc = tpm2_pcr_read(dev, index, priv->pcr_select_min, TPM2_ALG_SHA256,
- data, TPM2_DIGEST_LEN, &updates);
+ rc = tpm2_pcr_read(dev, index, priv->pcr_select_min, algo,
+ data, algo_len, &updates);
if (!rc) {
- printf("PCR #%u content (%u known updates):\n", index, updates);
- print_byte_string(data, TPM2_DIGEST_LEN);
+ printf("PCR #%u %s %d byte content (%u known updates):\n", index,
+ tpm2_algo_name(algo), algo_len, updates);
+ print_byte_string(data, algo_len);
}
unmap_sysmem(data);
@@ -415,14 +438,14 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
" <hierarchy> is one of:\n"
" * TPM2_RH_LOCKOUT\n"
" * TPM2_RH_PLATFORM\n"
-"pcr_extend <pcr> <digest_addr>\n"
-" Extend PCR #<pcr> with digest at <digest_addr>.\n"
+"pcr_extend <pcr> <digest_addr> [<digest_algo>]\n"
+" Extend PCR #<pcr> with digest at <digest_addr> with digest_algo.\n"
" <pcr>: index of the PCR\n"
-" <digest_addr>: address of a 32-byte SHA256 digest\n"
-"pcr_read <pcr> <digest_addr>\n"
-" Read PCR #<pcr> to memory address <digest_addr>.\n"
+" <digest_addr>: address of digest of digest_algo type (defaults to SHA256)\n"
+"pcr_read <pcr> <digest_addr> [<digest_algo>]\n"
+" Read PCR #<pcr> to memory address <digest_addr> with <digest_algo>.\n"
" <pcr>: index of the PCR\n"
-" <digest_addr>: address to store the a 32-byte SHA256 digest\n"
+" <digest_addr>: address of digest of digest_algo type (defaults to SHA256)\n"
"get_capability <capability> <property> <addr> <count>\n"
" Read and display <count> entries indexed by <capability>/<property>.\n"
" Values are 4 bytes long and are written at <addr>.\n"
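Review bot: The updated help text introduces `<digest_algo>` but never says which names are accepted, so a user can only learn them by trial or by reading lib/tpm-v2.c. Add one line under each of the two commands, e.g. `"  <digest_algo>: sha1, sha256, sha384, sha512 or sm3_256 (default sha256)\n"`. The pcr_read `<digest_addr>` line now reads "address of digest" although it is an output buffer; `"  <digest_addr>: address to store the <digest_algo> digest (defaults to SHA256)\n"` keeps the original meaning.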
diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 33dd103767c4..07d3ca5e6c83 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -965,4 +965,21 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
*/
u32 tpm2_auto_start(struct udevice *dev);
+/**
+ * tpm2_algo_len() - Return an algo value and length given a algorithm name
+ *
+ * @name: algorithm name
+ * @rwlen: pointer to integer to populate with algorithm length if non-null
+ * Return: algorithm value
+ */
+int tpm2_algo_len(const char *name, int *rwlen);
+
+/**
+ * tpm2_algo_len() - Return an algoithm name string
+ *
+ * @algo: algorithm value
+ * Return: algorithm string
+ */
+const char *tpm2_algo_name(int algo);
+
#endif /* __TPM_V2_H */
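Review bot: The kernel-doc block for the second declaration is titled `tpm2_algo_len()` instead of `tpm2_algo_name()`, and neither block states the error contract the callers in cmd/tpm-v2.c rely on. Change the second title to `tpm2_algo_name() - Return an algorithm name string`, add to the first block `Return: TPM2_ALG_* value, or -EINVAL if the name is not recognised`, and to the second `Return: algorithm name, or "" for an unknown value`. "given a algorithm name" and "algoithm" are also typos.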
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 68eaaa639f89..6a090ce5810c 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -1555,3 +1555,49 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
return 0;
}
+
+int tpm2_algo_len(const char *name, int *rwlen)
+{
+ int algo = -EINVAL;
+ int len = 0;
+
+ if (!strcasecmp("sha1", name)) {
+ algo = TPM2_ALG_SHA1;
+ len = TPM2_SHA1_DIGEST_SIZE;
+ } else if (!strcasecmp("sha256", name)) {
+ algo = TPM2_ALG_SHA256;
+ len = TPM2_SHA256_DIGEST_SIZE;
+ } else if (!strcasecmp("sha384", name)) {
+ algo = TPM2_ALG_SHA384;
+ len = TPM2_SHA384_DIGEST_SIZE;
+ } else if (!strcasecmp("sha512", name)) {
+ algo = TPM2_ALG_SHA512;
+ len = TPM2_SHA512_DIGEST_SIZE;
+ } else if (!strcasecmp("sm3_256", name)) {
+ algo = TPM2_ALG_SM3_256;
+ len = TPM2_SM3_256_DIGEST_SIZE;
+ }
+
+ if (*rwlen)
+ *rwlen = len;
+
+ return algo;
+}
+
+const char *tpm2_algo_name(int algo)
+{
+ switch (algo) {
+ case TPM2_ALG_SHA1:
+ return "sha1";
+ case TPM2_ALG_SHA256:
+ return "sha256";
+ case TPM2_ALG_SHA384:
+ return "sha384";
+ case TPM2_ALG_SHA512:
+ return "sha512";
+ case TPM2_ALG_SM3_256:
+ return "sm3_256";
+ }
+
+ return "";
+}
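Review bot: `if (*rwlen)` dereferences the pointer instead of testing it, so the "if non-null" contract promised in the header is not honoured: a NULL `rwlen` is dereferenced, and a caller whose integer already holds 0 never receives the length. It should be `if (rwlen)`. The two callers in cmd/tpm-v2.c happen to pass `&algo_len` pre-set to TPM2_SHA256_DIGEST_SIZE, which is why the defect is not visible there. Note also that an unrecognised name leaves `len` at 0 while returning -EINVAL, so a caller that ignores the return value would carry a zero-length digest onward.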
--
2.25.1
* Re: [PATCH] tpm-v2: allow algo name to be conigured for pcr_read and pcr_extend
From: Ilias Apalodimas @ 2024-03-28 7:36 UTC (permalink / raw)
To: Tim Harvey; +Cc: u-boot, Eddie James
Hi Tim,
[...]
>
> +/**
> + * tpm2_algo_len() - Return an algo value and length given a algorithm name
> + *
> + * @name: algorithm name
> + * @rwlen: pointer to integer to populate with algorithm length if non-null
> + * Return: algorithm value
> + */
> +int tpm2_algo_len(const char *name, int *rwlen);
> +
> +/**
> + * tpm2_algo_len() - Return an algoithm name string
> + *
> + * @algo: algorithm value
> + * Return: algorithm string
> + */
> +const char *tpm2_algo_name(int algo);
> +
> #endif /* __TPM_V2_H */
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index 68eaaa639f89..6a090ce5810c 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -1555,3 +1555,49 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
>
> return 0;
> }
> +
> +int tpm2_algo_len(const char *name, int *rwlen)
> +{
> + int algo = -EINVAL;
> + int len = 0;
> +
> + if (!strcasecmp("sha1", name)) {
> + algo = TPM2_ALG_SHA1;
> + len = TPM2_SHA1_DIGEST_SIZE;
> + } else if (!strcasecmp("sha256", name)) {
> + algo = TPM2_ALG_SHA256;
> + len = TPM2_SHA256_DIGEST_SIZE;
> + } else if (!strcasecmp("sha384", name)) {
> + algo = TPM2_ALG_SHA384;
> + len = TPM2_SHA384_DIGEST_SIZE;
> + } else if (!strcasecmp("sha512", name)) {
> + algo = TPM2_ALG_SHA512;
> + len = TPM2_SHA512_DIGEST_SIZE;
> + } else if (!strcasecmp("sm3_256", name)) {
> + algo = TPM2_ALG_SM3_256;
> + len = TPM2_SM3_256_DIGEST_SIZE;
> + }
> +
> + if (*rwlen)
> + *rwlen = len;
> +
> + return algo;
> +}
> +
We already have tpm2_algorithm_to_len(). Instead of defining a new
function, can we convert strings to 'enum tpm2_algorithms'? We can
then reuse the existing function.
> +const char *tpm2_algo_name(int algo)
> +{
> + switch (algo) {
> + case TPM2_ALG_SHA1:
> + return "sha1";
> + case TPM2_ALG_SHA256:
> + return "sha256";
> + case TPM2_ALG_SHA384:
> + return "sha384";
> + case TPM2_ALG_SHA512:
> + return "sha512";
> + case TPM2_ALG_SM3_256:
> + return "sm3_256";
> + }
> +
> + return "";
> +}
> --
> 2.25.1
>
Thanks
/Ilias
* Re: [PATCH] tpm-v2: allow algo name to be conigured for pcr_read and pcr_extend
From: Tim Harvey @ 2024-03-28 15:33 UTC (permalink / raw)
To: Ilias Apalodimas; +Cc: u-boot, Eddie James
On Thu, Mar 28, 2024 at 12:37 AM Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Tim,
>
> [...]
>
> >
> > +/**
> > + * tpm2_algo_len() - Return an algo value and length given a algorithm name
> > + *
> > + * @name: algorithm name
> > + * @rwlen: pointer to integer to populate with algorithm length if non-null
> > + * Return: algorithm value
> > + */
> > +int tpm2_algo_len(const char *name, int *rwlen);
> > +
> > +/**
> > + * tpm2_algo_len() - Return an algoithm name string
> > + *
> > + * @algo: algorithm value
> > + * Return: algorithm string
> > + */
> > +const char *tpm2_algo_name(int algo);
> > +
> > #endif /* __TPM_V2_H */
> > diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> > index 68eaaa639f89..6a090ce5810c 100644
> > --- a/lib/tpm-v2.c
> > +++ b/lib/tpm-v2.c
> > @@ -1555,3 +1555,49 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
> >
> > return 0;
> > }
> > +
> > +int tpm2_algo_len(const char *name, int *rwlen)
> > +{
> > + int algo = -EINVAL;
> > + int len = 0;
> > +
> > + if (!strcasecmp("sha1", name)) {
> > + algo = TPM2_ALG_SHA1;
> > + len = TPM2_SHA1_DIGEST_SIZE;
> > + } else if (!strcasecmp("sha256", name)) {
> > + algo = TPM2_ALG_SHA256;
> > + len = TPM2_SHA256_DIGEST_SIZE;
> > + } else if (!strcasecmp("sha384", name)) {
> > + algo = TPM2_ALG_SHA384;
> > + len = TPM2_SHA384_DIGEST_SIZE;
> > + } else if (!strcasecmp("sha512", name)) {
> > + algo = TPM2_ALG_SHA512;
> > + len = TPM2_SHA512_DIGEST_SIZE;
> > + } else if (!strcasecmp("sm3_256", name)) {
> > + algo = TPM2_ALG_SM3_256;
> > + len = TPM2_SM3_256_DIGEST_SIZE;
> > + }
> > +
> > + if (*rwlen)
> > + *rwlen = len;
> > +
> > + return algo;
> > +}
> > +
>
> We already have tpm2_algorithm_to_len(). Instead of defining a new
> function, can we convert strings to 'enum tpm2_algorithms'? We can
> then reuse the existing function.
>
Hi Ilias,
Thanks - I didn't see tpm2_algorithm_to_len. Yes, I can use it but I
still need to add a new function to turn the name into an algo. I also
didn't see tpm2_supported_algorithms; should I only support
name-to-algorithm and algorithm-to-name for that subset?
Best Regards,
Tim
> > +const char *tpm2_algo_name(int algo)
> > +{
> > + switch (algo) {
> > + case TPM2_ALG_SHA1:
> > + return "sha1";
> > + case TPM2_ALG_SHA256:
> > + return "sha256";
> > + case TPM2_ALG_SHA384:
> > + return "sha384";
> > + case TPM2_ALG_SHA512:
> > + return "sha512";
> > + case TPM2_ALG_SM3_256:
> > + return "sm3_256";
> > + }
> > +
> > + return "";
> > +}
> > --
> > 2.25.1
> >
>
> Thanks
> /Ilias
* Re: [PATCH] tpm-v2: allow algo name to be conigured for pcr_read and pcr_extend
From: Ilias Apalodimas @ 2024-03-28 16:34 UTC (permalink / raw)
To: Tim Harvey; +Cc: u-boot, Eddie James
On Thu, 28 Mar 2024 at 17:33, Tim Harvey <tharvey@gateworks.com> wrote:
>
> On Thu, Mar 28, 2024 at 12:37 AM Ilias Apalodimas
> <ilias.apalodimas@linaro.org> wrote:
> >
> > Hi Tim,
> >
> > [...]
> >
> > >
> > > +/**
> > > + * tpm2_algo_len() - Return an algo value and length given a algorithm name
> > > + *
> > > + * @name: algorithm name
> > > + * @rwlen: pointer to integer to populate with algorithm length if non-null
> > > + * Return: algorithm value
> > > + */
> > > +int tpm2_algo_len(const char *name, int *rwlen);
> > > +
> > > +/**
> > > + * tpm2_algo_len() - Return an algoithm name string
> > > + *
> > > + * @algo: algorithm value
> > > + * Return: algorithm string
> > > + */
> > > +const char *tpm2_algo_name(int algo);
> > > +
> > > #endif /* __TPM_V2_H */
> > > diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> > > index 68eaaa639f89..6a090ce5810c 100644
> > > --- a/lib/tpm-v2.c
> > > +++ b/lib/tpm-v2.c
> > > @@ -1555,3 +1555,49 @@ u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
> > >
> > > return 0;
> > > }
> > > +
> > > +int tpm2_algo_len(const char *name, int *rwlen)
> > > +{
> > > + int algo = -EINVAL;
> > > + int len = 0;
> > > +
> > > + if (!strcasecmp("sha1", name)) {
> > > + algo = TPM2_ALG_SHA1;
> > > + len = TPM2_SHA1_DIGEST_SIZE;
> > > + } else if (!strcasecmp("sha256", name)) {
> > > + algo = TPM2_ALG_SHA256;
> > > + len = TPM2_SHA256_DIGEST_SIZE;
> > > + } else if (!strcasecmp("sha384", name)) {
> > > + algo = TPM2_ALG_SHA384;
> > > + len = TPM2_SHA384_DIGEST_SIZE;
> > > + } else if (!strcasecmp("sha512", name)) {
> > > + algo = TPM2_ALG_SHA512;
> > > + len = TPM2_SHA512_DIGEST_SIZE;
> > > + } else if (!strcasecmp("sm3_256", name)) {
> > > + algo = TPM2_ALG_SM3_256;
> > > + len = TPM2_SM3_256_DIGEST_SIZE;
> > > + }
> > > +
> > > + if (*rwlen)
> > > + *rwlen = len;
> > > +
> > > + return algo;
> > > +}
> > > +
> >
> > We already have tpm2_algorithm_to_len(). Instead of defining a new
> > function, can we convert strings to 'enum tpm2_algorithms'? We can
> > then reuse the existing function.
> >
>
> Hi Ilias,
>
> Thanks - I didn't see tpm2_algorithm_to_len. Yes, I can use it but I
> still need to add a new function to turn the name into an algo.
Yep, that's fine,
> I also
> didn't see tpm2_supported_algorithms; should I only support
> name-to-algorithm and algorithm-to-name for that subset?
>
Yea, that would be good, we can at least have a reference of what we
currently support.
Cheers
/Ilias
> Best Regards,
>
> Tim
>
> > > +const char *tpm2_algo_name(int algo)
> > > +{
> > > + switch (algo) {
> > > + case TPM2_ALG_SHA1:
> > > + return "sha1";
> > > + case TPM2_ALG_SHA256:
> > > + return "sha256";
> > > + case TPM2_ALG_SHA384:
> > > + return "sha384";
> > > + case TPM2_ALG_SHA512:
> > > + return "sha512";
> > > + case TPM2_ALG_SM3_256:
> > > + return "sm3_256";
> > > + }
> > > +
> > > + return "";
> > > +}
> > > --
> > > 2.25.1
> > >
> >
> > Thanks
> > /Ilias