From mboxrd@z Thu Jan  1 00:00:00 1970
From: Simon Glass <sjg@chromium.org>
Date: Wed, 22 Mar 2017 07:27:02 -0600
Subject: [U-Boot] [PATCH 1/3] tpm: Add function to load keys via their
 parent's SHA1 hash
In-Reply-To: <CAN1kZopKTNLquGty_q=s2L=B2Pn1c3Rb7dScqEXjTccwBV+-mA@mail.gmail.com>
References: <20170320092830.3040-1-mario.six@gdsys.cc>
 <20170320092830.3040-2-mario.six@gdsys.cc>
 <CAPnjgZ1oy-Mfq+FKT0F9+cbGKqgfnjmAwaMi+tNf4iYJo8=8ug@mail.gmail.com>
 <CAN1kZopKTNLquGty_q=s2L=B2Pn1c3Rb7dScqEXjTccwBV+-mA@mail.gmail.com>
Message-ID: <CAPnjgZ0PjuYPCkxaSEZj=e12PWons=ZamTbep9YRoNc7USB4Fw@mail.gmail.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Mario,

On 22 March 2017 at 07:20, Mario Six <mario.six@gdsys.cc> wrote:
> On Wed, Mar 22, 2017 at 2:05 PM, Simon Glass <sjg@chromium.org> wrote:
>> On 20 March 2017 at 03:28, Mario Six <mario.six@gdsys.cc> wrote:
>>> If we want to load a key into a TPM, we need to know the designated parent
>>> key's handle, so that the TPM is able to insert the key at the correct place in
>>> the key hierarchy.
>>>
>>> However, if we want to load a key whose designated parent key we also
>>> previously loaded ourselves, we first need to memorize this parent key's handle
>>> (since the handles for the key are chosen at random when they are inserted into
>>> the TPM). If we are, however, unable to do so, for example if the parent key is
>>> loaded into the TPM during production, and its child key during the actual
>>> boot, we must find a different mechanism to identify the parent key.
>>>
>>> To solve this problem, we add a function that allows U-Boot to load a key into
>>> the TPM using their designated parent key's SHA1 hash, and the corresponding
>>> auth data.
>>>
>>> Signed-off-by: Mario Six <mario.six@gdsys.cc>
>>> ---
>>>  cmd/tpm.c           | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  drivers/tpm/Kconfig |  8 ++++++++
>>>  include/tpm.h       | 12 ++++++++++++
>>>  lib/tpm.c           | 40 ++++++++++++++++++++++++++++++++++++++++
>>>  4 files changed, 109 insertions(+)
>>
>> Reviewed-by: Simon Glass <sjg@chromium.org>
>>
>> Perhaps you don't need a new Kconfig option? Is that to save code space?
>>
>>
>
> Yes, it's primarily to save code space. I haven't really investigated how much
> this option does impact the overall size, but since every recent addition to
> the TPM library was guarded with a new Kconfig option, I thought it was prudent
> to emulate that.
>
> If you think it's overkill, I can drop the option, and just have it
> compiled in by default.

I think for now it is overkill, and I'm happy to just include the new
functionality always. We have a sandbox tpm emulator - can we use that
to write tests?

Regards,
Simon