On 6/14/24 08:03, Ilias Apalodimas wrote:
Hi Simon,

On Mon, 10 Jun 2024 at 17:59, Simon Glass <s...@chromium.org> wrote:

It does not make sense to enable all SHA algorithms unless they are
needed. It bloats the code and in this case, causes chromebook_link to
fail to build. That board does use the TPM, but not with measured boot,
nor EFI.

Since EFI_TCG2_PROTOCOL already selects these options, we just need to
add them to MEASURED_BOOT as well.

Note that the original commit combines refactoring and new features,
which makes it hard to see what is going on.

Fixes: 97707f12fda tpm: Support boot measurements
Signed-off-by: Simon Glass <s...@chromium.org>
---

Changes in v2:
- Put the conditions under EFI_TCG2_PROTOCOL
- Consider MEASURED_BOOT too

  boot/Kconfig | 4 ++++
  lib/Kconfig  | 4 ----
  2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/boot/Kconfig b/boot/Kconfig
index 6f3096c15a6..b061891e109 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -734,6 +734,10 @@ config LEGACY_IMAGE_FORMAT
  config MEASURED_BOOT
         bool "Measure boot images and configuration when booting without EFI"
         depends on HASH && TPM_V2
+       select SHA1
+       select SHA256
+       select SHA384
+       select SHA512
         help
           This option enables measurement of the boot process when booting
           without UEFI . Measurement involves creating cryptographic hashes
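Review bot: The four `select` lines added under MEASURED_BOOT carry no explanation of why SHA1, SHA256, SHA384 and SHA512 are all pulled in unconditionally. As noted in this thread, the enabled PCR banks are a runtime configuration of the TPM, so the build cannot know in advance which digests will be needed. A sentence saying so in the help text would keep a later size-reduction patch from trimming one of them and silently leaving a bank unextended. While touching this entry, the context line "without UEFI ." has a stray space before the period.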
diff --git a/lib/Kconfig b/lib/Kconfig
index 189e6eb31aa..568892fce44 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -438,10 +438,6 @@ config TPM
         bool "Trusted Platform Module (TPM) Support"
         depends on DM
         imply DM_RNG
-       select SHA1
-       select SHA256
-       select SHA384
-       select SHA512

I am not sure this is the right way to deal with your problem.
The TPM main functionality is to measure and extend PCRs, so shaXXXX
is really required. To make things even worse, you don't know the PCR
banks that are enabled beforehand. This is a runtime config of the
TPM.

If neither MEASURED_BOOT nor EFI_TCG2_PROTOCOL is selected, U-Boot
cannot extend PCRs. So it seems fine to let these two select the
complete set of hashing algorithms. As Simon pointed out for
EFI_TCG2_PROTOCOL this is already done in lib/efi_loader/Kconfig.

Even if U-Boot does not support measured boot (EFI or non-EFI) we might
still be using the TPM's RNG.

Reviewed-by: Heinrich Schuchardt <xypron.g...@gmx.de>


So this would make the TPM pretty useless. Can't you remove something
that doesn't break functionality?

Thanks
/Ilias
         help
           This enables support for TPMs which can be used to provide security
           features for your board. The TPM can be connected via LPC or I2C
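Review bot: Removing the four `select` lines from `config TPM` leaves the entry with only `depends on DM` and `imply DM_RNG`, so a configuration that enables TPM without MEASURED_BOOT or EFI_TCG2_PROTOCOL no longer gets any SHA algorithm from it. The commit message mentions only chromebook_link. It should also state that no TPM code outside those two options relies on the hash functions, or name the option that now selects them for such code, so that a board in that configuration does not end up with TPM support that builds but cannot compute a digest.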
--
2.34.1