Hi Ilias,

Could you comment on my last mail on this topic?
Thanks,
Benjamin

> -----Original Message-----
> From: Benjamin BARATTE
> Sent: Friday, August 23, 2024 2:25 PM
> To: 'Ilias Apalodimas' <[email protected]>
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]
> Subject: RE: [PATCH 1/3] tpm: update tpm hash algorithm according to
> tpm2.0 spec 1.59
>
> Hi @Ilias Apalodimas,
>
> > -----Original Message-----
> > From: Ilias Apalodimas <[email protected]>
> > Sent: Monday, July 29, 2024 3:55 PM
> > To: Benjamin BARATTE <[email protected]>
> > Cc: [email protected]; [email protected]; [email protected];
> > [email protected]; [email protected]
> > Subject: Re: [PATCH 1/3] tpm: update tpm hash algorithm according to
> > tpm2.0 spec 1.59
> >
> > Hi Benjamin,
> >
> > Apologies for the late reply, but I wasn't cc'ed in the series. Did
> > you use get_maintainer.pl for the recipients?
>
> I have tried but due to the corporate setup, I'm not able to use the script
> to format and send the message automatically...
>
> >
> > On Mon, Jul 15, 2024 at 01:33:16PM +0000, Benjamin BARATTE wrote:
> > > The hash algorithm structure shall reflect the TCG specification for
> > > TPM2.0
> > > With version 1.59, the SHA3 algorithm has been added and shall be
> > > reflected in this structure.
> > > The fact that U-Boot does or does not support SHA3 algo yet is not
> > > relevant for this structure.
> >
> > It's not, but I don't see why we should add more algorithms if we
> > don't plan to support them. Any plans of adding actual support for the
> > SHA3 family?
> >
>
> The main issue here is that the new versions of hardware TPMs are now using
> a default PCR configuration with SHA256 and SHA384 as per the TCG
> specifications, and U-boot can't support them and generates an error at
> boot time.
>
> For the SHA3 family support, they are supported in the Linux Kernel
> already, therefore, this should be supported in U-boot to ensure
> consistency in the full boot chain.
>
> Also, the TPM API offers a hash interface, therefore if the PCR is using
> SHA3, the hash calculation could be done by the TPM regardless of the
> software support in U-boot.
>
> Best Regards,
>
> Benjamin
>
> > Thanks
> > /Ilias
> > > It's up to the end user to configure the active PCR bank to
> > > supported hash algorithm by all boot chain component.
> > > Also, by default, TPM2.0 shall support at least SHA256 and SHA384, > > > in practice dTPM support 2 actives banks with this 2 hash algorithms > > > > > > Signed-off-by: Benjamin BARATTE mailto:[email protected] > > > --- > > > > > > include/tpm-v2.h | 35 ++++++++++++++++++++++++++++++----- > > > 1 file changed, 30 insertions(+), 5 deletions(-) > > > > > > diff --git a/include/tpm-v2.h b/include/tpm-v2.h index > > > 4fd19c52fd..9848e1fd10 100644 > > > --- a/include/tpm-v2.h > > > +++ b/include/tpm-v2.h > > > @@ -253,6 +253,9 @@ enum tpm2_algorithms { > > > TPM2_ALG_SHA512 = 0x0D, > > > TPM2_ALG_NULL = 0x10, > > > TPM2_ALG_SM3_256 = 0x12, > > > + TPM2_ALG_SHA3_256 = 0x27, > > > + TPM2_ALG_SHA3_384 = 0x28, > > > + TPM2_ALG_SHA3_512 = 0x29, > > > }; > > > > > > /** > > > @@ -271,11 +274,15 @@ struct digest_info { }; > > > > > > /* Algorithm Registry */ > > > -#define TCG2_BOOT_HASH_ALG_SHA1 0x00000001 > > > -#define TCG2_BOOT_HASH_ALG_SHA256 0x00000002 -#define > > > TCG2_BOOT_HASH_ALG_SHA384 0x00000004 -#define > > > TCG2_BOOT_HASH_ALG_SHA512 0x00000008 -#define > > > TCG2_BOOT_HASH_ALG_SM3_256 0x00000010 > > > +#define TCG2_BOOT_HASH_ALG_SHA1 0x00000001 > > > +#define TCG2_BOOT_HASH_ALG_SHA256 0x00000002 > > > +#define TCG2_BOOT_HASH_ALG_SHA384 0x00000004 > > > +#define TCG2_BOOT_HASH_ALG_SHA512 0x00000008 > > > +#define TCG2_BOOT_HASH_ALG_SM3_256 0x00000010 #define > > > +TCG2_BOOT_HASH_ALG_SHA3_256 0x00000020 #define > > > +TCG2_BOOT_HASH_ALG_SHA3_384 0x00000040 #define > > > +TCG2_BOOT_HASH_ALG_SHA3_512 0x00000080 > > > + > > > > > > static const struct digest_info hash_algo_list[] = { #if > > > IS_ENABLED(CONFIG_SHA1) 
@@ -310,6 +317,24 @@ static const struct > > > digest_info hash_algo_list[] = { > > > TPM2_SHA512_DIGEST_SIZE, > > > }, > > > #endif > > > + { > > > + "sha3_256", > > > + TPM2_ALG_SHA3_256, > > > + TCG2_BOOT_HASH_ALG_SHA3_256, > > > + TPM2_SHA256_DIGEST_SIZE, > > > + }, > > > + { > > > + "sha3_384", > > > + TPM2_ALG_SHA3_384, > > > + TCG2_BOOT_HASH_ALG_SHA3_384, > > > + TPM2_SHA384_DIGEST_SIZE, > > > + }, > > > + { > > > + "sha3_512", > > > + TPM2_ALG_SHA3_512, > > > + TCG2_BOOT_HASH_ALG_SHA3_512, > > > + TPM2_SHA512_DIGEST_SIZE, > > `> + }, > > > }; > > > > > > /* NV index attributes */ > > > -- > > > 2.34.1 > > > > > > ST Restricted
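Review bot: In the `/* Algorithm Registry */` hunk, the five existing `TCG2_BOOT_HASH_ALG_*` defines are removed and re-added with the same values, which is whitespace-only churn that obscures the three real additions. Leave those lines untouched and add only the `TCG2_BOOT_HASH_ALG_SHA3_256`, `TCG2_BOOT_HASH_ALG_SHA3_384` and `TCG2_BOOT_HASH_ALG_SHA3_512` defines. The new bit values 0x00000020, 0x00000040 and 0x00000080 should carry a comment citing the specification text that assigns them, and the extra blank `+` line after them should be dropped.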
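Review bot: In the `hash_algo_list[]` hunk, the three SHA3 entries are added after the last `#endif` with no `#if IS_ENABLED(...)` guard, unlike the entries above them, so they are always listed even though the commit message says U-Boot may not support SHA3 yet. Guard them behind a config option, or document how a caller tells a listed but unimplemented algorithm apart from a usable one. The entries also reuse `TPM2_SHA256_DIGEST_SIZE`, `TPM2_SHA384_DIGEST_SIZE` and `TPM2_SHA512_DIGEST_SIZE`; a one-line comment saying the SHA3 digest lengths are the same would show the reuse is intentional.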

