tpm: allow the user to select the compiled algorithms

Simon reports that after enabling all algorithms on the TPM some boards
fail since they don't have enough storage to accommodate the ~5KB growth.

The choice of hash algorithms is determined by the platform and the TPM
configuration. Failing to cap a PCR in a bank which the platform left
active is a security vulnerability. It might allow unsealing of secrets
if an attacker can replay a good set of measurements into an unused bank.

If MEASURED_BOOT or EFI_TCG2_PROTOCOL is enabled our Kconfig will enable
all supported hashing algorithms. We still want to allow users to add a
TPM and not enable measured boot via EFI or bootm though, and at the same
time control the compiled algorithms for size reasons.

So let's add a function tpm2_allow_extend() which checks the TPM active
PCR banks against the ones U-Boot was compiled with. We only allow
extending PCRs if the algorithms selected during build match the TPM
configuration.

It's worth noting that this is only added for TPM2.0, since TPM1.2 is
lacking a lot of code at the moment to read the available PCR banks.
We unconditionally enable SHA1 when a TPM is selected, which is the only
hashing algorithm v1.2 supports.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>  # chromebook-link
This commit is contained in:
Ilias Apalodimas
2024-06-23 14:48:18 +03:00
committed by Heinrich Schuchardt
parent cba3fa9024
commit e7505b3b8b
4 changed files with 87 additions and 22 deletions
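
The bank check the commit message describes can be modelled as below. This is an added example, not the U-Boot implementation of tpm2_allow_extend(). The struct, the function names and the sample data are hypothetical, and "match" is assumed to mean that every active bank uses a hash that was compiled in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* TPM_ALG_ID values from the TPM 2.0 specification. */
#define ALG_SHA1   0x0004
#define ALG_SHA256 0x000B
#define ALG_SHA384 0x000C

/* Hypothetical model of one PCR bank as reported by the TPM. */
struct pcr_bank {
	uint16_t hash_alg;
	uint8_t pcr_select[3];	/* bitmap of allocated PCRs 0..23 */
};

/* A bank is active when at least one PCR is allocated in it. */
static bool bank_is_active(const struct pcr_bank *b)
{
	return b->pcr_select[0] || b->pcr_select[1] || b->pcr_select[2];
}

static bool alg_compiled(uint16_t alg, const uint16_t *built, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (built[i] == alg)
			return true;
	return false;
}

/* True only if every active bank uses a compiled-in hash. An active bank
 * without one could never be extended, so it would stay uncapped. */
bool allow_extend(const struct pcr_bank *banks, size_t nbanks,
		  const uint16_t *built, size_t nbuilt)
{
	for (size_t i = 0; i < nbanks; i++)
		if (bank_is_active(&banks[i]) &&
		    !alg_compiled(banks[i].hash_alg, built, nbuilt))
			return false;
	return true;
}

/* Constructed sample: SHA1 and SHA256 active, SHA384 present but empty. */
static const struct pcr_bank sample_banks[] = {
	{ ALG_SHA1,   { 0xff, 0xff, 0xff } },
	{ ALG_SHA256, { 0xff, 0xff, 0xff } },
	{ ALG_SHA384, { 0x00, 0x00, 0x00 } },
};
static const uint16_t build_sha1_only[] = { ALG_SHA1 };
static const uint16_t build_sha1_sha256[] = { ALG_SHA1, ALG_SHA256 };
```

With the constructed sample, a SHA1-only build is refused because the SHA256 bank is active, while the unallocated SHA384 bank does not block a SHA1 plus SHA256 build.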

@@ -439,9 +439,6 @@ config TPM
depends on DM
imply DM_RNG
select SHA1
select SHA256
select SHA384
select SHA512
help
This enables support for TPMs which can be used to provide security
features for your board. The TPM can be connected via LPC or I2C
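Review bot: the select list under config TPM shrinks from nine context lines to six with no replacement for SHA256, SHA384 and SHA512, so an existing config that enables TPM without MEASURED_BOOT or EFI_TCG2_PROTOCOL silently ends up with fewer hashes compiled in, and per the commit message PCR extends are then refused on a TPM2.0 whose active banks use a hash that is missing. Consider "imply SHA256", "imply SHA384" and "imply SHA512" so size-constrained boards can opt out while other boards keep their current behaviour, or call the change out explicitly for board maintainers.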
@@ -449,6 +446,9 @@ config TPM
command to interactive the TPM. Driver model support is provided
for the low-level TPM interface, but only one TPM is supported at
a time by the TPM library.
For size reasons only SHA1 is selected which is supported on TPM1.2.
If you want a fully functional TPM enable all hashing algorithms.
If you enabled measured boot all hashing algorithms are selected.
config SPL_TPM
bool "Trusted Platform Module (TPM) Support in SPL"
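Review bot: the help text at the end of the TPM entry says "a fully functional TPM" without saying what stops working when only SHA1 is built. State the consequence the commit message gives (on TPM2.0, PCR extends are only allowed when the compiled algorithms match the TPM's active banks) and name the symbols to enable (SHA256, SHA384, SHA512). "If you enabled measured boot" should read "If you enable", and it would help to name MEASURED_BOOT and EFI_TCG2_PROTOCOL as the options that select all algorithms.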