Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/30826 )
Change subject: security/tpm/tss/tcg-2.0: Add TPM2 function tlcl_getcapability()
Patch Set 9:
(3 comments)
https://review.coreboot.org/#/c/30826/9//COMMIT_MSG Commit Message:
https://review.coreboot.org/#/c/30826/9//COMMIT_MSG@9 PS9, Line 9: Add function tlcl_getcapability() to return TPM2 capability. Aren't these two separate concerns (the get capability stuff and the extend)? If so, please implement them in two separate CLs.
https://review.coreboot.org/#/c/30826/9//COMMIT_MSG@15 PS9, Line 15: TPML_DIGEST_VALUE pointer as input argument. I think my main question here is still... why? First of all, can't you just use the existing hash algorithm we have already implemented (SHA1 for 1.2 and SHA256 for 2.0)? It looks like your mboot code is using SHA1 but does it really have to? That looks like an easy thing to change.
If you really *need* to use SHA1 for some reason, can you rewrite the function in such a way that it allows you to pass in multiple algorithms but still only one at a time? Allowing multiple digests for the same measurement makes this whole thing way more complicated and I don't see the use case for it.
https://review.coreboot.org/#/c/30826/9/src/security/tpm/tspi/tspi.c File src/security/tpm/tspi/tspi.c:
https://review.coreboot.org/#/c/30826/9/src/security/tpm/tspi/tspi.c@212 PS9, Line 212: #if CONFIG(TPM2)
Use

    if (CONFIG(XXX)) {
    }

instead of

    #if CONFIG(XXX)
    #endif

wherever possible.