Attention is currently required from: Maciej Pijanowski, Christian Walter, Julius Werner, Krystian Hebel, Sergii Dmytruk.
Michał Żygowski has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/68748 )
Change subject: security/tpm: add TPM log format as per 2.0 spec ......................................................................
Patch Set 7:
(7 comments)
File src/security/tpm/Kconfig:
https://review.coreboot.org/c/coreboot/+/68748/comment/c396d562_b3b161f9 PS7, Line 101: default TPM_LOG_TPM2 if TPM2 See my comment from tpm1 log patch. We should have only one option to use TCG compliant log.
https://review.coreboot.org/c/coreboot/+/68748/comment/e2fcef9a_34deb397 PS7, Line 126: config TPM_HASH_SHA1 : bool "SHA1" : config TPM_HASH_SHA256 : bool "SHA256" : config TPM_HASH_SHA384 : bool "SHA384" : config TPM_HASH_SHA512 : bool "SHA512" We should not hardcode hashes. Instead we should determine which hashing algorithms TPM support and which PCR banks are enabled and populate all hashes based on that information.
File src/security/tpm/tpm2_log_serialized.h:
https://review.coreboot.org/c/coreboot/+/68748/comment/3b313cb1_8ee2f366 PS7, Line 11: #define TPM_20_LOG_VI_MAGIC 0x32544243 /* "CBT2" in LE */ Simply using "CORE" would be good here.
https://review.coreboot.org/c/coreboot/+/68748/comment/56eb1fdc_d32639bc PS7, Line 45: uint32_t digest_count; /* Always 1 in current implementation */ It would be great to have multiple digests based on the algorithms supported by the TPM and based on the enabled PCR banks.
https://review.coreboot.org/c/coreboot/+/68748/comment/56884c34_45a98f8b PS7, Line 62: struct tpm_digest_sizes digest_sizes[1]; We should populate all TPM supported and enabled PCR banks/hash algorithms
File src/security/tpm/tpm2_log_serialized.h:
https://review.coreboot.org/c/coreboot/+/68748/comment/322f0cc7_adecd403 PS5, Line 38: struct tpm_2_log_entry {
At the moment `cbmem` parses log in its generic form (arbitrary number of hashes and variable-length […]
We would like to have this code to be BSD licensed in the commonlib. ALso I would include this file into the tpm_log_serialized file to have only a single incldue for every log format.
File src/security/tpm/tspi/log-tpm2.c:
https://review.coreboot.org/c/coreboot/+/68748/comment/849d20c9_74b2794d PS7, Line 41: void *tpm_log_cbmem_init(void) Prefix should be tpm2_ for all functions so that we can use both log format based on detected TPM.