Attention is currently required from: Maciej Pijanowski, Christian Walter, Julius Werner, Krystian Hebel, Sergii Dmytruk.
Michał Żygowski has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/68748 )
Change subject: security/tpm: add TPM log format as per 2.0 spec
Patch Set 7:
(2 comments)
File src/security/tpm/tpm2_log_serialized.h:
https://review.coreboot.org/c/coreboot/+/68748/comment/18b94304_4c128de4
PS7, Line 20: #if CONFIG(TPM_LOG_TPM2)
            : # if CONFIG(TPM_HASH_SHA1)
            : # define TPM_20_LOG_DIGEST_MAX_LENGTH SHA1_DIGEST_SIZE
            : # endif
            : # if CONFIG(TPM_HASH_SHA256)
            : # define TPM_20_LOG_DIGEST_MAX_LENGTH SHA256_DIGEST_SIZE
            : # endif
            : # if CONFIG(TPM_HASH_SHA384)
            : # define TPM_20_LOG_DIGEST_MAX_LENGTH SHA384_DIGEST_SIZE
            : # endif
            : # if CONFIG(TPM_HASH_SHA512)
            : # define TPM_20_LOG_DIGEST_MAX_LENGTH SHA512_DIGEST_SIZE
            : # endif
            :
            : # ifndef TPM_20_LOG_DIGEST_MAX_LENGTH
            : # error "Misconfiguration: failed to determine TPM hashing algorithm"
            : # endif
            : #else
            : # define TPM_20_LOG_DIGEST_MAX_LENGTH 1 /* To avoid compilation error */
            : #endif
We want to be crypto agile actually, so I would get rid of that. I agree handling the TPM log as C structure is not simple.
File src/security/tpm/tspi/crtm.h:
https://review.coreboot.org/c/coreboot/+/68748/comment/747cab28_bd3e316c
PS7, Line 19: #if CONFIG(TPM_LOG_CB) && CONFIG(TPM1)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA1
            : #elif CONFIG(TPM_LOG_CB) && CONFIG(TPM2)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA256
            : #elif CONFIG(TPM_LOG_TPM1)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA1
            : #elif CONFIG(TPM_LOG_TPM2)
            : # if CONFIG(TPM_HASH_SHA1)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA1
            : # endif
            : # if CONFIG(TPM_HASH_SHA256)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA256
            : # endif
            : # if CONFIG(TPM_HASH_SHA384)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA384
            : # endif
            : # if CONFIG(TPM_HASH_SHA512)
            : # define TPM_MEASURE_ALGO VB2_HASH_SHA512
            : # endif
            : #endif
            :
            : #if !defined(TPM_MEASURE_ALGO)
            : # if !CONFIG(TPM_MEASURED_BOOT)
            : # define TPM_MEASURE_ALGO VB2_HASH_INVALID
            : # else
            : # error "Misconfiguration: failed to determine TPM hashing algorithm"
            : # endif
            : #endif
            :
This should go away. We should probe TPM for all supported algorithms/enabled PCR banks and populate all possible hashes.
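
Both comments above ask for a crypto-agile log. As an added illustration (not code from this change or from coreboot), the sketch below sizes and serializes one TCG_PCR_EVENT2 entry from a runtime bitmask of active PCR banks instead of a compile-time digest length. The names `BANKS`, `put_le`, `event2_size` and `event2_write` and the bit-to-bank mapping are assumptions; the algorithm IDs and the little-endian field order follow the TCG definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* TCG algorithm IDs with digest lengths; the table and bit order are assumptions. */
static const struct { uint16_t alg_id, len; } BANKS[] = {
	{ 0x0004, 20 }, { 0x000B, 32 },	/* TPM_ALG_SHA1, TPM_ALG_SHA256 */
	{ 0x000C, 48 }, { 0x000D, 64 },	/* TPM_ALG_SHA384, TPM_ALG_SHA512 */
};
#define NUM_BANKS (sizeof(BANKS) / sizeof(BANKS[0]))

static uint8_t *put_le(uint8_t *p, uint32_t v, int n)	/* little-endian store */
{
	for (int i = 0; i < n; i++)
		*p++ = (uint8_t)(v >> (8 * i));
	return p;
}

/* Size of one TCG_PCR_EVENT2 entry for a bitmask of active banks (bit i =
 * BANKS[i]); in firmware the mask would come from probing the TPM. */
size_t event2_size(uint32_t active, uint32_t event_len)
{
	size_t n = 4 + 4 + 4;	/* pcrIndex, eventType, digests.count */
	for (size_t i = 0; i < NUM_BANKS; i++)
		if (active & (1u << i))
			n += 2 + BANKS[i].len;	/* hashAlg + digest */
	return n + 4 + event_len;	/* eventSize + event data */
}

/* Write one entry (digests[i]: BANKS[i].len bytes per active bank); 0 if buf is too small. */
size_t event2_write(uint8_t *buf, size_t cap, uint32_t pcr, uint32_t type, uint32_t active,
		    const uint8_t *const digests[], const uint8_t *event, uint32_t event_len)
{
	uint32_t count = 0;
	if (event2_size(active, event_len) > cap)
		return 0;
	uint8_t *p = put_le(put_le(buf, pcr, 4), type, 4) + 4;	/* skip count for now */
	for (size_t i = 0; i < NUM_BANKS; i++) {
		if (!(active & (1u << i)))
			continue;
		p = put_le(p, BANKS[i].alg_id, 2);
		memcpy(p, digests[i], BANKS[i].len);
		p += BANKS[i].len;
		count++;
	}
	put_le(buf + 8, count, 4);	/* digests.count, now known */
	p = put_le(p, event_len, 4);
	if (event_len)
		memcpy(p, event, event_len);
	return (size_t)(p - buf) + event_len;
}
```

Because the entry length depends on which banks are active, a log reader has to walk each entry's digest list by algorithm ID rather than assume a fixed stride.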