[v9,2/6] tpm: sandbox: Update for needed TPM2 capabilities

Message ID	20230308212537.1725343-3-eajames@linux.ibm.com
State	Changes Requested
Delegated to:	Ilias Apalodimas
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Eddie James <eajames@linux.ibm.com> To: u-boot@lists.denx.de Cc: eajames@linux.ibm.com, sjg@chromium.org, ilias.apalodimas@linaro.org, xypron.glpk@gmx.de, joel@jms.id.au Subject: [PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities Date: Wed, 8 Mar 2023 15:25:33 -0600 Message-Id: <20230308212537.1725343-3-eajames@linux.ibm.com> In-Reply-To: <20230308212537.1725343-1-eajames@linux.ibm.com> References: <20230308212537.1725343-1-eajames@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	tpm: Support boot measurements \| expand [v9,0/6] tpm: Support boot measurements [v9,1/6] tpm: Fix spelling for tpmu_ha union [v9,2/6] tpm: sandbox: Update for needed TPM2 capabilities [v9,3/6] tpm: Support boot measurements [v9,4/6] bootm: Support boot measurement [v9,5/6] test: Add sandbox TPM boot measurement [v9,6/6] doc: Add measured boot documentation

Message ID

20230308212537.1725343-3-eajames@linux.ibm.com

State

Changes Requested

Delegated to:

Ilias Apalodimas

Headers

From: Eddie James <eajames@linux.ibm.com>
To: u-boot@lists.denx.de
Cc: eajames@linux.ibm.com, sjg@chromium.org, ilias.apalodimas@linaro.org,
 xypron.glpk@gmx.de, joel@jms.id.au
Subject: [PATCH v9 2/6] tpm: sandbox: Update for needed TPM2 capabilities
Date: Wed,  8 Mar 2023 15:25:33 -0600
Message-Id: <20230308212537.1725343-3-eajames@linux.ibm.com>
In-Reply-To: <20230308212537.1725343-1-eajames@linux.ibm.com>
References: <20230308212537.1725343-1-eajames@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

tpm: Support boot measurements | expand

Commit Message

Eddie James March 8, 2023, 9:25 p.m. UTC

The driver needs to support getting the PCRs in the capabilities
command. Fix various other things and support the max number
of PCRs for TPM2.
Remove the !SANDBOX dependency for EFI TCG2 as well.

Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
Changes since v8:
 - Use >= for checking the property against TPM2_PROPERTIES_OFFSET

Changes since v5:
 - Remove the !SANDBOX dependency for EFI TCG2

 drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
 lib/efi_loader/Kconfig         |   2 -
 2 files changed, 72 insertions(+), 30 deletions(-)

Comments

Ilias Apalodimas March 16, 2023, 8:32 a.m. UTC | #1

Hi Eddie,

Apologies for the late reply, I am now getting back on this.
There are some failures on the CI wrt to sandbox here [0].  Can you have a
look ?
Also I believe some of the existing tests are wrong because they are
using PCR0 (which is always going to be extended).  Can you also pick up
[1] with your series?


[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471
[1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004

Thanks
/Ilias

On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> The driver needs to support getting the PCRs in the capabilities
> command. Fix various other things and support the max number
> of PCRs for TPM2.
> Remove the !SANDBOX dependency for EFI TCG2 as well.
>
> Signed-off-by: Eddie James <eajames@linux.ibm.com>
> Reviewed-by: Simon Glass <sjg@chromium.org>
> Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> Changes since v8:
>  - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
>
> Changes since v5:
>  - Remove the !SANDBOX dependency for EFI TCG2
>
>  drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
>  lib/efi_loader/Kconfig         |   2 -
>  2 files changed, 72 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> index e4004cfcca..d15a28d9fc 100644
> --- a/drivers/tpm/tpm2_tis_sandbox.c
> +++ b/drivers/tpm/tpm2_tis_sandbox.c
> @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
>  	TPM2_HIERARCHY_NB,
>  };
>
> -/* Subset of supported capabilities */
> -enum tpm2_capability {
> -	TPM_CAP_TPM_PROPERTIES = 0x6,
> -};
> -
>  /* Subset of supported properties */
>  #define TPM2_PROPERTIES_OFFSET 0x0000020E
>
> @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
>  	TPM2_PROPERTY_NB,
>  };
>
> -#define SANDBOX_TPM_PCR_NB 1
> +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> +#define SANDBOX_TPM_PCR_SELECT_MAX	((SANDBOX_TPM_PCR_NB + 7) / 8)
>
>  /*
>   * Information about our TPM emulation. This is preserved in the sandbox
> @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
>  	int i, j;
>
>  	/* TPM2_GetProperty */
> -	u32 capability, property, property_count;
> +	u32 capability, property, property_count, val;
>
>  	/* TPM2_PCR_Read/Extend variables */
>  	int pcr_index = 0;
> @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
>  	case TPM2_CC_GET_CAPABILITY:
>  		capability = get_unaligned_be32(sent);
>  		sent += sizeof(capability);
> -		if (capability != TPM_CAP_TPM_PROPERTIES) {
> -			printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> -			return TPM2_RC_HANDLE;
> -		}
> -
>  		property = get_unaligned_be32(sent);
>  		sent += sizeof(property);
> -		property -= TPM2_PROPERTIES_OFFSET;
> -
>  		property_count = get_unaligned_be32(sent);
>  		sent += sizeof(property_count);
> -		if (!property_count ||
> -		    property + property_count > TPM2_PROPERTY_NB) {
> +
> +		switch (capability) {
> +		case TPM2_CAP_PCRS:
> +			break;
> +		case TPM2_CAP_TPM_PROPERTIES:
> +			if (!property_count) {
> +				rc = TPM2_RC_HANDLE;
> +				return sandbox_tpm2_fill_buf(recv, recv_len,
> +							     tag, rc);
> +			}
> +
> +			if (property >= TPM2_PROPERTIES_OFFSET &&
> +			    ((property - TPM2_PROPERTIES_OFFSET) +
> +			     property_count > TPM2_PROPERTY_NB)) {
> +				rc = TPM2_RC_HANDLE;
> +				return sandbox_tpm2_fill_buf(recv, recv_len,
> +							     tag, rc);
> +			}
> +			break;
> +		default:
> +			printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> +			       "TPM2_CAP_TPM_PROPERTIES\n");
>  			rc = TPM2_RC_HANDLE;
>  			return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
>  		}
> @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
>  		put_unaligned_be32(capability, recv);
>  		recv += sizeof(capability);
>
> -		/* Give the number of properties that follow */
> -		put_unaligned_be32(property_count, recv);
> -		recv += sizeof(property_count);
> -
> -		/* Fill with the properties */
> -		for (i = 0; i < property_count; i++) {
> -			put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> -					   i, recv);
> -			recv += sizeof(property);
> -			put_unaligned_be32(tpm->properties[property + i],
> -					   recv);
> -			recv += sizeof(property);
> +		switch (capability) {
> +		case TPM2_CAP_PCRS:
> +			/* Give the number of algorithms supported - just SHA256 */
> +			put_unaligned_be32(1, recv);
> +			recv += sizeof(u32);
> +
> +			/* Give SHA256 algorithm */
> +			put_unaligned_be16(TPM2_ALG_SHA256, recv);
> +			recv += sizeof(u16);
> +
> +			/* Select the PCRs supported */
> +			*recv = SANDBOX_TPM_PCR_SELECT_MAX;
> +			recv++;
> +
> +			/* Activate all the PCR bits */
> +			for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> +				*recv = 0xff;
> +				recv++;
> +			}
> +			break;
> +		case TPM2_CAP_TPM_PROPERTIES:
> +			/* Give the number of properties that follow */
> +			put_unaligned_be32(property_count, recv);
> +			recv += sizeof(property_count);
> +
> +			/* Fill with the properties */
> +			for (i = 0; i < property_count; i++) {
> +				put_unaligned_be32(property + i, recv);
> +				recv += sizeof(property);
> +				if (property >= TPM2_PROPERTIES_OFFSET) {
> +					val = tpm->properties[(property -
> +						TPM2_PROPERTIES_OFFSET) + i];
> +				} else {
> +					switch (property) {
> +					case TPM2_PT_PCR_COUNT:
> +						val = SANDBOX_TPM_PCR_NB;
> +						break;
> +					default:
> +						val = 0xffffffff;
> +						break;
> +					}
> +				}
> +
> +				put_unaligned_be32(val, recv);
> +				recv += sizeof(property);
> +			}
> +			break;
>  		}
>
>  		/* Add trailing \0 */
> diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> index c5835e6ef6..605719d2b6 100644
> --- a/lib/efi_loader/Kconfig
> +++ b/lib/efi_loader/Kconfig
> @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
>  	bool "EFI_TCG2_PROTOCOL support"
>  	default y
>  	depends on TPM_V2
> -	# Sandbox TPM currently fails on GetCapabilities needed for TCG2
> -	depends on !SANDBOX
>  	select SHA1
>  	select SHA256
>  	select SHA384
> --
> 2.31.1
>

Ilias Apalodimas May 9, 2023, 1:49 p.m. UTC | #2

Hi Eddie

On Thu, 16 Mar 2023 at 10:32, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Eddie,
>
> Apologies for the late reply, I am now getting back on this.
> There are some failures on the CI wrt to sandbox here [0].  Can you have a
> look ?
> Also I believe some of the existing tests are wrong because they are
> using PCR0 (which is always going to be extended).  Can you also pick up
> [1] with your series?
>
>
> [0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/pipelines/15471
> [1] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commit/0d28387cac5fafa59e4367d1548e021eeebe2004

I did manage to figure this out. You need this [0] with your patches.
Keep in mind that
("efi_loader: fix EFI_ENTRY point on get_active_pcr_banks ") needs to
be squashed with your patches as it's causing U-Boot to crash on
selftests.

You don't really need ("tpm: clean up tpm_init usage ") this is a WIP
i am exploring.  I'll go ahead and send the remaining patches and cc
you.  Once/if those are accepted, you can resend your series with the
fix I mentioned

[0] https://source.denx.de/u-boot/custodians/u-boot-tpm/-/commits/eddie
Regards
/Ilias
>
> Thanks
> /Ilias
>
> On Wed, Mar 08, 2023 at 03:25:33PM -0600, Eddie James wrote:
> > The driver needs to support getting the PCRs in the capabilities
> > command. Fix various other things and support the max number
> > of PCRs for TPM2.
> > Remove the !SANDBOX dependency for EFI TCG2 as well.
> >
> > Signed-off-by: Eddie James <eajames@linux.ibm.com>
> > Reviewed-by: Simon Glass <sjg@chromium.org>
> > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > ---
> > Changes since v8:
> >  - Use >= for checking the property against TPM2_PROPERTIES_OFFSET
> >
> > Changes since v5:
> >  - Remove the !SANDBOX dependency for EFI TCG2
> >
> >  drivers/tpm/tpm2_tis_sandbox.c | 100 ++++++++++++++++++++++++---------
> >  lib/efi_loader/Kconfig         |   2 -
> >  2 files changed, 72 insertions(+), 30 deletions(-)
> >
> > diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
> > index e4004cfcca..d15a28d9fc 100644
> > --- a/drivers/tpm/tpm2_tis_sandbox.c
> > +++ b/drivers/tpm/tpm2_tis_sandbox.c
> > @@ -22,11 +22,6 @@ enum tpm2_hierarchy {
> >       TPM2_HIERARCHY_NB,
> >  };
> >
> > -/* Subset of supported capabilities */
> > -enum tpm2_capability {
> > -     TPM_CAP_TPM_PROPERTIES = 0x6,
> > -};
> > -
> >  /* Subset of supported properties */
> >  #define TPM2_PROPERTIES_OFFSET 0x0000020E
> >
> > @@ -38,7 +33,8 @@ enum tpm2_cap_tpm_property {
> >       TPM2_PROPERTY_NB,
> >  };
> >
> > -#define SANDBOX_TPM_PCR_NB 1
> > +#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
> > +#define SANDBOX_TPM_PCR_SELECT_MAX   ((SANDBOX_TPM_PCR_NB + 7) / 8)
> >
> >  /*
> >   * Information about our TPM emulation. This is preserved in the sandbox
> > @@ -433,7 +429,7 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >       int i, j;
> >
> >       /* TPM2_GetProperty */
> > -     u32 capability, property, property_count;
> > +     u32 capability, property, property_count, val;
> >
> >       /* TPM2_PCR_Read/Extend variables */
> >       int pcr_index = 0;
> > @@ -542,19 +538,32 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >       case TPM2_CC_GET_CAPABILITY:
> >               capability = get_unaligned_be32(sent);
> >               sent += sizeof(capability);
> > -             if (capability != TPM_CAP_TPM_PROPERTIES) {
> > -                     printf("Sandbox TPM only support TPM_CAPABILITIES\n");
> > -                     return TPM2_RC_HANDLE;
> > -             }
> > -
> >               property = get_unaligned_be32(sent);
> >               sent += sizeof(property);
> > -             property -= TPM2_PROPERTIES_OFFSET;
> > -
> >               property_count = get_unaligned_be32(sent);
> >               sent += sizeof(property_count);
> > -             if (!property_count ||
> > -                 property + property_count > TPM2_PROPERTY_NB) {
> > +
> > +             switch (capability) {
> > +             case TPM2_CAP_PCRS:
> > +                     break;
> > +             case TPM2_CAP_TPM_PROPERTIES:
> > +                     if (!property_count) {
> > +                             rc = TPM2_RC_HANDLE;
> > +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> > +                                                          tag, rc);
> > +                     }
> > +
> > +                     if (property >= TPM2_PROPERTIES_OFFSET &&
> > +                         ((property - TPM2_PROPERTIES_OFFSET) +
> > +                          property_count > TPM2_PROPERTY_NB)) {
> > +                             rc = TPM2_RC_HANDLE;
> > +                             return sandbox_tpm2_fill_buf(recv, recv_len,
> > +                                                          tag, rc);
> > +                     }
> > +                     break;
> > +             default:
> > +                     printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
> > +                            "TPM2_CAP_TPM_PROPERTIES\n");
> >                       rc = TPM2_RC_HANDLE;
> >                       return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
> >               }
> > @@ -578,18 +587,53 @@ static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
> >               put_unaligned_be32(capability, recv);
> >               recv += sizeof(capability);
> >
> > -             /* Give the number of properties that follow */
> > -             put_unaligned_be32(property_count, recv);
> > -             recv += sizeof(property_count);
> > -
> > -             /* Fill with the properties */
> > -             for (i = 0; i < property_count; i++) {
> > -                     put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
> > -                                        i, recv);
> > -                     recv += sizeof(property);
> > -                     put_unaligned_be32(tpm->properties[property + i],
> > -                                        recv);
> > -                     recv += sizeof(property);
> > +             switch (capability) {
> > +             case TPM2_CAP_PCRS:
> > +                     /* Give the number of algorithms supported - just SHA256 */
> > +                     put_unaligned_be32(1, recv);
> > +                     recv += sizeof(u32);
> > +
> > +                     /* Give SHA256 algorithm */
> > +                     put_unaligned_be16(TPM2_ALG_SHA256, recv);
> > +                     recv += sizeof(u16);
> > +
> > +                     /* Select the PCRs supported */
> > +                     *recv = SANDBOX_TPM_PCR_SELECT_MAX;
> > +                     recv++;
> > +
> > +                     /* Activate all the PCR bits */
> > +                     for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
> > +                             *recv = 0xff;
> > +                             recv++;
> > +                     }
> > +                     break;
> > +             case TPM2_CAP_TPM_PROPERTIES:
> > +                     /* Give the number of properties that follow */
> > +                     put_unaligned_be32(property_count, recv);
> > +                     recv += sizeof(property_count);
> > +
> > +                     /* Fill with the properties */
> > +                     for (i = 0; i < property_count; i++) {
> > +                             put_unaligned_be32(property + i, recv);
> > +                             recv += sizeof(property);
> > +                             if (property >= TPM2_PROPERTIES_OFFSET) {
> > +                                     val = tpm->properties[(property -
> > +                                             TPM2_PROPERTIES_OFFSET) + i];
> > +                             } else {
> > +                                     switch (property) {
> > +                                     case TPM2_PT_PCR_COUNT:
> > +                                             val = SANDBOX_TPM_PCR_NB;
> > +                                             break;
> > +                                     default:
> > +                                             val = 0xffffffff;
> > +                                             break;
> > +                                     }
> > +                             }
> > +
> > +                             put_unaligned_be32(val, recv);
> > +                             recv += sizeof(property);
> > +                     }
> > +                     break;
> >               }
> >
> >               /* Add trailing \0 */
> > diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
> > index c5835e6ef6..605719d2b6 100644
> > --- a/lib/efi_loader/Kconfig
> > +++ b/lib/efi_loader/Kconfig
> > @@ -333,8 +333,6 @@ config EFI_TCG2_PROTOCOL
> >       bool "EFI_TCG2_PROTOCOL support"
> >       default y
> >       depends on TPM_V2
> > -     # Sandbox TPM currently fails on GetCapabilities needed for TCG2
> > -     depends on !SANDBOX
> >       select SHA1
> >       select SHA256
> >       select SHA384
> > --
> > 2.31.1
> >
>
>

diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
index e4004cfcca..d15a28d9fc 100644
--- a/drivers/tpm/tpm2_tis_sandbox.c
+++ b/drivers/tpm/tpm2_tis_sandbox.c
@@ -22,11 +22,6 @@  enum tpm2_hierarchy {
 	TPM2_HIERARCHY_NB,
 };
 
-/* Subset of supported capabilities */
-enum tpm2_capability {
-	TPM_CAP_TPM_PROPERTIES = 0x6,
-};
-
 /* Subset of supported properties */
 #define TPM2_PROPERTIES_OFFSET 0x0000020E
 
@@ -38,7 +33,8 @@  enum tpm2_cap_tpm_property {
 	TPM2_PROPERTY_NB,
 };
 
-#define SANDBOX_TPM_PCR_NB 1
+#define SANDBOX_TPM_PCR_NB TPM2_MAX_PCRS
+#define SANDBOX_TPM_PCR_SELECT_MAX	((SANDBOX_TPM_PCR_NB + 7) / 8)
 
 /*
  * Information about our TPM emulation. This is preserved in the sandbox
@@ -433,7 +429,7 @@  static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
 	int i, j;
 
 	/* TPM2_GetProperty */
-	u32 capability, property, property_count;
+	u32 capability, property, property_count, val;
 
 	/* TPM2_PCR_Read/Extend variables */
 	int pcr_index = 0;
@@ -542,19 +538,32 @@  static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
 	case TPM2_CC_GET_CAPABILITY:
 		capability = get_unaligned_be32(sent);
 		sent += sizeof(capability);
-		if (capability != TPM_CAP_TPM_PROPERTIES) {
-			printf("Sandbox TPM only support TPM_CAPABILITIES\n");
-			return TPM2_RC_HANDLE;
-		}
-
 		property = get_unaligned_be32(sent);
 		sent += sizeof(property);
-		property -= TPM2_PROPERTIES_OFFSET;
-
 		property_count = get_unaligned_be32(sent);
 		sent += sizeof(property_count);
-		if (!property_count ||
-		    property + property_count > TPM2_PROPERTY_NB) {
+
+		switch (capability) {
+		case TPM2_CAP_PCRS:
+			break;
+		case TPM2_CAP_TPM_PROPERTIES:
+			if (!property_count) {
+				rc = TPM2_RC_HANDLE;
+				return sandbox_tpm2_fill_buf(recv, recv_len,
+							     tag, rc);
+			}
+
+			if (property >= TPM2_PROPERTIES_OFFSET &&
+			    ((property - TPM2_PROPERTIES_OFFSET) +
+			     property_count > TPM2_PROPERTY_NB)) {
+				rc = TPM2_RC_HANDLE;
+				return sandbox_tpm2_fill_buf(recv, recv_len,
+							     tag, rc);
+			}
+			break;
+		default:
+			printf("Sandbox TPM2 only supports TPM2_CAP_PCRS or "
+			       "TPM2_CAP_TPM_PROPERTIES\n");
 			rc = TPM2_RC_HANDLE;
 			return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
 		}
@@ -578,18 +587,53 @@  static int sandbox_tpm2_xfer(struct udevice *dev, const u8 *sendbuf,
 		put_unaligned_be32(capability, recv);
 		recv += sizeof(capability);
 
-		/* Give the number of properties that follow */
-		put_unaligned_be32(property_count, recv);
-		recv += sizeof(property_count);
-
-		/* Fill with the properties */
-		for (i = 0; i < property_count; i++) {
-			put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
-					   i, recv);
-			recv += sizeof(property);
-			put_unaligned_be32(tpm->properties[property + i],
-					   recv);
-			recv += sizeof(property);
+		switch (capability) {
+		case TPM2_CAP_PCRS:
+			/* Give the number of algorithms supported - just SHA256 */
+			put_unaligned_be32(1, recv);
+			recv += sizeof(u32);
+
+			/* Give SHA256 algorithm */
+			put_unaligned_be16(TPM2_ALG_SHA256, recv);
+			recv += sizeof(u16);
+
+			/* Select the PCRs supported */
+			*recv = SANDBOX_TPM_PCR_SELECT_MAX;
+			recv++;
+
+			/* Activate all the PCR bits */
+			for (i = 0; i < SANDBOX_TPM_PCR_SELECT_MAX; ++i) {
+				*recv = 0xff;
+				recv++;
+			}
+			break;
+		case TPM2_CAP_TPM_PROPERTIES:
+			/* Give the number of properties that follow */
+			put_unaligned_be32(property_count, recv);
+			recv += sizeof(property_count);
+
+			/* Fill with the properties */
+			for (i = 0; i < property_count; i++) {
+				put_unaligned_be32(property + i, recv);
+				recv += sizeof(property);
+				if (property >= TPM2_PROPERTIES_OFFSET) {
+					val = tpm->properties[(property -
+						TPM2_PROPERTIES_OFFSET) + i];
+				} else {
+					switch (property) {
+					case TPM2_PT_PCR_COUNT:
+						val = SANDBOX_TPM_PCR_NB;
+						break;
+					default:
+						val = 0xffffffff;
+						break;
+					}
+				}
+
+				put_unaligned_be32(val, recv);
+				recv += sizeof(property);
+			}
+			break;
 		}
 
 		/* Add trailing \0 */
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index c5835e6ef6..605719d2b6 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -333,8 +333,6 @@  config EFI_TCG2_PROTOCOL
 	bool "EFI_TCG2_PROTOCOL support"
 	default y
 	depends on TPM_V2
-	# Sandbox TPM currently fails on GetCapabilities needed for TCG2
-	depends on !SANDBOX
 	select SHA1
 	select SHA256
 	select SHA384

[v9,2/6] tpm: sandbox: Update for needed TPM2 capabilities

Commit Message

Comments

Patch