Skip to content

Use all active TPM banks for Measured Boot #821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SergiiDmytruk wants to merge 9 commits into
base: dasharo
Choose a base branch
from
Open

Use all active TPM banks for Measured Boot #821

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
02f5525
security/tpm/tss/tcg-2.0/tss: move tpm2_get_capability_pcrs() here
SergiiDmytruk Nov 30, 2025
4b3c51b
security/tpm: prepare API for multiple active banks
SergiiDmytruk Dec 1, 2025
f914cfe
security/tpm/tss/tcg-2.0: enable extending multiple PCR banks
SergiiDmytruk Dec 12, 2025
362ed5a
security/tpm: stop using fixed-size entries in TPM 2.0 log
SergiiDmytruk Dec 13, 2025
943f1b6
security/intel/cbnt/measurement.c: extract measurement functions
SergiiDmytruk Dec 14, 2025
27ebc1b
security/intel/cbnt/measurement.c: support multiple PCR banks
SergiiDmytruk Dec 15, 2025
e688fc4
security/vboot/tpm_common.c: support multiple banks
SergiiDmytruk Dec 15, 2025
2bbe938
lib/cbfs.c,security/tpm/tspi: support multiple banks
SergiiDmytruk Dec 15, 2025
69aee15
security/tpm: detect and use all active PCR banks
SergiiDmytruk Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion configs/config.emulation_qemu_x86_q35_uefi
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ CONFIG_DRIVERS_EFI_MAIN_FW_LSV=0x00020101
CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y
CONFIG_TPM1=y
CONFIG_TPM2=y
CONFIG_TPM_HASH_SHA256=y
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
# CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
# CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
Expand Down
1 change: 0 additions & 1 deletion configs/config.emulation_qemu_x86_q35_uefi_all_menus
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ CONFIG_UDK_202005_BINDING=y
CONFIG_DRIVERS_EFI_VARIABLE_STORE=y
CONFIG_TPM1=y
CONFIG_TPM2=y
CONFIG_TPM_HASH_SHA256=y
CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
# CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
# CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
Expand Down
21 changes: 6 additions & 15 deletions src/lib/cbfs.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,21 +186,12 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
}

if (CONFIG(TPM_MEASURED_BOOT) && !ENV_SMM) {
struct vb2_hash calculated_hash;

/* No need to re-hash file if we already have it from verification. */
if (!hash || hash->algo != tpm_log_alg()) {
if (vb2_hash_calculate(vboot_hwcrypto_allowed(), buffer, size,
tpm_log_alg(), &calculated_hash))
hash = NULL;
else
hash = &calculated_hash;
}

if (!hash ||
tspi_cbfs_measurement(mdata->h.filename, be32toh(mdata->h.type), hash))
ERROR("failed to measure '%s' into TPM log\n", mdata->h.filename);
/* We intentionally continue to boot on measurement errors. */
tpm_result_t rc = tspi_cbfs_measurement(mdata->h.filename, buffer, size,
be32toh(mdata->h.type), hash);
if (rc != TPM_SUCCESS)
ERROR("failed to measure '%s' into TPM log, error %#x\n",
mdata->h.filename, rc);
/* We intentionally continue to boot on measurement errors. */
}

return false;
Expand Down
Loading