#u-boot on 2022-10-26 — irc logs at libera.irclog.whitequark.org

2022-10-04 15:46 xypron changed the topic of #u-boot to: #u-boot SOURCE MOVED TO https://source.denx.de/u-boot/u-boot.git / U-Boot 2023.01 / Merge Window is OPEN, -next is CLOSED / Release v2023.01 is scheduled for 2023-01-09 / Channel archives at https://libera.irclog.whitequark.org/u-boot

00:08 <marex> apalos-: was it you who did the TPM2.x device support in U-Boot ?

00:17 vagrantc has quit [Quit: leaving]

00:20 torez has quit [Quit: torez]

00:27 mmu_man has quit [Ping timeout: 240 seconds]

00:32 qschulz has quit [Remote host closed the connection]

00:35 qschulz has joined #u-boot

01:20 tafama has joined #u-boot

01:20 tafa has quit [Ping timeout: 268 seconds]

01:23 camus has quit [Quit: camus]

01:41 umbramalison has quit [Quit: %So long and thanks for all the fish%]

01:41 umbramalison has joined #u-boot

01:46 umbramalison has quit [Client Quit]

01:47 umbramalison has joined #u-boot

01:52 thopiekar_ has joined #u-boot

01:53 thopiekar has quit [Ping timeout: 272 seconds]

01:53 camus has joined #u-boot

02:25 GNUtoo has quit [Ping timeout: 258 seconds]

02:29 jclsn has quit [Ping timeout: 240 seconds]

02:31 jclsn has joined #u-boot

02:32 GNUtoo has joined #u-boot

04:15 hanetzer has joined #u-boot

04:32 camus1 has joined #u-boot

04:32 camus has quit [Ping timeout: 250 seconds]

04:32 camus1 is now known as camus

04:42 xroumegue has quit [Ping timeout: 264 seconds]

04:54 xroumegue has joined #u-boot

05:04 ikarso has joined #u-boot

05:11 rvalue has quit [Read error: Connection reset by peer]

05:11 rvalue has joined #u-boot

05:18 jagan has quit [Ping timeout: 272 seconds]

05:39 ladis has joined #u-boot

06:11 ldevulder has quit [Quit: Leaving]

06:22 ldevulder has joined #u-boot

06:37 mncheck has joined #u-boot

06:55 guillaume_g has joined #u-boot

07:00 zibolo has joined #u-boot

07:02 frieder has joined #u-boot

07:11 m5zs7k has quit [Ping timeout: 250 seconds]

07:20 m5zs7k has joined #u-boot

07:45 xypron has left #u-boot [#u-boot]

07:45 xypron has joined #u-boot

08:09 thopiekar_ has quit [Ping timeout: 252 seconds]

08:10 mckoan|away is now known as mckoan

08:14 thopiekar has joined #u-boot

08:29 <apalos-> marex: not all of it

08:29 <apalos-> there was some preexisting support, I just cleaned up the drivers a lot

08:29 <apalos-> and I add a TCG layer, so we now need ~100 lines per driver, instead of 1500ish

08:30 <apalos-> i added the tpm mmio driver for qemu as well, but I haven't really touched the rest

08:30 <apalos-> (of the drivers)

08:40 sszy has joined #u-boot

08:43 apalos- is now known as apalos

08:45 macromorgan has quit [Read error: Connection reset by peer]

08:50 Algotech has joined #u-boot

08:53 <apalos> marex: which part are you looking at ?

08:58 Algotech has quit [Quit: Leaving]

08:58 Algotech has joined #u-boot

09:00 <marex> apalos: TPM2 support for drive encryption

09:01 <marex> apalos: if I understand it right, I can pick any TPM2.x compatible chip with I2C/SPI bus and that would work with the upstream U-Boot driver, because the register interface is standardized ?

09:02 <marex> apalos: and the TPM would allow me to pull out some sort of key in case the system wasn't tampered with on boot, which I can use to decrypt luks volume ?

09:07 GNUtoo has quit [Ping timeout: 258 seconds]

09:10 apritzel_ has joined #u-boot

09:13 GNUtoo has joined #u-boot

09:37 Algotech75 has joined #u-boot

09:37 <apalos> yes

09:37 <apalos> but you need efi for it

09:38 <apalos> and that is the part I wrote, it's the EFI_TCG protocol

09:39 camus has quit [Ping timeout: 240 seconds]

09:40 camus has joined #u-boot

09:47 <apalos> any spi tpm should work fine

09:48 <apalos> then you boot up, efi-stub on the kernel does a couple of more measurements (i added initrd and kerndl cmdline recently)

09:48 <apalos> and you have have an initrd to decrypt you luks volume with a key that's 'hidden' in th tpm

09:50 Algotech has quit [Quit: Leaving]

09:50 Algotech has joined #u-boot

09:58 thopiekar has quit [Ping timeout: 272 seconds]

10:00 <marex> apalos: and this is used to tie together the software on the platform with the TPM, so that nobody can pull out the storage from the system and use it elsewhere, right ?

10:02 thopiekar has joined #u-boot

10:04 mckoan is now known as mckoan|away

10:08 Algotech has quit [Quit: Leaving]

10:09 Algotech75 is now known as Algotech

10:14 naoki has quit [Quit: naoki]

10:17 naoki has joined #u-boot

10:23 prabhakarlad has quit [Quit: Client closed]

10:37 prabhakarlad has joined #u-boot

10:44 <apalos> marex: yes

10:44 <apalos> well it depends on the PCRs you use to seal the key against

10:45 <apalos> we usually just use PCR7 for now, which holds the EFI secure boot key values

10:45 <apalos> but you can use more PCRs when sealing e.g include the u-boot version -- the initrd you used etc

10:45 <apalos> the hard part is updating those measurements on a firmware upgrade

10:45 <apalos> People usually refer to it as 'PCR prediction'

10:46 <apalos> however there's an easier way to deal with it, which is called authenticated PCR policies

10:46 <apalos> https://www.intel.com/content/www/us/en/developer/articles/code-sample/protecting-secret-data-and-keys-using-intel-platform-trust-technology.html

10:46 minimal has joined #u-boot

10:46 <apalos> This is a good read of the fundamentals tbh

10:53 mmu_man has joined #u-boot

11:13 <marex> apalos: nice, thanks !

11:45 yollom has joined #u-boot

11:46 <yollom> If I have an env in SPI flash programmed by a vendor how can I find the size? U-Boot seems to happily read it with ENV_IS_IN_SPI_FLASH

11:46 <yollom> I'm trying to read it from userspace with fw_printenv

11:52 ladis has quit [Ping timeout: 272 seconds]

11:52 <marex> yollom: if you have mtdparts defined, look at /proc/mtd

11:52 <marex> there might be separate mtdpart for just env

11:59 <yollom> The env doesn't have to be the same size. In my experience it is typically smaller

11:59 <yollom> And there's a hash over the ENV_SIZE, right?

12:01 <marex> yollom: see include/env_internal.h, there is crc(4byte)[,flags(byte) but optional, only in case of redundant env],data

12:01 <marex> yollom: often if the board does define mtdparts, the mtdpart for env is the same size as env

12:02 <marex> if all you get is the whole SPI NOR as flat mtdX device, hum

12:02 <marex> yollom: which board is this, custom ?

12:02 <yollom> Ah, the env size does equal the size of the mtd

12:02 <marex> yollom: it _might_

12:02 <marex> it is not an iron rule

12:02 <yollom> Yup, no, I just tested it

12:03 <yollom> A ADI reference board

12:03 <yollom> And the env in SPI flash doesn't seem to match what I could find in source

12:03 <marex> blackfin ? :)

12:03 <marex> errr

12:03 <yollom> All set, can read the env fw_printenv now. Thanks!

12:05 <marex> yollom: so it had mtdparts after all ?

12:07 <yollom> I just read /dev/mtd* form Linux and `du -b`

12:12 <marex> yollom: well that works too

12:17 monstr has joined #u-boot

12:26 jagan has joined #u-boot

12:56 rvalue has quit [Read error: Connection reset by peer]

12:56 rvalue has joined #u-boot

13:13 torez has joined #u-boot

13:13 macromorgan has joined #u-boot

13:25 ladis has joined #u-boot

14:14 ikarso has quit [Quit: Connection closed for inactivity]

14:37 thopiekar has quit [Ping timeout: 252 seconds]

14:47 mmu_man has quit [Ping timeout: 246 seconds]

14:59 thopiekar has joined #u-boot

15:06 mmu_man has joined #u-boot

15:21 zibolo has quit [Ping timeout: 272 seconds]

15:29 alan_o has quit [Quit: Leaving]

15:29 alan_o has joined #u-boot

15:31 alan_o has quit [Client Quit]

15:31 alan_o has joined #u-boot

15:47 <tlwoerner> marex: ADI has newer boards that aren't quite blackfin, but sorta are

15:48 <tlwoerner> i.e. the have a cortex-A5 for the SoC, but they still use bootroms that clearly are from the blackfin era (i.e. they use ldr)

15:48 * tlwoerner is working with one such board now

15:49 <tlwoerner> https://www.analog.com/en/design-center/evaluation-hardware-and-software/evaluation-boards-kits/eval-adsp-sc589.html

15:54 mmu_man has quit [Ping timeout: 276 seconds]

16:00 kmaincent[m] has quit [Quit: You have been kicked for being idle]

16:10 jagan has quit [Ping timeout: 240 seconds]

16:12 mmu_man has joined #u-boot

16:13 monstr has quit [Quit: Leaving]

16:22 mmu_man has quit [Ping timeout: 252 seconds]

16:25 guillaume_g has quit [Quit: Konversation terminated!]

16:30 frieder has quit [Remote host closed the connection]

16:31 PhoenixMage has quit [Ping timeout: 252 seconds]

16:33 PhoenixMage has joined #u-boot

16:35 vagrantc has joined #u-boot

16:39 PhoenixMage has quit [Ping timeout: 250 seconds]

16:41 PhoenixMage has joined #u-boot

16:49 PhoenixMage has quit [Ping timeout: 272 seconds]

16:51 PhoenixMage has joined #u-boot

16:52 <marex> tlwoerner: interesting

17:09 sszy has quit [Ping timeout: 272 seconds]

17:19 GNUtoo has quit [Remote host closed the connection]

17:20 GNUtoo has joined #u-boot

17:33 apritzel_ has quit [Ping timeout: 250 seconds]

17:35 thopiekar has quit [Ping timeout: 272 seconds]

18:12 alan_o has quit [Ping timeout: 272 seconds]

19:01 minimal has quit [Quit: Leaving]

19:02 thopiekar has joined #u-boot

19:36 pgreco_ is now known as pgreco

19:44 Gravis has quit [Ping timeout: 240 seconds]

19:48 mmu_man has joined #u-boot

20:04 torez has quit [Quit: torez]

20:05 ladis has quit [Ping timeout: 276 seconds]

21:34 Gravis has joined #u-boot

21:37 GNUtoo has quit [Ping timeout: 258 seconds]

22:17 mmu_man has quit [Ping timeout: 240 seconds]

22:30 mmu_man has joined #u-boot

23:06 prabhakarlad has quit [Quit: Client closed]

23:16 Gravis has quit [Ping timeout: 272 seconds]

23:27 minimal has joined #u-boot