<sjg1>
apalos: I am not trying to break anything. Why would I want to do that?
<apalos>
sjg1: we mentioned it a few times
<apalos>
If the tpm tries to extend stuff and the algos are not there you are creating potential holes
<apalos>
Anyway I am on the road, I'll have a look next wekk probably
<apalos>
It's only the chromebook you mention that breaks?
<apalos>
(and I am obviously not suggesting you are trying to break stuff on purpose if thats not already clear)
<sjg1>
Yes just that Chromebook, but I'm not keen on the idea that enabling the tpm unconditionally adds these algos. I spent ages getting the hash stuff down to a reasonable and configurable size...now we just ignore it. If the tpm tries to extend and the algo is not available, it should fail, not blinding continue
<sjg1>
apalos: *blindly
<apalos>
but the tpm knows nothing about it
slobodan has quit [Read error: Connection reset by peer]
<apalos>
*you* calculate the checksum you extend
<apalos>
the tpmn only writes the results in some registers
<apalos>
So if you dont have support for the algorithms it's configured those banks will probably end up with ll 0s
<apalos>
all 0s*
slobodan has joined #u-boot
<apalos>
so in order to do what you want, we need to check what the tpm has configured and try to figure out what we gave available....
<apalos>
and then faiul *what*?
<apalos>
the command? Booting?
<sjg1>
Yes, fail booting. Otherwise it would create a security hole. The case is already covered by the 'select's in Kconfig, for the measured boot, etc. We are only talking about the case where that is not enabled, but we want to have a tpm command that works
Clamor has quit [Ping timeout: 260 seconds]
eballetbo has quit [Quit: Connection closed for inactivity]
Clamor has joined #u-boot
<apalos>
ok,
<apalos>
I think I can fix that
Clamor has quit [Read error: Connection reset by peer]
<apalos>
sjg1: kind of unrelated to the above but
<apalos>
I have a cleanup series for efi measured boot. When the code was moved out of EFI to the tpm some things got duplicated
<apalos>
I have internal tests that run on buildbot & qemu to test the changes
<apalos>
but we should those tests to QEMU and the u-boot CI
<apalos>
I'll ping on how to do that
<apalos>
I'll send the series next week probably
<apalos>
also moving all to common/hash.c isnt too realistic
<apalos>
but we define the shaX lengths in 3-4 diferent places,
<apalos>
that *can* be cleaned up, I'll see what I can do about that
<sjg1>
apalos: OK SGTM
pbsds34 has joined #u-boot
pbsds3 has quit [Ping timeout: 268 seconds]
pbsds34 is now known as pbsds3
naoki has joined #u-boot
tec has quit [Quit: bye!]
tec has joined #u-boot
slobodan has quit [Read error: Connection reset by peer]
slobodan_ has joined #u-boot
polprog has quit [Remote host closed the connection]
<apalos>
sjg1: its a bit messy...
<apalos>
Not the idea the idea doanle, but look at cmd/tpm-v1.c
<apalos>
It sometime calls tpm1_xxx functions from the API
<apalos>
while other times it calles the tpm_xxx wrappers from the API...
<apalos>
so for example the tpm command instead of doing tpm1.x right now randnly workss on tpmv2s as well
<apalos>
the tpm-v2 seems more consistent
<apalos>
we got 2 options here
<apalos>
we either unify the tpm command and always call the API
<apalos>
or we split them and always call tpm1_xx and tpm2_xx explicitly
polprog has joined #u-boot
logicalerzor has joined #u-boot
slobodan_ has quit [Ping timeout: 264 seconds]
<logicalerzor>
i find it quite strange that ‘# CONFIG_DISPLAY_CPUINFO is not set’ is needed in order to compile qcom_defconfig. didnt expect a comment to be neccessary tbh :P