security/tpm: detect and use all active PCR banks

SergiiDmytruk · SergiiDmytruk · commit 5c23cb0c62e5 · 2025-12-20T00:44:25.000+02:00
All of the client has already been updated to permit use of multiple
banks, but at most one was ever enabled.  TPM 2 log was also updated to
permit handling of multiple digests, but similarly only one was in use.

From now on, it's possible to configure more than one digest (only SHA1
and SHA256 are selected by default).  This changes previous TSPI API of
`tpm_log_alg()` (single hash) to `tpm_log_alg_active(enum
vb2_hash_algorithm)` coupled with `enabled_tpm_algs` array (multiple
hashes).

The bulk of the code here is for dealing with the set of banks of TPM:
 - querying it from the device to know what digests should be used
 - synchronizing set of digests in the log with the actual set of active
   banks
The latter is needed in case TPM is initialized in ramstage while
measurements are accumulated starting from the bootblock.  An
alternative was to require initializing TPM in the bootblock, but
bootblock may not have enough space for the extra code required for
TPM, hence a different approach was taken: take all supported hashes
before TPM is initialized, trim unnecessary digests after the
initialization.

Change-Id: Ia326b22869c4983fc4e02e150461e7a9ff94dc4e
Upstream-Status: Pending
Signed-off-by: Sergii Dmytruk &lt;sergii.dmytruk@3mdeb.com&gt;
diff --git a/configs/config.emulation_qemu_x86_q35_uefi b/configs/config.emulation_qemu_x86_q35_uefi
@@ -14,7 +14,6 @@ CONFIG_DRIVERS_EFI_MAIN_FW_LSV=0x00020101
 CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=y
 CONFIG_TPM1=y
 CONFIG_TPM2=y
-CONFIG_TPM_HASH_SHA256=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
 # CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
 # CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
diff --git a/configs/config.emulation_qemu_x86_q35_uefi_all_menus b/configs/config.emulation_qemu_x86_q35_uefi_all_menus
@@ -9,7 +9,6 @@ CONFIG_UDK_202005_BINDING=y
 CONFIG_DRIVERS_EFI_VARIABLE_STORE=y
 CONFIG_TPM1=y
 CONFIG_TPM2=y
-CONFIG_TPM_HASH_SHA256=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_0=y
 # CONFIG_CONSOLE_USE_LOGLEVEL_PREFIX is not set
 # CONFIG_CONSOLE_USE_ANSI_ESCAPES is not set
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
@@ -108,22 +108,20 @@ config TPM_LOG_TPM2
 
 endchoice
 
-choice
-	prompt "TPM2 hashing algorithm"
-	depends on TPM_MEASURED_BOOT && (TPM_LOG_TCG || TPM_LOG_TPM2)
-	default TPM_HASH_SHA1 if TPM1
-	default TPM_HASH_SHA256 if TPM2
+if TPM_MEASURED_BOOT && (TPM_LOG_TCG || TPM_LOG_TPM2)
 
 config TPM_HASH_SHA1
-	bool "SHA1"
+	bool "SHA1 PCR hashing"
+	default y if TPM1 || TPM2
 config TPM_HASH_SHA256
-	bool "SHA256"
+	bool "SHA256 PCR hashing"
+	default y if TPM2
 config TPM_HASH_SHA384
-	bool "SHA384"
+	bool "SHA384 PCR hashing"
 config TPM_HASH_SHA512
-	bool "SHA512"
+	bool "SHA512 PCR hashing"
 
-endchoice
+endif
 
 config TPM_MEASURED_BOOT_INIT_BOOTBLOCK
 	bool
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
@@ -43,36 +43,20 @@ static inline bool tpm_log_use_tpm2_format(void)
 }
 
 /**
- * Retrieves hash algorithm used by TPM event log or VB2_HASH_INVALID.
+ * Checks whether a PCR banks corresponding to a hash algorithm is active.
  */
-static inline enum vb2_hash_algorithm tpm_log_alg(void)
+static inline bool tpm_log_alg_active(enum vb2_hash_algorithm alg)
 {
 	if (CONFIG(TPM_LOG_CB))
-		return (tlcl_get_family() == TPM_1 ? VB2_HASH_SHA1 : VB2_HASH_SHA256);
+		return alg == (tlcl_get_family() == TPM_1 ? VB2_HASH_SHA1 : VB2_HASH_SHA256);
 
 	if (tpm_log_use_tpm1_format())
-		return VB2_HASH_SHA1;
-
-	if (tpm_log_use_tpm2_format()) {
-		if (CONFIG(TPM_HASH_SHA1))
-			return VB2_HASH_SHA1;
-		if (CONFIG(TPM_HASH_SHA256))
-			return VB2_HASH_SHA256;
-		if (CONFIG(TPM_HASH_SHA384))
-			return VB2_HASH_SHA384;
-		if (CONFIG(TPM_HASH_SHA512))
-			return VB2_HASH_SHA512;
-	}
+		return alg == VB2_HASH_SHA1;
 
-	return VB2_HASH_INVALID;
-}
+	if (tpm_log_use_tpm2_format())
+		return tpm2_log_alg_active(alg);
 
-/**
- * Checks whether a PCR banks corresponding to a hash algorithm is active.
- */
-static inline bool tpm_log_alg_active(enum vb2_hash_algorithm alg)
-{
-	return alg == tpm_log_alg();
+	return false;
 }
 
 /**
@@ -179,6 +163,15 @@ static inline void tpm_log_startup_locality(int locality)
 		tpm2_log_startup_locality(locality);
 }
 
+/**
+ * Align TPM log with the TPM if necessary.
+ */
+static inline void tpm_log_align_with_tpm(void)
+{
+	if (tpm_log_use_tpm2_format())
+		tpm2_log_align_with_tpm();
+}
+
 /**
  * Dump TPM log entries on console
  */
diff --git a/src/security/tpm/tspi/crtm.c b/src/security/tpm/tspi/crtm.c
@@ -180,6 +180,13 @@ tpm_result_t tspi_measure_cache_to_pcr(void)
 		return TPM_CB_FAIL;
 	}
 
+	/*
+	 * At this point TPM has been initialized, but none of coreboot's measurements have been
+	 * submitted to it yet.  Before extending cached digests, invoke a log-specific function
+	 * to do modifications based on the information queried from a TPM.
+	 */
+	tpm_log_align_with_tpm();
+
 	printk(BIOS_DEBUG, "TPM: Write digests cached in TPM log to PCR\n");
 	i = 0;
 	while (!tpm_log_get(i++, &pcr, digests, &event_name)) {
diff --git a/src/security/tpm/tspi/log-tpm2.c b/src/security/tpm/tspi/log-tpm2.c
diff --git a/src/security/tpm/tspi/logs.h b/src/security/tpm/tspi/logs.h
