On 10/22/21 2:39 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 09:24:55AM -0400, Stefan Berger wrote:
>> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
>>> Allows to compile OVMF without HashInstanceLibSha1,
>>> i.e. no SHA1 hash support in TPM/TCG modules.
>>
>> Does that then mean that the SHA1 bank in a TPM 2 stays untouched, meaning
>> the PCRs there won't get extended even though the bank is there and active?
>
> Not fully sure. The tcg2 config menu looks like this:
>
>    [ ... ]
>    TPM2 Active PCR Hash        SHA1, SHA256
>    Algorithm
>    TPM2 Hardware Supported     SHA1, SHA256, SHA384,
>    Hash Algorithm              SHA512
>    BIOS Supported Hash         SHA256, SHA384, SHA512
>    Algorithm
>    [ ... ]
>    TCG2 Protocol Configuration
>    Supported Event Log Format  TCG_2
>    Hash Algorithm Bitmap       SHA256, SHA384, SHA512
>    Number of PCR Banks         3
>    Active PCR Banks            SHA256
>    PCR Bank: SHA1              [ ]
>    PCR Bank: SHA256            [X]
>    PCR Bank: SHA384            [ ]
>    PCR Bank: SHA512            [ ]
>    [ ... ]
>
> Which looks correct to me (SHA1 bank present but not active).

I see this also but when I get into Linux and run tpm2_pcrread I see the
SHA1 bank active but not having received any PCR extensions from the
firmware, which is not supposed to happen. So I think you should drop
this patch and I'll change the set of active PCR banks on the
swtpm_setup level.
Stefan

> take care,
>   Gerd
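
A check for the condition described in this reply, a bank that the OS sees as active although the firmware never extended it, as an added example that is not part of the original thread. It assumes the bank-header and `index : 0xDIGEST` layout that tpm2_pcrread prints; the function names are this example's own and the sample digests are constructed.

```python
import re

BANK_RE = re.compile(r"^\s*(\w+)\s*:\s*$")                  # e.g. "  sha1:"
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")  # e.g. "    0 : 0x00.."


def make_sample():
    """Constructed tpm2_pcrread-style output: sha1 untouched, sha256 extended."""
    lines = ["  sha1:"]
    lines += [f"    {i} : 0x{'00' * 20}" for i in range(8)]
    lines.append("  sha256:")
    # Made-up non-zero digests standing in for real measurements.
    lines += [f"    {i} : 0x{(bytes([i + 1]) * 32).hex().upper()}" for i in range(8)]
    lines.append("  sha384:")  # header only: bank not allocated
    return "\n".join(lines)


def parse_pcrread(text):
    """Return {bank: {pcr_index: digest_bytes}} from tpm2_pcrread-style text."""
    banks, current = {}, None
    for line in text.splitlines():
        pcr, bank = PCR_RE.match(line), BANK_RE.match(line)
        if pcr:
            if current is None:
                raise ValueError("PCR value before any bank header")
            banks[current][int(pcr.group(1))] = bytes.fromhex(pcr.group(2))
        elif bank:
            current = bank.group(1)
            banks[current] = {}
    return banks


def unmeasured_banks(banks, firmware_pcrs=range(8)):
    """Banks that expose PCRs 0-7 but still hold only reset (all-zero) values."""
    flagged = []
    for name, pcrs in banks.items():
        values = [pcrs[i] for i in firmware_pcrs if i in pcrs]
        # A bank with no PCR lines is treated as not allocated and skipped.
        if values and not any(any(v) for v in values):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in unmeasured_banks(parse_pcrread(make_sample())):
        print(f"bank {name}: active, but PCRs 0-7 were never extended")
```

A flagged bank carries no record of what the firmware measured, so attestation policy should not rely on quotes taken over it.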