On 10/22/21 2:39 AM, Gerd Hoffmann wrote:
> On Thu, Oct 21, 2021 at 09:24:55AM -0400, Stefan Berger wrote:
>> On 10/21/21 8:20 AM, Gerd Hoffmann wrote:
>>> Allows to compile OVMF without HashInstanceLibSha1,
>>> i.e. no SHA1 hash support in TPM/TCG modules.
>> Does that then mean that the SHA1 bank in a TPM 2 stays untouched, meaning
>> the PCRs there won't get extended even though the bank is there and active?
> Not fully sure.  The tcg2 config menu looks like this:
>
> [ ... ]
>     TPM2 Active PCR Hash       SHA1, SHA256
>     Algorithm
>     TPM2 Hardware Supported    SHA1, SHA256, SHA384,
>     Hash Algorithm             SHA512
>     BIOS Supported Hash        SHA256, SHA384, SHA512
>     Algorithm
> [ ... ]
>     TCG2 Protocol Configuration
>     Supported Event Log Format TCG_2
>     Hash Algorithm Bitmap      SHA256, SHA384, SHA512
>     Number of PCR Banks        3
>     Active PCR Banks           SHA256
>
>       PCR Bank: SHA1           [ ]
>       PCR Bank: SHA256         [X]
>       PCR Bank: SHA384         [ ]
>       PCR Bank: SHA512         [ ]
> [ ... ]
>
> Which looks correct to me (SHA1 bank present but not active).

I see this also but when I get into Linux and run tpm2_pcrread I see the SHA1 bank active but not having received any PCR extensions from the firmware, which is not supposed to happen. So I think you should drop this patch and I'll change the set of active PCR banks on the swtpm_setup level.

   Stefan



> take care,
>    Gerd
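An added example, not part of either author's message: a check for the condition described in the reply above, where a bank is allocated in the TPM but its firmware PCRs (0-7) still hold the all-zero reset value, so nothing sealed to or attested from that bank reflects the boot. It assumes the `bank:` / `index : 0xDIGEST` listing that `tpm2_pcrread` prints; the sample input and the function names are constructed for illustration.

```python
import re

# PCRs 0-7 are the ones platform firmware measures into (TCG PC Client profile).
FIRMWARE_PCRS = range(8)

def parse_pcrread(text):
    """Parse tpm2_pcrread's 'bank:' / 'index : 0xDIGEST' listing into {bank: {index: bytes}}."""
    banks, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*(\w+):\s*$", line)
        if header:
            current = banks.setdefault(header.group(1), {})
            continue
        pcr = re.match(r"\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$", line)
        if pcr and current is not None:
            current[int(pcr.group(1))] = bytes.fromhex(pcr.group(2))
    return banks

def unextended_banks(banks):
    """Return allocated banks whose firmware PCRs all still hold the all-zero reset value."""
    flagged = []
    for name, pcrs in banks.items():
        firmware = [pcrs[i] for i in FIRMWARE_PCRS if i in pcrs]
        # A bank with no PCRs listed is not allocated and is skipped.
        if firmware and not any(any(digest) for digest in firmware):
            flagged.append(name)
    return flagged

def _bank(name, digests):
    """Render one bank in the listing layout (helper for the constructed sample)."""
    return f"  {name}:\n" + "".join(f"    {i} : 0x{d}\n" for i, d in enumerate(digests))

# Constructed sample (digest values are made up): sha1 allocated but never extended,
# sha256 extended by firmware, sha384 present but with no PCRs allocated.
SAMPLE = (_bank("sha1", ["00" * 20] * 8)
          + _bank("sha256", [f"{i + 1:02X}" * 32 for i in range(8)])
          + "  sha384:\n")

if __name__ == "__main__":
    for bank in unextended_banks(parse_pcrread(SAMPLE)):
        print(f"{bank}: allocated, but PCRs 0-7 carry no firmware measurements")
```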


