Hi,

> >     TPM2 Active PCR Hash       SHA1, SHA256
> >     Algorithm

> >     Active PCR Banks           SHA256

> I see this also but when I get into Linux and run tpm2_pcrread I see the
> SHA1 bank active but not having received any PCR extensions from the
> firmware, which is not supposed to happen.

Because of the discrepancy above I guess.

> So I think you should drop this
> patch and I'll change the set of active PCR banks on the swtpm_setup level.

Yes.  I think the code base is not ready for this.

I can disable sha1 in the tpm2 config menu, with the effect that SHA1 is
removed from the "TPM2 Active PCR Hash Algorithm" list.  But that works
only in case ovmf is built with sha1 *enabled*.

OVMF with SHA1 support disabled neither disabling the bank automatically
nor allowing me to do this manually is clearly a non-starter.  This
needs fixing before we can consider disabling SHA1 support.

take care,
  Gerd
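
A check for the condition described in this message (a PCR bank that is active but received no extensions from the firmware), as an added example that is not part of the original mail or of edk2: it parses `tpm2_pcrread` output and reports banks whose firmware PCRs are all still zero. The function names and the sample output are constructed, and treating PCRs 0-7 as the firmware-measured range is an assumption based on the usual PC firmware profile.

```python
import re
import sys

FIRMWARE_PCRS = range(8)  # assumption: firmware measurements land in PCRs 0-7

# Constructed sample in the layout tpm2_pcrread prints; digests are made up.
SAMPLE = (
    "  sha1:\n"
    + "".join(f"    {i} : 0x{'00' * 20}\n" for i in range(8))
    + "  sha256:\n"
    + "".join(f"    {i} : 0x{'AB' * 32}\n" for i in range(8))
    + "  sha384:\n"  # bank listed but not allocated: no PCR lines follow
)

BANK_RE = re.compile(r"^\s*([A-Za-z]\w*)\s*:\s*$")
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_banks(text):
    """Return {bank name: {pcr index: digest as int}}."""
    banks, current = {}, None
    for line in text.splitlines():
        if m := BANK_RE.match(line):
            current = banks.setdefault(m.group(1), {})
        elif (m := PCR_RE.match(line)) and current is not None:
            current[int(m.group(1))] = int(m.group(2), 16)
    return banks


def unextended_banks(text):
    """Names of allocated banks whose PCRs 0-7 are all still zero."""
    flagged = []
    for name, pcrs in parse_banks(text).items():
        firmware = [pcrs[i] for i in FIRMWARE_PCRS if i in pcrs]
        # An unallocated bank has no PCR lines and is skipped, not flagged.
        if firmware and not any(firmware):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Pipe real output in (tpm2_pcrread | python3 this_file.py) or run bare
    # to see the result for the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for bank in unextended_banks(text):
        print(f"{bank}: active, but PCRs 0-7 were never extended")
```
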


