On 6/9/25 3:46 AM, Gary Lin wrote:
For "tpm2_key_protector" and "grub-protect", 'SHA256' is chosen as the
hash algorithm for the TPM session. However, grub-protect mistakenly
used the hash algorithm of the PCR bank to calculate PCR digest. If the
user chose a PCR bank other than 'SHA256', "grub-protect" created a
non-SHA256 PCR digest to seal the key. But, "tpm2_key_protector" expects
a SHA256 PCR digest for the TPM unsealing session, so it would fail due
to digest mismatch.
This commit fixes the hash algorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.
Ref: https://github.com/lcp/grub2/issues/4
Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
---
util/grub-protect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 40d4a3fc5..d53c2572d 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -483,7 +483,7 @@ protect_tpm2_get_policy_digest (protect_args_t *args,
TPM2B_DIGEST_t *digest)
}
pcr_concat.size = pcr_concat_len;
- rc = grub_tpm2_hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest, NULL, NULL);
+ rc = grub_tpm2_hash (NULL, &pcr_concat, TPM_ALG_SHA256, TPM_RH_NULL,
&pcr_digest, NULL, NULL);
if (rc != TPM_RC_SUCCESS)
{
fprintf (stderr, "Failed to generate PCR digest (TPM2_Hash: 0x%x)\n",
rc);
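Review bot: the bare TPM_ALG_SHA256 literal in the grub_tpm2_hash call silently couples grub-protect to the session hash algorithm chosen by tpm2_key_protector, and nothing at the call site explains why args->tpm2_bank must not be used here, so the original bug could easily be reintroduced by a future cleanup. Consider a one-line comment above the call (e.g. "policy digest must use the session hash, not the PCR bank") or, better, a shared named constant for the session hash that both grub-protect and tpm2_key_protector reference. Also worth a second look: the diffstat reports 1 insertion / 1 deletion, but the replacement call shown here spans two lines with the continuation ("&pcr_digest, NULL, NULL);") lacking a '+' prefix, which looks like mail wrapping; confirm the patch applies cleanly with git am.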
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel