On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) wrote:
> On Fri, 2020-01-03 at 20:07 +0000, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-
> > devel
> > wrote:
> > > I hope everyone had a nice holiday and is enjoying the new year thus
> > > far.
> > > 
> > > As you've seen in the other thread, I'm playing around with
> > > different
> > > tboot/TXT policies and I have a question regarding tboot/VLP
> > > policies
> > > that can extend PCRs using something other than SHA1: at present
> > > tb_polgen seems limited to using SHA1, does anyone have any patches
> > > to
> > > use SHA256 (or another hash)?
> > 
> > To answer my own question, it appears that Lukasz added support in
> > 549:ca935709d8a6 ("Add support for SHA256 in tb_polgen").
> > 
> > Lukasz, if I wanted to generate both SHA1 and SHA256 hashes for a TPM2
> > system, would I need to create two rules in the VLP?  For example I do
> > the following now for the TXT/sig patches and PCR20:
> > 
> >  # tb_polgen --add --num 0 --pcr 20 \
> >      --hash pecoff pecoff.vlp
> > 
> > ... but that only writes the SHA1 hash into PCR20, presumably I could
> > do
> > the following to support both hashes?
> > 
> >  # tb_polgen --add --num 0 --pcr 20 --alg sha1 \
> >      --hash pecoff pecoff.vlp
> >  # tb_polgen --add --num 0 --pcr 20 --alg sha256 \
> >      --hash pecoff pecoff.vlp
> > 
> 
> It appears I didn't look close enough at the patch, the hash algorithm
> selection is done at VLP policy creation and applies to all the rules.
> 
> Lukasz, is there a way to generate PCR hashes for all supported
> algorithms like tboot does for PCR17/18?
> 
> -Paul
> 

Hello Paul,

It looks like you can't create a policy with different hash algorithms;
look at the tb_policy_t structure in tb_policy.h. There is one field for
setting the hash algorithm that is common to all policy entries.

Thanks,
Lukasz



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel