On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
> On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > On Fri, 2020-01-03 at 20:07 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > > On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-devel wrote:

> > > > I hope everyone had a nice holiday and is enjoying the new year thus far.
> > > >
> > > > As you've seen in the other thread, I'm playing around with different
> > > > tboot/TXT policies and I have a question regarding tboot/VLP policies
> > > > that can extend PCRs using something other than SHA1: at present
> > > > tb_polgen seems limited to using SHA1, does anyone have any patches to
> > > > use SHA256 (or another hash)?

> > > To answer my own question, it appears that Lukasz added support in
> > > 549:ca935709d8a6 ("Add support for SHA256 in tb_polgen").
> > >
> > > Lukasz, if I wanted to generate both SHA1 and SHA256 hashes for a TPM2
> > > system, would I need to create two rules in the VLP?  For example I do
> > > the following now for the TXT/sig patches and PCR20:
> > >
> > >  # tb_polgen --add --num 0 --pcr 20 \
> > >      --hash pecoff pecoff.vlp
> > >
> > > ... but that only writes the SHA1 hash into PCR20, presumably I could do
> > > the following to support both hashes?
> > >
> > >  # tb_polgen --add --num 0 --pcr 20 --alg sha1 \
> > >      --hash pecoff pecoff.vlp
> > >  # tb_polgen --add --num 0 --pcr 20 --alg sha256 \
> > >      --hash pecoff pecoff.vlp

> > It appears I didn't look close enough at the patch, the hash algorithm
> > selection is done at VLP policy creation and applies to all the rules.
> >
> > Lukasz, is there a way to generate PCR hashes for all supported
> > algorithms like tboot does for PCR17/18?
> >
> > -Paul

> Hello Paul
>
> It looks like you can't create policy with different hash algorithms,
> look at tb_policy_t structure in tb_policy.h. There is one field for
> setting hash algorithm that is common to all policy entries.

Have you been able to create a VLP which causes tboot to extend the TPM's
sha256 PCR bank?

-Paul
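One way to verify the point Paul is asking about after a launch, as an added example that is not tboot project code or anything posted in this thread: a POSIX shell helper that reads PCR 20 from both the sha1 and sha256 banks and reports which of them actually hold a non-zero (extended) value. It assumes tpm2-tools' `tpm2_pcrread` and its YAML-style output layout (bank name, then `index: 0x...` lines); the sample output embedded below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not tboot code): tell which PCR banks were extended for a
# given PCR after a tboot launch, by parsing tpm2_pcrread output of the form
#   sha1:
#     20: 0x<40 hex digits>
#   sha256:
#     20: 0x<64 hex digits>
# Assumes tpm2-tools; live output would come from
#   tpm2_pcrread "sha1:$PCR_INDEX+sha256:$PCR_INDEX"

PCR_INDEX=20

# pcr_value OUTPUT BANK PCR -> prints the hex value of PCR in BANK, or nothing
pcr_value() {
    printf '%s\n' "$1" | awk -v bank="$2:" -v pcr="$3:" '
        $1 == bank { in_bank = 1; next }     # entered the bank we want
        /^  [a-z0-9_]+:$/ { in_bank = 0 }    # any other bank header ends it
        in_bank && $1 == pcr { print $2; exit }'
}

# bank_extended OUTPUT BANK PCR -> "yes" if the value is non-zero,
# "no" if it is all zeros, "absent" if the bank/PCR is not in the output
bank_extended() {
    val=$(pcr_value "$1" "$2" "$3")
    [ -z "$val" ] && { echo absent; return; }
    hex=${val#0x}
    case "$hex" in
        *[!0]*) echo yes ;;
        *)      echo no ;;
    esac
}

# Constructed sample: sha1 bank extended, sha256 bank still at its reset value
SAMPLE='  sha1:
    20: 0x3A1F0C2B9E8D7F6A5B4C3D2E1F0A9B8C7D6E5F4A
  sha256:
    20: 0x0000000000000000000000000000000000000000000000000000000000000000'

for bank in sha1 sha256; do
    echo "PCR $PCR_INDEX in $bank bank extended: $(bank_extended "$SAMPLE" "$bank" "$PCR_INDEX")"
done
```

On a live system replace `SAMPLE` with the output of the `tpm2_pcrread` call named in the comment; a `no` for the sha256 bank alongside `yes` for sha1 is exactly the single-algorithm behaviour Lukasz describes.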

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
