On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Fri, 2020-01-03 at 20:07 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-devel wrote:

I hope everyone had a nice holiday and is enjoying the new year thus far.

As you've seen in the other thread, I'm playing around with different tboot/TXT policies and I have a question regarding tboot/VLP policies that can extend PCRs using something other than SHA1: at present tb_polgen seems limited to using SHA1, does anyone have any patches to use SHA256 (or another hash)?

To answer my own question, it appears that Lukasz added support in 549:ca935709d8a6 ("Add support for SHA256 in tb_polgen").

Lukasz, if I wanted to generate both SHA1 and SHA256 hashes for a TPM2 system, would I need to create two rules in the VLP? For example I do the following now for the TXT/sig patches and PCR20:

  # tb_polgen --add --num 0 --pcr 20 \
      --hash pecoff pecoff.vlp

... but that only writes the SHA1 hash into PCR20, presumably I could do the following to support both hashes?

  # tb_polgen --add --num 0 --pcr 20 --alg sha1 \
      --hash pecoff pecoff.vlp
  # tb_polgen --add --num 0 --pcr 20 --alg sha256 \
      --hash pecoff pecoff.vlp

It appears I didn't look close enough at the patch, the hash algorithm selection is done at VLP policy creation and applies to all the rules.

Lukasz, is there a way to generate PCR hashes for all supported algorithms like tboot does for PCR17/18?

-Paul

Hello Paul

It looks like you can't create a policy with different hash algorithms, look at the tb_policy_t structure in tb_policy.h. There is one field for setting the hash algorithm that is common to all policy entries.

Have you been able to create a VLP which causes tboot to extend the TPM's sha256 PCR bank?

After digging through the code some more, it looks like the key to making this work is to specify the correct "extpol=" parameter on the tboot command line.

It appears to be TPM and ACM dependent (?) so I'm not sure this will work for everyone, but on my system "extpol=embedded" caused tboot to extend all of the TPM PCR banks; "extpol=agile" on my system caused the ACM to reset the system.

-Paul
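The distinction the thread arrives at, modelled as an added example (not tboot's or tb_polgen's code): a VLP carries one policy-wide hash algorithm, so verification can only use that algorithm, while extending every PCR bank requires re-hashing the module once per bank independently of the policy. Names, the sample module bytes and the PCR-extend model are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a measured module (e.g. the PE/COFF file in the thread).
MODULE = b"constructed-module-bytes-for-illustration"

# TPM 2.0 PCR banks available in this model (assumed set, not read from a TPM).
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def make_policy(hash_alg, modules, pcr):
    """Model of a VLP: a single policy-wide hash_alg (as in tb_policy_t) and
    one digest per entry, all computed with that one algorithm."""
    if hash_alg not in BANKS:
        raise ValueError("unsupported hash_alg: %s" % hash_alg)
    return {
        "hash_alg": hash_alg,
        "entries": [{"pcr": pcr, "hash": BANKS[hash_alg](m).digest()} for m in modules],
    }


def verify_module(policy, module):
    """Check a module against the policy; only the policy's own algorithm is
    available, so a SHA1 policy can never compare a SHA256 digest."""
    digest = BANKS[policy["hash_alg"]](module).digest()
    return any(e["hash"] == digest for e in policy["entries"])


def pcr_extend(pcrs, pcr, module, banks):
    """Extend PCR `pcr` in each bank in `banks`: new = H(old || H(module)).
    The module is re-hashed per bank, so which banks get extended does not
    depend on the policy's hash_alg (the role extpol= plays in the thread)."""
    for alg in banks:
        h = BANKS[alg]
        old = pcrs.setdefault(alg, {}).get(pcr, b"\x00" * h().digest_size)
        pcrs[alg][pcr] = h(old + h(module).digest()).digest()
    return pcrs


def measured_launch(module, policy_alg="sha1", pcr=20):
    """Verify `module` with a single-algorithm policy, then extend every bank.
    Returns (verified, pcrs); a failing module never reaches the extend step."""
    policy = make_policy(policy_alg, [MODULE], pcr)
    if not verify_module(policy, module):
        return False, {}
    return True, pcr_extend({}, pcr, module, BANKS)
```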
_______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel