On Tue, 2020-01-14 at 00:18 +0000, Paul Moore (pmoore2) wrote:
> On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
> > > On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel
> > > wrote:
> > > >
> > > > Lukasz, is there a way to generate PCR hashes for all supported
> > > > algorithms like tboot does for PCR17/18?
> > > >
> > > > -Paul
> > > >
> > >
> > > Hello Paul
> > >
> > > It looks like you can't create a policy with different hash algorithms,
> > > look at the tb_policy_t structure in tb_policy.h. There is one field for
> > > setting the hash algorithm that is common to all policy entries.
> >
> > Have you been able to create a VLP which causes tboot to extend the
> > TPM's sha256 PCR bank?
> >
>
> After digging through the code some more, it looks like the key to
> making this work is to specify the correct "extpol=" parameter on the
> tboot command line. It appears to be TPM and ACM dependent (?) so I'm
> not sure this will work for everyone, but on my system
> "extpol=embedded" caused tboot to extend all of the TPM PCR banks;
> "extpol=agile" on my system caused the ACM to reset the system.
>
> -Paul
>

As far as I remember I was able to extend SHA256 PCRs, because this is the
only way to test my changes in tb_polgen. I am not sure, but I think that
you have to pass "extpol=sha256" in the command line and then you can work
with SHA256 policies. Did you try to do that?

I will try tomorrow how the agile and embedded options work on my platform.

Thanks,
Lukasz

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel