On Tue, Jan 14, 2020 at 10:31 AM Lukasz Hawrylko <lukasz.hawry...@linux.intel.com> wrote:
> On Tue, 2020-01-14 at 00:18 +0000, Paul Moore (pmoore2) wrote:
> > On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > > On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
> > > > On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
> > > > >
> > > > > Lukasz, is there a way to generate PCR hashes for all supported
> > > > > algorithms like tboot does for PCR17/18?
> > > > >
> > > > > -Paul
> > > > >
> > > >
> > > > Hello Paul
> > > >
> > > > It looks like you can't create a policy with different hash algorithms;
> > > > look at the tb_policy_t structure in tb_policy.h. There is one field for
> > > > setting the hash algorithm that is common to all policy entries.
> > >
> > > Have you been able to create a VLP which causes tboot to extend the
> > > TPM's sha256 PCR bank?
> > >
> >
> > After digging through the code some more, it looks like the key to
> > making this work is to specify the correct "extpol=" parameter on the
> > tboot command line. It appears to be TPM and ACM dependent (?) so I'm
> > not sure this will work for everyone, but on my system
> > "extpol=embedded" caused tboot to extend all of the TPM PCR banks;
> > "extpol=agile" on my system caused the ACM to reset the system.
> >
> > -Paul
> >
>
> As far as I remember I was able to extend SHA256 PCRs, because this is
> the only way to test my changes in tb_polgen. I am not sure, but I think
> that you have to pass "extpol=sha256" on the command line and then you can
> work with SHA256 policies. Did you try to do that? I will try tomorrow
> how the agile and embedded options work on my platform.
Yes, "extpol=sha256" did work to extend the sha256 PCR bank, but it didn't extend the sha1 bank; ideally I would be able to do both, and that is what "extpol=embedded" did for my system. I have a suspicion that instead of defaulting to sha1, we may be able to query the ACM to get the TPM2 extpol setting, but I haven't done any serious investigation of that yet.

-- 
paul moore
www.paul-moore.com

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
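The thread turns on which PCR banks a given "extpol=" setting actually causes tboot to extend. The script below is an added example, not tboot code and not something either poster wrote: it is the check a practitioner would run after a launch to see, per bank, whether PCR 17 and 18 hold a real measurement or are still sitting at a reset value. It assumes the Linux tpm driver's per-bank sysfs files (/sys/class/tpm/tpm0/pcr-sha1/17 and friends) are present; when they are not, it falls back to SAMPLE, which is constructed data (not captured from any system) mimicking a launch where only the sha256 bank was extended. The reset-value logic relies on the TPM 2.0 PC Client behaviour that the DRTM PCRs 17-22 read all 0xFF after TPM startup and all 0x00 immediately after the DRTM reset, so either value after a launch means nothing was extended into that bank.

```python
"""Added example (not tboot code): after a tboot launch, report which TPM 2.0
PCR banks actually received DRTM measurements in PCR 17 and 18.

Assumptions (not from the original thread):
  * /sys/class/tpm/tpm0/pcr-<alg>/<index> exists (recent Linux tpm driver);
    when it is absent the script uses the constructed SAMPLE below.
  * SAMPLE is made-up data mimicking a launch where only sha256 was extended.
On TPM 2.0 the DRTM PCRs 17-22 read all 0xFF after TPM startup and all 0x00
right after the DRTM reset, so a bank still at either value was not extended.
"""
import os

DRTM_PCRS = (17, 18)
BANKS = ("sha1", "sha256")

# Constructed sample: sha1 bank left at the post-DRTM-reset value,
# sha256 bank carrying (made-up) measurement values.
SAMPLE = {
    "sha1": {
        17: "00" * 20,
        18: "00" * 20,
    },
    "sha256": {
        17: "3f2a" * 16,
        18: "9c1e" * 16,
    },
}


def classify(hexdigest):
    """Return 'reset-ff', 'reset-00' or 'extended' for one PCR value."""
    h = hexdigest.strip().lower().replace(" ", "")
    if not h or not all(c in "0123456789abcdef" for c in h):
        raise ValueError("not a hex digest: %r" % hexdigest)
    if set(h) == {"0"}:
        return "reset-00"   # DRTM reset happened, nothing extended in this bank
    if set(h) == {"f"}:
        return "reset-ff"   # still at the TPM startup value: no DRTM launch seen
    return "extended"


def read_sysfs(tpm_dir="/sys/class/tpm/tpm0"):
    """Read the DRTM PCRs per bank from sysfs; {} if the per-bank files are absent."""
    pcrs = {}
    for bank in BANKS:
        bank_dir = os.path.join(tpm_dir, "pcr-%s" % bank)
        if not os.path.isdir(bank_dir):
            continue
        pcrs[bank] = {}
        for idx in DRTM_PCRS:
            with open(os.path.join(bank_dir, str(idx))) as fh:
                pcrs[bank][idx] = fh.read().strip()
    return pcrs


def bank_states(pcrs):
    """{bank: {pcr_index: state}} using classify()."""
    return {bank: {idx: classify(val) for idx, val in vals.items()}
            for bank, vals in pcrs.items()}


def extended_banks(pcrs):
    """Banks in which every DRTM PCR holds a real measurement."""
    return sorted(bank for bank, states in bank_states(pcrs).items()
                  if all(s == "extended" for s in states.values()))


def unextended_banks(pcrs):
    """Banks where at least one DRTM PCR is still at a reset value."""
    done = set(extended_banks(pcrs))
    return sorted(bank for bank in pcrs if bank not in done)


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE
    print("source:", "sysfs" if live else "constructed sample")
    for bank, states in sorted(bank_states(data).items()):
        for idx, state in sorted(states.items()):
            print("%-7s PCR%d: %s" % (bank, idx, state))
    print("extended banks:  ", extended_banks(data))
    print("unextended banks:", unextended_banks(data))
```

Run it once after a launch with each "extpol=" value you are comparing; a bank listed as unextended with state reset-00 is exactly the "sha1 bank not extended" situation described above, while reset-ff in every bank means no DRTM launch took place at all.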