Werner Zeh has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35645 )
Change subject: vboot: Fix wrong algorithm in TCPA log for BOOT_MODE
Patch Set 2:
(2 comments)
https://review.coreboot.org/c/coreboot/+/35645/2//COMMIT_MSG
Commit Message:

https://review.coreboot.org/c/coreboot/+/35645/2//COMMIT_MSG@9
PS2, Line 9: The hash algorithm for VBOOTs BOOT_MODE is fixed to sha1 but TCPA log
> I don't think this is the case any more. Does the coreboot. […]
No, TCPA log uses fixed SHA2 while vb2api_get_pcr_digest() returns a size of 20 bytes for the digest_type.

https://review.coreboot.org/c/coreboot/+/35645/2//COMMIT_MSG@13
PS2, Line 13: BOOT_MODE.
> I'm confused. […]
Have a look at 3rdparty/vboot/firmware/2lib/2api.c:

vb2_error_t vb2api_get_pcr_digest(struct vb2_context *ctx,
				  enum vb2_pcr_digest which_digest,
				  uint8_t *dest, uint32_t *dest_size)
{
	const uint8_t *digest;
	uint32_t digest_size;

	switch (which_digest) {
	case BOOT_MODE_PCR:
		digest = vb2_get_boot_state_digest(ctx);
		digest_size = VB2_SHA1_DIGEST_SIZE;
		break;
	case HWID_DIGEST_PCR:
		digest = vb2_get_gbb(ctx)->hwid_digest;
		digest_size = VB2_GBB_HWID_DIGEST_SIZE;
		break;
	default:
		return VB2_ERROR_API_PCR_DIGEST;
	}

For BOOT_MODE_PCR, digest size is set to VB2_SHA1_DIGEST_SIZE which is defined in 3rdparty/vboot/firmware/2lib/include/2sha.h as
#define VB2_SHA1_DIGEST_SIZE 20
So it still uses SHA1 for BOOT_MODE_PCR.
My current vboot commit is e6700f4c70fe72850ae4f3f5df19c9281ebcefc8
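
Added example, not part of the review comment above and not coreboot or vboot code: a check that flags measurement-log entries whose algorithm label does not match the length of the digest actually stored, which is the mismatch the comment describes (a 20-byte digest under a SHA2 label). The struct, function names, label strings and sample entries are hypothetical and constructed for illustration; only the 20-byte SHA1 size comes from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Digest sizes in bytes; 20 is the VB2_SHA1_DIGEST_SIZE value quoted above. */
#define SHA1_DIGEST_SIZE   20
#define SHA256_DIGEST_SIZE 32

/* Hypothetical log entry: the label written to the log and the stored length. */
struct log_entry {
	const char *name;
	const char *algo;
	uint32_t digest_len;
};

/* Derive the label from the size the digest API returned; NULL if unknown. */
const char *algo_from_digest_size(uint32_t size)
{
	switch (size) {
	case SHA1_DIGEST_SIZE:   return "SHA1";
	case SHA256_DIGEST_SIZE: return "SHA256";
	default:                 return NULL;
	}
}

/* An entry is consistent when its label matches its digest length. */
int entry_is_consistent(const struct log_entry *e)
{
	const char *expected = algo_from_digest_size(e->digest_len);
	return expected != NULL && strcmp(expected, e->algo) == 0;
}

/* Count mislabelled entries; *first_bad gets the first bad index or -1. */
size_t count_mislabelled(const struct log_entry *log, size_t n, int *first_bad)
{
	size_t bad = 0;
	*first_bad = -1;
	for (size_t i = 0; i < n; i++) {
		if (entry_is_consistent(&log[i]))
			continue;
		if (*first_bad < 0)
			*first_bad = (int)i;
		bad++;
	}
	return bad;
}

/* Constructed sample log: entry 0 carries a 20-byte digest under a SHA256 label. */
const struct log_entry sample_log[] = {
	{ "boot mode (fixed label)",   "SHA256", 20 },
	{ "other measurement",         "SHA256", 32 },
	{ "boot mode (derived label)", "SHA1",   20 },
};
```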