Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/33252 )
Change subject: security/tpm/tss/tcg-2.0: Add multi digits support to tlcl_extend()
Patch Set 8:
(1 comment)
https://review.coreboot.org/c/coreboot/+/33252/8/src/security/tpm/tss/tcg-2....
File src/security/tpm/tss/tcg-2.0/tss.c:

https://review.coreboot.org/c/coreboot/+/33252/8/src/security/tpm/tss/tcg-2....
PS8, Line 183: (tpml_digests->digests[0].hashAlg == TPM_ALG_ERROR) &&
Well... I'm pretty sure you're misunderstanding the TPM spec there? That "invalidate" thing you're trying to do doesn't work. It doesn't do anything. You cannot do a TPM2_PCR_Extend with TPM_ALG_ERROR, that has no meaning, that's just an error. See the description of TPM2_PCR_Extend in https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Comm... (section 22.2), there's nothing about passing TPM_ALG_ERROR there. It says:
If the TPM unmarshals the hashAlg of a list entry and the unmarshaled value is not a hash algorithm implemented on the TPM, the TPM shall return TPM_RC_HASH.
That's the case you're hitting, because TPM_ALG_ERROR is not a hash algorithm implemented in the TPM, that's why you're getting TPM_RC_HASH back. That doesn't "invalidate" anything, it just doesn't change the PCRs at all.
The comment on your invalidate_pcrs() says " * Invalidate PCRs 0-7 with extending 1 after tpm failure." -- if that's what you want to do (extend the PCR with "1" so it can no longer match any real hash chain), you can do that, but you need to use the normal hash algorithm you used in your PCRs for that (e.g. SHA256 or whatever), not TPM_ALG_ERROR.
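To make the behaviour the reviewer describes concrete, here is a small Python model of the TPM2_PCR_Extend rule quoted from Part 3, section 22.2. This is an added example, not coreboot's tss.c and not a real TPM implementation: the `ModelTpm`, `pcr_extend`, `invalidate_pcrs` and `demo` names are assumptions made for the illustration, the model implements only a SHA-256 bank (so both TPM_ALG_ERROR and the unimplemented TPM_ALG_SHA1 are rejected the same way), digest-size checks are omitted, and "extending 1" is taken to mean the integer 1 as a big-endian 32-byte digest. The TPM_ALG_* and TPM_RC_* constants are the values defined in TCG TPM 2.0 Part 2.

```python
"""Model of the TPM2_PCR_Extend algorithm check: TPM_ALG_ERROR never touches a PCR."""
import hashlib

# Algorithm and response-code values as defined in TCG TPM 2.0 Part 2.
TPM_ALG_ERROR = 0x0000
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
TPM_RC_SUCCESS = 0x000
TPM_RC_HASH = 0x083    # hash algorithm not supported or not appropriate
TPM_RC_VALUE = 0x084

PCR_COUNT = 24


class ModelTpm:
    """Model TPM (assumption) with one SHA-256 bank; SHA-1 is deliberately not implemented."""

    def __init__(self):
        self.implemented = {TPM_ALG_SHA256: hashlib.sha256}
        self.pcr = [bytes(32) for _ in range(PCR_COUNT)]   # all PCRs start at zero

    def pcr_extend(self, pcr_index, digests):
        """TPM2_PCR_Extend (Part 3, section 22.2) reduced to its hashAlg rule.

        `digests` models TPML_DIGEST_VALUES as a list of (hashAlg, digest) tuples.
        The whole list is unmarshaled and validated before the command executes, so
        an entry whose hashAlg is not an implemented hash algorithm (TPM_ALG_ERROR
        included) fails with TPM_RC_HASH and leaves every PCR exactly as it was.
        """
        if not 0 <= pcr_index < PCR_COUNT:
            return TPM_RC_VALUE
        for hash_alg, _ in digests:
            if hash_alg not in self.implemented:
                return TPM_RC_HASH
        for hash_alg, digest in digests:
            # PCR_new = H(PCR_old || digest): the operation that actually changes state.
            h = self.implemented[hash_alg]
            self.pcr[pcr_index] = h(self.pcr[pcr_index] + digest).digest()
        return TPM_RC_SUCCESS


def invalidate_pcrs(tpm, hash_alg):
    """Extend PCRs 0-7 with "1" so they can no longer match any real measurement chain.

    This only works when hash_alg is the bank's real algorithm (SHA-256 here);
    with TPM_ALG_ERROR every call returns TPM_RC_HASH and nothing is invalidated.
    Assumption: "1" is the integer 1 encoded as a big-endian 32-byte digest.
    """
    one = (1).to_bytes(32, "big")
    for index in range(8):
        rc = tpm.pcr_extend(index, [(hash_alg, one)])
        if rc != TPM_RC_SUCCESS:
            return rc
    return TPM_RC_SUCCESS


def demo():
    """Return (rc with TPM_ALG_ERROR, PCR0 changed?, rc with SHA-256, PCR0 changed?)."""
    tpm = ModelTpm()
    rc_err = invalidate_pcrs(tpm, TPM_ALG_ERROR)
    changed_err = tpm.pcr[0] != bytes(32)
    rc_ok = invalidate_pcrs(tpm, TPM_ALG_SHA256)
    changed_ok = tpm.pcr[0] != bytes(32)
    return rc_err, changed_err, rc_ok, changed_ok


if __name__ == "__main__":
    print(demo())   # (0x083, False, 0x000, True)
```

Running the block prints `(131, False, 0, True)`: the TPM_ALG_ERROR attempt comes back with TPM_RC_HASH and PCR 0 is still all zeros, while the SHA-256 extend succeeds and moves PCR 0 off its reset value. A mixed list that contains one valid entry and one TPM_ALG_ERROR entry is rejected as a whole, which is why the check in the patch cannot be used to signal anything to the TPM.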