The reason for this change is the following entry in the TCPA log when VBOOT is enabled on mc_bdx1 (fsp_broadwell_de) with TPM2:

PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA256 [VBOOT: boot mode]
PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [VBOOT: GBB HWID]

This two PCRs claim to have the same algorithm used for hashing (SHA256) but for boot mode the entry is clear too short as it just has 20 bytes (which would be SHA1 instead of SHA256).
So in this case it is just wrong that SHA256 is reported.

Yes, that needs to be fixed. That's a consequence of us passing both digest length and algorithm type as separate parameters to tpm_extend_pcr(). That doesn't make sense because those two always need to be in sync.

I'd again like to campaign for my suggestion to get rid of both of them and have the algorithm type hardcoded in Kconfig for all PCRs. That would cause the right (full 32-byte) value to be logged for PCR-0 here and would make future misconfiguration like this and others impossible.

View Change

To view, visit change 35645. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ia25938ac5f6c29f60a4819023b99f7796849f574
Gerrit-Change-Number: 35645
Gerrit-PatchSet: 2
Gerrit-Owner: Werner Zeh <werner.zeh@siemens.com>
Gerrit-Reviewer: Aaron Durbin <adurbin@chromium.org>
Gerrit-Reviewer: Andrey Pronin <apronin@chromium.org>
Gerrit-Reviewer: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh@siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-CC: Andrey Pronin <apronin@google.com>
Gerrit-CC: Joel Kitching <kitching@google.com>
Gerrit-Comment-Date: Mon, 30 Sep 2019 20:14:14 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
Gerrit-MessageType: comment