Sorry, we needed to change this for correctness (and can't let you change it back). See my comments in CB:33252 for explanation.

We need both vboot PCRs to use the same PCR bank (SHA256 for TPM 2.0). It's true that the data you get is only a SHA1 hash, but it is zero extended and you need to treat it like a SHA256 hash. This is how vboot has always done it and how all our userspace tools expect it, so we don't want to change it now.

The whole implementation in tpm_extend_pcr() is still a mess in that it gets passed an algorithm and a length and uses that for the TCPA log but not for actual TPM communication. That needs to be cleaned up so they at least both work on the same data. Like I mentioned in CB:33252, I think the best way to clean it up would be to remove the algorithm type (and therefore maybe also the digest length) parameter completely and just use a hardcoded hash algorithm (possibly selected by Kconfig) for both TPM communication and TCPA log. Using multiple algorithm banks at once on TPM 2.0 is just super confusing with little practical benefit in my opinion, so I think it would be better if we just don't allow that at all.

Patch set 2:Code-Review -1

View Change

To view, visit change 35645. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Ia25938ac5f6c29f60a4819023b99f7796849f574
Gerrit-Change-Number: 35645
Gerrit-PatchSet: 2
Gerrit-Owner: Werner Zeh <werner.zeh@siemens.com>
Gerrit-Reviewer: Aaron Durbin <adurbin@chromium.org>
Gerrit-Reviewer: Andrey Pronin <apronin@chromium.org>
Gerrit-Reviewer: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Julius Werner <jwerner@google.com>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Gerrit-Reviewer: Werner Zeh <werner.zeh@siemens.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org>
Gerrit-Comment-Date: Fri, 27 Sep 2019 18:56:09 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment