Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35645 )
Change subject: vboot: Fix wrong algorithm in TCPA log for BOOT_MODE
Patch Set 2:
(1 comment)
https://review.coreboot.org/c/coreboot/+/35645/2//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/35645/2//COMMIT_MSG@13 PS2, Line 13: BOOT_MODE.
> For TPM2.0 case, given that we extend a padded value to SHA256 bank, what shall be logged with tcpa_log_add_table_entry()? (A) A SHA1 digest or (B) the padded 32-byte value?
The TCPA log should always log the thing that was actually sent to the TPM, and the algorithm in the log should match the actual TPM bank it was written to. So SHA256 for this.
> If (B), then we need #if CONFIG(TPM2) when deciding a) what value to return from vb2api_get_pcr_digest() b) which algo to use when calling tpm_extend_pcr(BOOT_MODE_PCR) in vboot_extend_pcr().
I would prefer not to pull knowledge of which TPM version we're using into vboot (for the firmware part at least). We should treat the values returned by vb2api_get_pcr_digest() not as hashes but as opaque blobs that are written into whatever PCR bank is correct for the platform. Maybe we should change the API such that dest_size is only a value and not a pointer, so that vboot doesn't pass a size back out again (because the caller can't do anything useful with that anyway, the PCR size is fixed and vboot always zero-extends the buffer if necessary).
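
The point about logging exactly what was extended, shown as an added example that is not part of the original review or of coreboot/vboot code: a verifier replaying the log for the SHA256 bank reproduces the PCR only when the entry carries the padded 32-byte value tagged SHA256. The function names, the log tuple layout and the sample blob are assumptions constructed for illustration.

```python
import hashlib

# Bank name -> (hash constructor, PCR size in bytes)
BANKS = {"SHA1": (hashlib.sha1, 20), "SHA256": (hashlib.sha256, 32)}


def pad_to_bank(blob: bytes, algo: str) -> bytes:
    """Zero-extend an opaque blob to the PCR size of the target bank."""
    size = BANKS[algo][1]
    if len(blob) > size:
        raise ValueError("blob larger than the bank's PCR size")
    return blob + bytes(size - len(blob))


def extend(algo: str, pcr: bytes, value: bytes) -> bytes:
    """PCR extend: new = H(old || value), with value sized for the bank."""
    hash_fn, size = BANKS[algo]
    if len(value) != size:
        raise ValueError("extend value must match the bank's PCR size")
    return hash_fn(pcr + value).digest()


def replay(log, algo: str) -> bytes:
    """Recompute one bank's PCR from the log entries recorded for that bank."""
    pcr = bytes(BANKS[algo][1])  # PCR starts as all zeroes
    for entry_algo, value in log:
        if entry_algo == algo:
            pcr = extend(algo, pcr, value)
    return pcr


def demo():
    # Constructed sample: a 20-byte opaque blob standing in for the boot-mode value.
    blob = hashlib.sha1(b"constructed boot mode state").digest()
    sent = pad_to_bank(blob, "SHA256")  # what is actually sent to the TPM
    tpm_pcr = extend("SHA256", bytes(32), sent)  # resulting SHA256 bank PCR

    matching_log = [("SHA256", sent)]  # logs the value and bank that were used
    mismatched_log = [("SHA1", blob)]  # logs the unpadded value with the wrong algorithm

    return (replay(matching_log, "SHA256") == tpm_pcr,
            replay(mismatched_log, "SHA256") == tpm_pcr)


if __name__ == "__main__":
    print(demo())
```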