Andrey Pronin has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/35476 )
Change subject: vboot: extend BOOT_MODE_PCR to SHA256 bank on TPM2
vboot: extend BOOT_MODE_PCR to SHA256 bank on TPM2
With the support of various algorithms and banks in tlcl_extend(), digest_algo parameter of tpm_extend_pcr() started defining the target PCR bank in TPM2 case.
The OS expects coreboot to extend the SHA256 bank of BOOT_MODE_PCR. The value that the OS expects coreboot to extend into BOOT_MODE_PCR is the SHA1 digest of mode bits extended to the length of SHA256 digest by appending zero bytes.
Thus the correct value for digest_algo passed into tpm_extend_pcr() for BOOT_MODE_PCR is TPM_ALG_SHA256.
This didn't matter until adding the support for multiple digests introduced by patches like https://review.coreboot.org/c/coreboot/+/33252, as tlcl_extend always used SHA256 bank before.
Change-Id: I834fec24023cd10344cc359117f00fc80c61b80c
Signed-off-by: Andrey Pronin apronin@chromium.org
---
M src/security/vboot/tpm_common.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/76/35476/1
diff --git a/src/security/vboot/tpm_common.c b/src/security/vboot/tpm_common.c index 1db7189..0a211c5 100644 --- a/src/security/vboot/tpm_common.c +++ b/src/security/vboot/tpm_common.c @@ -46,7 +46,7 @@ switch (which_digest) { /* SHA1 of (devmode|recmode|keyblock) bits */ case BOOT_MODE_PCR: - return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size, + return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer, size, TPM_PCR_BOOT_MODE); /* SHA256 of HWID */ case HWID_DIGEST_PCR:
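Review bot: The comment above `case BOOT_MODE_PCR:` still reads `/* SHA1 of (devmode|recmode|keyblock) bits */` while the call now passes VB2_HASH_SHA256, so a reader will take the pair for a hash mismatch. Suggest extending the comment to say that the digest is still the SHA1 of the mode bits, zero-padded to SHA256 digest length, and that the algorithm argument only selects the PCR bank, as the commit message explains. The hunk does not show how `buffer` and `size` are set up, so please confirm that `size` covers the full SHA256 digest length with the trailing bytes zeroed. The commit message also names TPM_ALG_SHA256 while the code passes VB2_HASH_SHA256; aligning the message with the constant actually used would avoid confusion.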