This series of patches extends the TPM2 code to extend the BIOS-related PCRs 0-7 in all available banks. This prevents these PCRs from remaining untouched and being filled with bogus values by applications. For example, the SHA1 hash is extended into the SHA256 bank. The value that is extended into this bank is essentially a SHA1 with zero bytes used for filling it to the size of a SHA256 hash. This is done for all PCR banks of the TPM2 where these PCRs are available.
In v2 of this series I also extended the log functions for logging the additional hashes. So there are more patches now.
Regards, Stefan
Stefan Berger (6):
  tpm: Retrieve the PCR Bank configuration
  tpm: Restructure tpm20_extend to use buffer and take hash as parameter
  tpm: Extend tpm20_extend to support extending to multiple PCR banks
  tpm: Move tpm_log_init to a later point
  tpm: Adjust the TPM2 log header to show all hashes
  tpm: Append to TPM2 log the hashes used for PCR extension
 src/std/tcg.h |  78 +++++++++++--
 src/tcgbios.c | 348 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 371 insertions(+), 55 deletions(-)
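
The zero-filled extension described in the cover letter, modelled as an added example that is not code from this patch series. It assumes the standard TPM2 extend rule (new PCR = H_bank(old PCR || digest)), PCRs that start at all zeros, and four example banks; the function names are hypothetical. It shows why a verifier replaying the log for the SHA256 bank has to use the logged, zero-filled SHA1 value rather than a SHA256 of the measured data.

```python
import hashlib

# Bank name -> digest size in bytes (standard sizes for these algorithms).
BANKS = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


def pad_sha1_for_bank(sha1_digest: bytes, bank: str) -> bytes:
    """Zero-fill a SHA1 digest up to the digest size of the given bank."""
    if len(sha1_digest) != 20:
        raise ValueError("expected a 20-byte SHA1 digest")
    return sha1_digest + b"\x00" * (BANKS[bank] - 20)


def pcr_extend(bank: str, pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2 extend: new PCR = H_bank(old PCR || digest)."""
    if len(pcr_value) != BANKS[bank] or len(digest) != BANKS[bank]:
        raise ValueError("PCR value and digest must match the bank size")
    return hashlib.new(bank, pcr_value + digest).digest()


def extend_all_banks(pcrs: dict, event_data: bytes) -> dict:
    """Measure event_data once with SHA1 and extend every active bank."""
    sha1_digest = hashlib.sha1(event_data).digest()
    logged = {}
    for bank in pcrs:
        logged[bank] = pad_sha1_for_bank(sha1_digest, bank)
        pcrs[bank] = pcr_extend(bank, pcrs[bank], logged[bank])
    return logged  # per-bank digests, as a log entry would record them


def replay(bank: str, logged_digests: list) -> bytes:
    """Recompute a PCR from the logged digests, starting from zeros."""
    value = bytes(BANKS[bank])
    for digest in logged_digests:
        value = pcr_extend(bank, value, digest)
    return value


if __name__ == "__main__":
    # Constructed sample measurements, not real firmware events.
    events = [b"constructed-event-1", b"constructed-event-2"]
    pcrs = {bank: bytes(size) for bank, size in BANKS.items()}
    log = [extend_all_banks(pcrs, e) for e in events]
    for bank in BANKS:
        assert replay(bank, [entry[bank] for entry in log]) == pcrs[bank]
        print(bank, pcrs[bank].hex())
```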