On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
> I see this also but when I get into Linux and run tpm2_pcrread I see
> the SHA1 bank active but not having received any PCR extensions from
> the firmware, which is not supposed to happen.
That's not entirely correct: the TCG firmware profile just requires us to log through at least one bank; it doesn't require that all active banks be logged. I've got several physical systems with three active banks but only one or two measured through. The knock-on problem the linux kernel is going to have is that we do tend to expect the sha1 bank to be extended into if any others are, so someone is going to have to update expectations ... we should have this in hand already as sha1 is deprecated.

> So I think you should drop this patch and I'll change the set of
> active PCR banks on the swtpm_setup level.

Even if the firmware deactivated the sha1 bank, the kernel expectation problem is still going to exist.

James
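The condition discussed in this thread (a bank that is active but was never extended by firmware, while another bank was measured through) can be checked from the output of tpm2_pcrread. The following is an added example and not code from the thread, from edk2 or from tpm2-tools: it assumes the YAML-style layout tpm2-tools prints (a `bank:` line followed by indented `index : 0x...` lines), inspects only the firmware PCR range 0-7, and uses a constructed sample in which sha256 carries measurements and sha1 sits at its reset value.

```python
"""Flag active TPM 2.0 PCR banks that firmware never extended.

Added example: parses tpm2_pcrread output and reports banks that are active
but still at their reset value in PCRs 0-7 while another bank was extended.
The output format and the sample digests are assumptions / constructed data.
"""
import re
from typing import Dict, List

# Expected digest sizes per bank, used to reject malformed output.
DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64, "sm3_256": 32}

# PCRs the firmware (SRTM) is responsible for. Only PCRs 0-16 and 23 reset to
# all zero; PCRs 17-22 reset to all ones, so they are deliberately excluded.
FIRMWARE_PCRS = range(0, 8)

BANK_RE = re.compile(r"^(\w+):\s*$")
PCR_RE = re.compile(r"^\s+(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text: str) -> Dict[str, Dict[int, bytes]]:
    """Parse tpm2_pcrread output into {bank: {pcr_index: digest_bytes}}."""
    banks: Dict[str, Dict[int, bytes]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BANK_RE.match(line)
        if m:
            current = m.group(1)
            banks.setdefault(current, {})
            continue
        m = PCR_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised tpm2_pcrread line: {line!r}")
        digest = bytes.fromhex(m.group(2))
        expected = DIGEST_LEN.get(current)
        if expected is not None and len(digest) != expected:
            raise ValueError(
                f"{current} PCR {m.group(1)}: digest is {len(digest)} bytes, expected {expected}"
            )
        banks[current][int(m.group(1))] = digest
    return banks


def bank_extended(pcrs: Dict[int, bytes]) -> bool:
    """True if any firmware PCR in this bank has left its all-zero reset value."""
    return any(any(pcrs[i]) for i in FIRMWARE_PCRS if i in pcrs)


def silent_banks(banks: Dict[str, Dict[int, bytes]]) -> List[str]:
    """Active banks with no firmware extensions while at least one other bank has some.

    If no bank at all was extended, nothing was measured; that is a different
    condition and an empty list is returned.
    """
    extended = {name for name, pcrs in banks.items() if bank_extended(pcrs)}
    if not extended:
        return []
    return sorted(name for name in banks if name not in extended)


def report(text: str) -> Dict[str, object]:
    """Summarise which banks are active, which are extended and which are silent."""
    banks = parse_pcrread(text)
    silent = silent_banks(banks)
    return {
        "active": sorted(banks),
        "extended": sorted(b for b in banks if bank_extended(banks[b])),
        "silent": silent,
        # The kernel-side expectation discussed in the thread: sha1 extended
        # whenever any other bank is. True here means that expectation is broken.
        "sha1_silent": "sha1" in silent,
    }


def _sample_output() -> str:
    """Constructed tpm2_pcrread output: sha1 active but untouched, sha256 measured."""
    lines = ["sha1:"] + [f"  {i} : 0x{'00' * 20}" for i in range(8)]
    lines.append("sha256:")
    for i in range(8):
        # Placeholder digests; PCR 5 is left at reset to show that a single
        # zero PCR does not make a bank "silent".
        val = "00" * 32 if i == 5 else f"{i + 1:02x}" * 32
        lines.append(f"  {i} : 0x{val}")
    return "\n".join(lines) + "\n"


SAMPLE_PCRREAD_OUTPUT = _sample_output()

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PCRREAD_OUTPUT
    print(report(text))
```

Feed it real output with `tpm2_pcrread | python3 pcr_banks.py`; with no piped input it runs on the constructed sample. A non-empty `silent` list is exactly the situation Stefan saw, and `sha1_silent` being true is the case where the kernel expectation James describes does not hold.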