Okay new update. I tracked the issue down to the ACM saying the PO hash algorithm mask is 0. Here is the script I'm running to create and write the policy.
I'm passing the algorithm in to the lcp2_crtpol command. Why isn't it writing that to the algorithm mask? I'm currently analyzing the policy that was generated to see if, in fact, the hash algorithm mask is 0.

#!/bin/bash

tpm2_takeownership -o new -e new -l new

tpm2_nvdefine -x 0x1c10106 -a 0x40000001 -P new -s 70 -t 0x204000A

lcp2_mlehash --verbose --create --alg sha256 --cmdline "logging=serial,memory extpol=sha256" tboot.gz > tboot_hash

lcp2_crtpolelt --verbose --create --type mle --alg sha256 --ctrl 0x00 --minver 0 --out tbootmle.elt tboot_hash

lcp2_crtpollist --verbose --create --out lists1_unsig.lst tbootmle.elt

lcp2_crtpol --verbose --create --type list --pol lists1.pol --alg sha256 --data lists1.data lists1_unsig.lst

tpm2_nvwrite -x 0x1c10106 -a 0x40000001 -P new -f lists1.pol

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
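To check whether the generated lists1.pol really carries a zero hash algorithm mask, the fixed header of the policy can be decoded directly. The following is an added example, not code from the post or from tboot; it assumes the lcp_policy_t2 layout from tboot's lcp.h (38 header bytes followed by the policy hash, 70 bytes total for SHA-256, matching the "-s 70" above) and the TPM 2.0 TPM_ALG identifiers; the sample blob is constructed here.

```python
import struct
import sys

# Assumed layout of lcp_policy_t2 (tboot lcp.h), packed little-endian:
# version, hash_alg, policy_type, sinit_min_version, 8 revocation counters,
# policy_control, max_sinit_min_ver, max_biosac_min_ver, lcp_hash_alg_mask,
# lcp_sign_alg_mask, aux_hash_alg_mask, reserved2 -> 38 bytes.
FIXED = struct.Struct("<HHBB8HIBBHIHH")
TPM_ALG_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x0012: "sm3_256"}
DIGEST_LEN = {0x0004: 20, 0x000B: 32, 0x0012: 32}


def parse_policy(blob):
    """Decode the fixed header (and trailing policy hash) of an LCP policy blob."""
    if len(blob) < FIXED.size:
        raise ValueError("blob shorter than lcp_policy_t2 header (%d bytes)" % FIXED.size)
    f = FIXED.unpack_from(blob)
    pol = {
        "version": f[0], "hash_alg": f[1], "policy_type": f[2],
        "sinit_min_version": f[3], "data_revocation_counters": list(f[4:12]),
        "policy_control": f[12], "max_sinit_min_ver": f[13],
        "max_biosac_min_ver": f[14], "lcp_hash_alg_mask": f[15],
        "lcp_sign_alg_mask": f[16], "aux_hash_alg_mask": f[17],
    }
    pol["hash_alg_name"] = TPM_ALG_NAMES.get(pol["hash_alg"], "unknown")
    end = FIXED.size + DIGEST_LEN.get(pol["hash_alg"], 0)
    pol["policy_hash"] = blob[FIXED.size:end]
    return pol


def mask_findings(pol):
    """Report zero algorithm masks, the condition the ACM complained about."""
    out = []
    for field in ("lcp_hash_alg_mask", "lcp_sign_alg_mask", "aux_hash_alg_mask"):
        if pol[field] == 0:
            out.append("%s is 0 (hash_alg is %s)" % (field, pol["hash_alg_name"]))
    return out


# Constructed sample: version 3.0, hash_alg sha256, every mask zero,
# followed by a dummy 32-byte policy hash (hypothetical values).
SAMPLE_BLOB = FIXED.pack(0x0300, 0x000B, 0, 0, *([0] * 8), 0, 0, 0, 0, 0, 0, 0) + bytes(range(32))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    policy = parse_policy(data)
    for key, val in policy.items():
        print("%-25s %s" % (key, val.hex() if isinstance(val, bytes) else hex(val) if isinstance(val, int) else val))
    for finding in mask_findings(policy):
        print("FINDING:", finding)
```

Run it as `python3 lcpcheck.py lists1.pol` to dump the header fields of the file the script writes to NV index 0x1c10106.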