On Mon, 2020-01-13 at 20:33 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Thu, 2020-01-09 at 14:59 +0000, Hawrylko, Lukasz wrote:
On Fri, 2020-01-03 at 20:26 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Fri, 2020-01-03 at 20:07 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
On Thu, 2020-01-02 at 22:27 +0000, Paul Moore (pmoore2) via tboot-devel wrote:
I hope everyone had a nice holiday and is enjoying the new year thus far.
As you've seen in the other thread, I'm playing around with different tboot/TXT policies and I have a question regarding tboot/VLP policies that can extend PCRs using something other than SHA1: at present tb_polgen seems limited to using SHA1, does anyone have any patches to use SHA256 (or another hash)?
To answer my own question, it appears that Lukasz added support in 549:ca935709d8a6 ("Add support for SHA256 in tb_polgen").
Lukasz, if I wanted to generate both SHA1 and SHA256 hashes for a TPM2 system, would I need to create two rules in the VLP? For example I do the following now for the TXT/sig patches and PCR20:
# tb_polgen --add --num 0 --pcr 20 \
--hash pecoff pecoff.vlp
... but that only writes the SHA1 hash into PCR20, presumably I could do the following to support both hashes?
# tb_polgen --add --num 0 --pcr 20 --alg sha1 \
--hash pecoff pecoff.vlp
# tb_polgen --add --num 0 --pcr 20 --alg sha256 \
--hash pecoff pecoff.vlp
It appears I didn't look close enough at the patch, the hash algorithm selection is done at VLP policy creation and applies to all the rules.
Lukasz, is there a way to generate PCR hashes for all supported algorithms like tboot does for PCR17/18?
-Paul
Hello Paul,
It looks like you can't create a policy with different hash algorithms, look at the tb_policy_t structure in tb_policy.h. There is one field for setting the hash algorithm that is common to all policy entries.
Have you been able to create a VLP which causes tboot to extend the TPM's sha256 PCR bank?
After digging through the code some more, it looks like the key to making this work is to specify the correct "extpol=" parameter on the tboot command line. It appears to be TPM and ACM dependent (?) so I'm not sure this will work for everyone, but on my system "extpol=embedded" caused tboot to extend all of the TPM PCR banks; "extpol=agile" on my system caused the ACM to reset the system.
-Paul
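One way to confirm, after booting with a given "extpol=" setting, which PCR banks tboot actually extended (added example, not code from this thread or from the tboot project): it parses the output of `tpm2_pcrread sha1:17,18,20+sha256:17,18,20` (tpm2-tools syntax; the sample below is constructed, not captured) and reports, per bank, which of PCR 17/18/20 still hold a reset value.

```python
import re
from typing import Dict, List

# Constructed sample of `tpm2_pcrread sha1:17,18,20+sha256:17,18,20` output
# (tpm2-tools 4.x layout), not captured from a real system. It models the
# symptom from the thread: the SHA1 bank was extended, the SHA256 bank was not.
SAMPLE_PCRREAD = "\n".join([
    "sha1:",
    "  17: 0x" + "aa" * 20,
    "  18: 0x" + "11" * 20,
    "  20: 0x" + "22" * 20,
    "sha256:",
    "  17: 0x" + "33" * 32,
    "  18: 0x" + "00" * 32,
    "  20: 0x" + "00" * 32,
])

DIGEST_BYTES = {"sha1": 20, "sha256": 32}  # reject mis-sized values per bank

def parse_pcrread(text: str) -> Dict[str, Dict[int, bytes]]:
    """Parse tpm2_pcrread output into {bank: {pcr_index: digest_bytes}}."""
    banks: Dict[str, Dict[int, bytes]] = {}
    bank = None
    for line in text.splitlines():
        m_bank = re.match(r"^(\w+):\s*$", line)
        if m_bank:
            bank = m_bank.group(1)
            banks.setdefault(bank, {})
            continue
        m_pcr = re.match(r"^\s+(\d+):\s*0x([0-9A-Fa-f]+)\s*$", line)
        if m_pcr and bank is not None:
            idx, digest = int(m_pcr.group(1)), bytes.fromhex(m_pcr.group(2))
            want = DIGEST_BYTES.get(bank)
            if want is not None and len(digest) != want:
                raise ValueError(f"{bank} PCR {idx}: {len(digest)} bytes, expected {want}")
            banks[bank][idx] = digest
    return banks

def unextended_pcrs(banks: Dict[str, Dict[int, bytes]],
                    pcrs=(17, 18, 20)) -> Dict[str, List[int]]:
    """Per bank, the requested PCRs still at a reset value: all-zero (reset by
    the DRTM launch) or all-0xFF (never reset; TPM2 power-on value of PCRs 17-22)."""
    def untouched(d: bytes) -> bool:
        return d == b"\x00" * len(d) or d == b"\xff" * len(d)
    return {bank: [p for p in pcrs if p in vals and untouched(vals[p])]
            for bank, vals in banks.items()}

if __name__ == "__main__":
    for bank, missing in unextended_pcrs(parse_pcrread(SAMPLE_PCRREAD)).items():
        print(bank, "not extended:", missing or "none")
```

On a live system pipe the real tpm2_pcrread output into parse_pcrread; a bank listing PCR 20 as unextended means the VLP's hash did not reach that bank.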
_______________________________________________
tboot-devel mailing list
https://lists.sourceforge.net/lists/listinfo/tboot-devel