On Sat, 2020-06-06 at 23:02 +0300, Timo Lindfors wrote:
> Hi,
>
> when I boot current mercurial tip with TPM 1.2 I get the following output:
>
> TBOOT: verifying policy
> TBOOT: verifying module "root=UUID=bc701bae-ee9c-4151-a85b-0f5a68212975 ro
> quiet net.ifnames=0 intel_iommu=on"...
> TBOOT: OK : 26 0d 8e 28 3d 24 8b 45 74 92 02 76 50 f4 28 11 2b 6c d5 03 00
> 00 00 00 00 00 00 00 00 00 d8 9b
> TBOOT: verifying module ""...
> TBOOT: OK : ed 04 ea fe e3 e4 30 63 ae c2 ba 41 cc 35 de aa f0 2a e7 18 00
> 00 00 00 00 00 00 00 00 00 d8 9b
> TBOOT: all modules are verified
>
> Notice how both hashes end with the same byte string "00 00 00 00 00 00 00
> 00 00 00 d8 9b". Is the code printing 32 bytes of memory (length of a
> SHA256 hash) but the memory actually contains a SHA1 hash?
>
> -Timo

Hi Timo,

TBOOT is using a hardcoded default policy when the TPM is not provisioned. That policy enforces SHA256 even if TPM1.2 is detected. That leads to undesirable behaviour. To fix that issue I created another default policy that uses SHA1 and is applied when TPM1.2 is present. The patch is already published.

Thanks,
Lukasz
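
The check that Timo's question suggests, as an added example that is not part of this thread or of tboot's code: it counts how many trailing bytes the two 32-byte dumps from the quoted log share, and formats a digest using the length of its algorithm instead of the size of the buffer. All function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not tboot's own definitions. */
enum hash_alg { ALG_SHA1, ALG_SHA256 };
#define DUMP_LEN 32   /* bytes printed per "OK :" line in the quoted log */

/* The two 32-byte dumps copied from the quoted boot log. */
static const uint8_t dump_a[DUMP_LEN] = {
    0x26,0x0d,0x8e,0x28,0x3d,0x24,0x8b,0x45,0x74,0x92,0x02,0x76,0x50,0xf4,0x28,0x11,
    0x2b,0x6c,0xd5,0x03,0,0,0,0,0,0,0,0,0,0,0xd8,0x9b };
static const uint8_t dump_b[DUMP_LEN] = {
    0xed,0x04,0xea,0xfe,0xe3,0xe4,0x30,0x63,0xae,0xc2,0xba,0x41,0xcc,0x35,0xde,0xaa,
    0xf0,0x2a,0xe7,0x18,0,0,0,0,0,0,0,0,0,0,0xd8,0x9b };

/* Meaningful digest bytes for an algorithm; 0 if unknown. */
static size_t digest_len(enum hash_alg alg)
{
    return alg == ALG_SHA1 ? 20 : alg == ALG_SHA256 ? 32 : 0;
}

/* Count identical trailing bytes of two dumps. Digests of different inputs
 * should share almost none, so a long common tail is leftover buffer data. */
static size_t shared_tail(const uint8_t *a, const uint8_t *b)
{
    size_t n = 0;
    while (n < DUMP_LEN && a[DUMP_LEN - 1 - n] == b[DUMP_LEN - 1 - n])
        n++;
    return n;
}

/* Hex-format only the bytes that belong to `alg`; returns bytes formatted. */
static size_t format_digest(const uint8_t *d, enum hash_alg alg,
                            char *out, size_t outsz)
{
    size_t n = digest_len(alg), i;
    if (n == 0 || outsz < n * 3 + 1)
        return 0;                       /* unknown alg or buffer too small */
    for (i = 0; i < n; i++)
        snprintf(out + i * 3, 4, "%02x ", d[i]);
    return n;
}

int main(void)
{
    char buf[DUMP_LEN * 3 + 1];
    printf("shared tail: %zu bytes\n", shared_tail(dump_a, dump_b));
    if (format_digest(dump_a, ALG_SHA1, buf, sizeof buf))
        printf("as SHA1: %s\n", buf);
    return 0;
}
```

The shared tail is 12 bytes, exactly the difference between the 32 bytes printed and the 20 bytes of a SHA1 digest.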