vboot: extend BOOT_MODE_PCR to SHA256 bank on TPM2

With the support of various algorithms and banks in tlcl_extend(), digest_algo parameter of tpm_extend_pcr() started defining the target PCR bank in TPM2 case. The OS expects coreboot to extend the SHA256 bank of BOOT_MODE_PCR. The value that the OS expects coreboot to extend into BOOT_MODE_PCR is the SHA1 digest of mode bits extended to the length of SHA256 digest by appending zero bytes. Thus the correct value for digest_algo passed into tpm_extend_pcr() for BOOT_MODE_PCR is TPM_ALG_SHA256. This didn't matter until adding the support for multiple digest introduced by patches like https://review.coreboot.org/c/coreboot/+/33252, as tlcl_extend always used SHA256 bank before. Change-Id: I834fec24023cd10344cc359117f00fc80c61b80c Signed-off-by: Andrey Pronin <apronin@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/35476 Reviewed-by: Julius Werner <jwerner@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2019-09-19 09:27:23 -07:00 · 2019-09-19 09:27:23 -07:00 · 31839f3c45
parent 26e59a6280
commit 31839f3c45
1 changed files with 1 additions and 1 deletions
--- a/src/security/vboot/tpm_common.c
+++ b/src/security/vboot/tpm_common.c
@ -46,7 +46,7 @@ vb2_error_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
 	switch (which_digest) {
 	/* SHA1 of (devmode|recmode|keyblock) bits */
 	case BOOT_MODE_PCR:
-		return tpm_extend_pcr(pcr, VB2_HASH_SHA1, buffer, size,
+		return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer, size,
 				      TPM_PCR_BOOT_MODE);
 	 /* SHA256 of HWID */
 	case HWID_DIGEST_PCR: