Date: Fri, 22 Oct 2021 13:37:26 +0200
From: Gerd Hoffmann <kraxel@redhat.com>
To: Stefan Berger
Cc: devel@edk2.groups.io, James Bottomley, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh
Subject: Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
Message-ID: <20211022113726.vxyl3ir6spkmebpt@sirius.home.kraxel.org>
References: <20211021122003.2008499-1-kraxel@redhat.com> <20211021122003.2008499-5-kraxel@redhat.com> <03a75199-000f-5575-8898-6d9b113f2bee@linux.ibm.com> <20211022063948.mratwrzgponwiulg@sirius.home.kraxel.org>

Hi,

> > TPM2 Active PCR Hash SHA1, SHA256
> > Algorithm
> > Active PCR Banks SHA256

> I see this also but when I get into Linux and run tpm2_pcrread I see the
> SHA1 bank active but not having received any PCR extensions from the
> firmware, which is not supposed to happen.

Because of the discrepancy above, I guess.

> So I think you should drop this
> patch and I'll change the set of active PCR banks on the swtpm_setup level.

Yes. I think the code base is not ready for this.

I can disable sha1 in the tpm2 config menu, with the effect that SHA1 is
removed from the "TPM2 Active PCR Hash Algorithm" list. But that works
only in case ovmf is built with sha1 *enabled*.

OVMF with SHA1 support disabled neither disabling the bank automatically
nor allowing me to do this manually is clearly a non-starter. This needs
fixing before we can consider disabling SHA1 support.

take care,
  Gerd
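The discrepancy Stefan describes (a PCR bank that the TPM reports as active while the firmware never extended it) is something a verifier can check for from inside the guest. The following is an added example, not code from the thread, OVMF or tpm2-tools: it parses `tpm2_pcrread` output (assumed to be the `bank:` / `index : 0x<hex>` layout of tpm2-tools 4.x/5.x; the sample below is constructed to mirror the report in the thread) and flags active banks whose firmware PCRs 0-7 are still all zero, since a quote over such a bank would attest a pristine state that was never measured.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample in the layout tpm2_pcrread prints (layout is an assumption
# about tpm2-tools output; digests are made-up values). It mirrors the thread's
# report: the SHA1 bank is active but never extended, SHA256 carries measurements.
SAMPLE_PCRREAD = """\
  sha1:
    0 : 0x0000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000
    7 : 0x0000000000000000000000000000000000000000
  sha256:
    0 : 0x3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
    1 : 0xa3bf1c28d7f3e8c09e3c8c1f0f6a2d9f5c1e3b0d8a7f6e5d4c3b2a1908f7e6d5
    7 : 0x9d1c5a7e3f2b4d6c8e0a1b3c5d7f9e2a4c6e8a0b2d4f6a8c0e2b4d6f8a0c2e4f
"""

BANK_RE = re.compile(r"^\s*(\w+):\s*$")
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text: str) -> Dict[str, Dict[int, str]]:
    """Parse tpm2_pcrread output into {bank_name: {pcr_index: hex_digest}}."""
    banks: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        m = BANK_RE.match(line)
        if m:
            current = m.group(1).lower()
            banks.setdefault(current, {})
            continue
        m = PCR_RE.match(line)
        if m and current is not None:
            banks[current][int(m.group(1))] = m.group(2).lower()
    return banks


def unextended_banks(banks: Dict[str, Dict[int, str]],
                     firmware_pcrs: Iterable[int] = range(0, 8)) -> List[str]:
    """Return active banks whose firmware PCRs (0-7) were never extended.

    Firmware extends PCRs 0-7 during boot; a bank where every reported one of
    them is still zero is active but unmeasured, the condition from the thread.
    """
    hits = []
    for name, pcrs in banks.items():
        present = [pcrs[i] for i in firmware_pcrs if i in pcrs]
        if present and all(set(digest) == {"0"} for digest in present):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print("unextended active banks:", unextended_banks(parse_pcrread(SAMPLE_PCRREAD)))
```

On a real guest, feed the function the captured output of `tpm2_pcrread` instead of the constructed sample.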