Message-ID: <46963c6b6e0eea2bf0b3629031f6f04232ea7528.camel@linux.ibm.com>
Subject: Re: [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option
From: "James Bottomley"
Reply-To: jejb@linux.ibm.com
To: Stefan Berger, Gerd Hoffmann
Cc: devel@edk2.groups.io, Min Xu, Jordan Justen, Erdem Aktas, Ard Biesheuvel, Marc-André Lureau, Jiewen Yao, Tom Lendacky, Brijesh Singh
Date: Fri, 22 Oct 2021 07:49:23 -0400
In-Reply-To:
References: <20211021122003.2008499-1-kraxel@redhat.com> <20211021122003.2008499-5-kraxel@redhat.com> <03a75199-000f-5575-8898-6d9b113f2bee@linux.ibm.com> <20211022063948.mratwrzgponwiulg@sirius.home.kraxel.org>
User-Agent: Evolution 3.34.4
On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
[...]
> I see this also but when I get into Linux and run tpm2_pcrread I see
> the SHA1 bank active but not having received any PCR extensions from
> the firmware, which is not supposed to happen.

That's not entirely correct: the TCG firmware profile just requires us
to log through at least one bank; it doesn't require that all active
banks be logged. I've got several physical systems with three active
banks but only one or two measured through.

The knock-on problem the Linux kernel is going to have is that we do
tend to expect the sha1 bank to be extended into if any others are, so
someone is going to have to update expectations ... we should have this
in hand already as sha1 is deprecated.

> So I think you should drop this patch and I'll change the set of
> active PCR banks on the swtpm_setup level.

Even if the firmware deactivated the sha1 bank, the kernel expectation
problem is still going to exist.

James
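A check for the situation discussed in the thread (an active PCR bank that the firmware never extended, while another bank was measured through), as an added example that is not part of the thread or of the OvmfPkg patch; it parses constructed tpm2_pcrread-style output and flags a bank whose firmware PCRs 0-7 are all still at their reset value. The digest values and the `sha1_expectation_gap` name are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the YAML-style layout tpm2_pcrread prints (values are
# made up): the sha1 bank is active but untouched, sha256 has been measured into.
SAMPLE_PCRREAD = """\
sha1:
  0 : 0x0000000000000000000000000000000000000000
  1 : 0x0000000000000000000000000000000000000000
  2 : 0x0000000000000000000000000000000000000000
  7 : 0x0000000000000000000000000000000000000000
sha256:
  0 : 0xE3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
  1 : 0x0000000000000000000000000000000000000000000000000000000000000000
  2 : 0x7C3E5F3D1D1A6C4B8E2A9F0B5D6C7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D
  7 : 0x0000000000000000000000000000000000000000000000000000000000000000
"""

# PCRs 0-7 are the firmware-owned PCRs; each resets to all-zero at TPM startup.
FIRMWARE_PCRS = range(0, 8)

def parse_pcrread(text: str) -> Dict[str, Dict[int, bytes]]:
    """Parse tpm2_pcrread output into {bank: {pcr_index: digest_bytes}}."""
    banks: Dict[str, Dict[int, bytes]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*$", line)          # bank header, e.g. "sha256:"
        if m:
            current = m.group(1)
            banks[current] = {}
            continue
        m = re.match(r"^\s+(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$", line)  # "  0 : 0x..."
        if m and current is not None:
            banks[current][int(m.group(1))] = bytes.fromhex(m.group(2))
    return banks

def extended_banks(banks: Dict[str, Dict[int, bytes]]) -> List[str]:
    """Banks where at least one firmware PCR has left its all-zero reset value."""
    return sorted(
        bank for bank, pcrs in banks.items()
        if any(pcrs[i] != bytes(len(pcrs[i])) for i in FIRMWARE_PCRS if i in pcrs)
    )

def sha1_expectation_gap(banks: Dict[str, Dict[int, bytes]]) -> bool:
    """True when some bank was measured into but an active sha1 bank was not."""
    extended = extended_banks(banks)
    return "sha1" in banks and "sha1" not in extended and bool(extended)
```

On a real system, feed `tpm2_pcrread` output to `parse_pcrread`; a `True` from `sha1_expectation_gap` means the firmware satisfied the profile's "at least one bank" rule but left the active sha1 bank in the state the kernel does not currently expect.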