Re: ima pcr question

On Sat, 2020-01-18 at 16:20 -0700, Jerry Snitselaar wrote:
> On Sat Jan 18 20, Jerry Snitselaar wrote:
> > On Fri Jan 17 20, James Bottomley wrote:
[...]
> > > The implication seems to be that on a DELL setting the bios
> > > default to sha256 turns off the TPM's sha1 pcr banks ... is that
> > > the case?
> > > 
> > > tssgetcapability -cap 5
> > > 
> > > should confirm or deny this.
> > > 
> > > James
> > > 
> > 
> > I believe so, I'm waiting to get access to the system here to
> > double check. Before with the intel stack, tpm2_pcrlist -s would
> > return both sha1 and sha256, but the plain tpm2_pcrlist command
> > would show only banks for one or the other depending on which
> > setting was in the bios. For the other it would just print
> > out the algorithm and nothing else.
> > 
> > I should be able to run the tss2 command later today.
> > 
> > Regards,
> > Jerry
> 
> with sha1 selected:
> 
> [root@dell-per830-01 ~]# tssgetcapability -cap 5
> 2 PCR selections
>      hash TPM_ALG_SHA1
>      TPMS_PCR_SELECTION length 3
>      ff ff ff 
>      hash TPM_ALG_SHA256
>      TPMS_PCR_SELECTION length 3
>      00 00 00 
> 
> with sha256 selected:
> 
> [root@dell-per830-01 ~]# tssgetcapability -cap 5
> 2 PCR selections
>      hash TPM_ALG_SHA1
>      TPMS_PCR_SELECTION length 3
>      00 00 00 
>      hash TPM_ALG_SHA256
>      TPMS_PCR_SELECTION length 3
>      ff ff ff 

OK, so that confirms the suspicion.  The only active bank is the one
you've selected in the bios ... I suppose it was done to avoid having
to measure through more than one bank, but it does mean IMA must cope
in the case the sha1 bank isn't active.

James
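As an added illustration, not code from the thread or from the TSS: a small Python parser for the TPML_PCR_SELECTION structure that `tssgetcapability -cap 5` prints, fed constructed byte strings that mirror Jerry's two outputs, so a script can tell whether the SHA1 bank is actually allocated before relying on it. The TPM_ALG_ID values and the LSB-first PCR bitmap layout are the TCG-specified ones; the function names are my own.

```python
import struct

# TCG TPM_ALG_ID values for the two banks discussed in the thread.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
ALG_NAMES = {TPM_ALG_SHA1: "TPM_ALG_SHA1", TPM_ALG_SHA256: "TPM_ALG_SHA256"}


def encode_pcr_selections(selections):
    """Build a TPML_PCR_SELECTION from [(alg_id, pcr_select_bytes), ...]
    (count as UINT32, then per bank: hash UINT16, sizeofSelect UINT8, bitmap)."""
    out = struct.pack(">I", len(selections))
    for alg, select in selections:
        out += struct.pack(">HB", alg, len(select)) + select
    return out


def parse_pcr_selections(data):
    """Parse a TPML_PCR_SELECTION into {bank_name: [allocated PCR indices]}."""
    (count,) = struct.unpack_from(">I", data, 0)
    off, banks = 4, {}
    for _ in range(count):
        alg, size = struct.unpack_from(">HB", data, off)
        off += 3
        select = data[off:off + size]
        off += size
        # Octet i, bit j (least significant bit first) selects PCR i*8 + j.
        pcrs = [i * 8 + j for i, b in enumerate(select)
                for j in range(8) if (b >> j) & 1]
        banks[ALG_NAMES.get(alg, "0x%04x" % alg)] = pcrs
    return banks


def active_banks(banks):
    """Names of banks with at least one allocated PCR, i.e. the only ones
    firmware and IMA can actually extend into."""
    return [name for name, pcrs in banks.items() if pcrs]


# Constructed payloads mirroring the two tssgetcapability -cap 5 outputs in the
# thread: all 24 PCRs (ff ff ff) in one bank, none (00 00 00) in the other.
SHA1_SELECTED = encode_pcr_selections(
    [(TPM_ALG_SHA1, b"\xff\xff\xff"), (TPM_ALG_SHA256, b"\x00\x00\x00")])
SHA256_SELECTED = encode_pcr_selections(
    [(TPM_ALG_SHA1, b"\x00\x00\x00"), (TPM_ALG_SHA256, b"\xff\xff\xff")])

if __name__ == "__main__":
    for label, blob in (("sha1 selected", SHA1_SELECTED),
                        ("sha256 selected", SHA256_SELECTED)):
        banks = parse_pcr_selections(blob)
        print(label, "-> active:", active_banks(banks),
              "| sha1 bank usable:", "TPM_ALG_SHA1" in active_banks(banks))
```

With the BIOS set to sha256 the parser reports an empty SHA1 bank, which is exactly the case James says IMA has to cope with.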