fix: use tpm2 hash algorithm constants and allow non-SHA-256 PCRs #7811
Conversation
i think i'd still fail if sha256 is not found, since it would fail elsewhere. I'll clean that up
@frezbo Is it possible to build a version of Talos with this change? I can test it on the affected system. I believe it should be fine as there will be sha256 banks available - the original code would fail if there were any non-sha256 banks present at all, which I believe was the main problem.
@uhthomas Could you try this image: This would work with a fresh boot only, an upgrade won't work
/ok-to-test
this makes no sense, since it loops over all banks
/promote integration-trusted-boot
@frezbo Do you also have an ISO I could use? I just tried with the installer you provided, but it had the same error (which indicates to me the code hasn't changed, and the ISO probably needs to be updated too).
Ahh I see the problem, the first code runs from iso 😅 . I'll generate one and send over
@frezbo Thanks for building that ISO for me. I've been able to install Talos with secureboot and TPM encryption.
/promote integration-trusted-boot
The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for uncommon algorithms like SM3256. This can be avoided by checking the constants directly, rather than converting them. It should also be fine to allow some non SHA-256 PCRs.
Fixes: siderolabs#7810
Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Noel Georgi <git@frezbo.dev>
/promote integration-trusted-boot
/promote integration-trusted-boot
/m
Pull Request
What? (description)
The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for uncommon algorithms like SM3256. This can be avoided by checking the constants directly, rather than converting them. It should also be fine to allow some non SHA-256 PCRs.
Why? (reasoning)
Fixes: #7810
Acceptance
Please use the following checklist:
make conformance
make fmt
make lint
make docs
make unit-tests
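As an added illustration of the approach described in this PR (example code, not code from the PR or from Talos itself), the following stand-alone Go program contrasts the old path, which translates every PCR bank's TPM algorithm into a Go crypto.Hash and fails on the first one it cannot translate, with the fixed path, which compares the TPM algorithm identifier directly and simply skips banks that are not SHA-256. The TPMAlgID type, the PCRBank struct, the helper functions and the bank list are constructed for this example; the numeric identifiers are the TCG Algorithm Registry values, and a real implementation would take them from its TPM library rather than redefining them.

```go
package main

import (
	"crypto"
	"errors"
	"fmt"
)

// TPM 2.0 algorithm identifiers (values from the TCG Algorithm Registry).
// Defined locally so the example builds with only the standard library;
// this is an assumption of the example, not Talos's own type.
type TPMAlgID uint16

const (
	TPMAlgSHA1   TPMAlgID = 0x0004
	TPMAlgSHA256 TPMAlgID = 0x000B
	TPMAlgSHA384 TPMAlgID = 0x000C
	TPMAlgSHA512 TPMAlgID = 0x000D
	TPMAlgSM3256 TPMAlgID = 0x0012
)

// PCRBank is a constructed stand-in for one PCR selection reported by the
// TPM: the hash algorithm of the bank and the PCR indices selected in it.
type PCRBank struct {
	Alg  TPMAlgID
	PCRs []int
}

// toCryptoHash mirrors the old approach: translate the TPM algorithm into a
// Go crypto.Hash before using it. Go has no crypto.Hash for SM3, so a bank
// using SM3_256 cannot be translated at all.
func toCryptoHash(alg TPMAlgID) (crypto.Hash, error) {
	switch alg {
	case TPMAlgSHA1:
		return crypto.SHA1, nil
	case TPMAlgSHA256:
		return crypto.SHA256, nil
	case TPMAlgSHA384:
		return crypto.SHA384, nil
	case TPMAlgSHA512:
		return crypto.SHA512, nil
	}
	return 0, fmt.Errorf("unsupported hash algorithm 0x%04x", uint16(alg))
}

// selectSHA256BankOld returns an error as soon as any bank fails to convert,
// which is the failure mode on a TPM that also reports an SM3_256 bank.
func selectSHA256BankOld(banks []PCRBank) (*PCRBank, error) {
	for i := range banks {
		h, err := toCryptoHash(banks[i].Alg)
		if err != nil {
			return nil, err
		}
		if h == crypto.SHA256 {
			return &banks[i], nil
		}
	}
	return nil, errors.New("no SHA-256 PCR bank found")
}

// selectSHA256BankNew compares the TPM constant directly: banks with other
// algorithms are skipped, and it fails only if no SHA-256 bank exists.
func selectSHA256BankNew(banks []PCRBank) (*PCRBank, error) {
	for i := range banks {
		if banks[i].Alg == TPMAlgSHA256 {
			return &banks[i], nil
		}
	}
	return nil, errors.New("no SHA-256 PCR bank found")
}

func main() {
	// Constructed bank list: an SM3_256 bank is reported before the SHA-256
	// bank, so the old path errors out before ever reaching SHA-256.
	banks := []PCRBank{
		{Alg: TPMAlgSHA1, PCRs: []int{0, 7}},
		{Alg: TPMAlgSM3256, PCRs: []int{0, 7}},
		{Alg: TPMAlgSHA256, PCRs: []int{0, 7, 11}},
	}
	if _, err := selectSHA256BankOld(banks); err != nil {
		fmt.Println("old:", err)
	}
	b, err := selectSHA256BankNew(banks)
	if err != nil {
		fmt.Println("new:", err)
		return
	}
	fmt.Printf("new: using SHA-256 bank with PCRs %v\n", b.PCRs)
}
```

The design point is that the conversion to crypto.Hash was never needed for bank selection; it was only needed later to compute digests for the bank actually chosen, and by then the algorithm is known to be SHA-256. Keeping the comparison in the TPM's own identifier space means an exotic bank on the system can no longer block selection of a perfectly usable one.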