fix: use tpm2 hash algorithm constants and allow non-SHA-256 PCRs

The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for uncommon algorithms like SM3256. This can be avoided by checking the constants directly, rather than converting them. It should also be fine to allow some non SHA-256 PCRs. Fixes: siderolabs#7810
uhthomas · Sep 29, 2023 · 1e6582f · 1e6582f
1 parent 0bd1bdd
commit 1e6582f
Showing 1 changed file with 10 additions and 23 deletions.
diff --git a/internal/pkg/secureboot/tpm2/pcr.go b/internal/pkg/secureboot/tpm2/pcr.go
@@ -7,7 +7,6 @@ package tpm2
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/sha256"
 	"fmt"
 	"log"
@@ -164,30 +163,18 @@ func validatePCRBanks(t transport.TPM) error {
 	}
 
 	for _, s := range assignedPCRs.PCRSelections {
-		h, err := s.Hash.Hash()
-		if err != nil {
-			return fmt.Errorf("failed to parse hash algorithm: %v", err)
+		if s.Hash != tpm2.TPMAlgSHA256 {
+			continue
 		}
 
-		switch h { //nolint:exhaustive
-		case crypto.SHA1:
-			continue
-		case crypto.SHA256:
-			// check if 24 banks are available
-			if len(s.PCRSelect) != 24/8 {
-				return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
-			}
-
-			// check if all banks are available
-			if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
-				return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
-			}
-		case crypto.SHA384:
-			continue
-		case crypto.SHA512:
-			continue
-		default:
-			return fmt.Errorf("unsupported hash algorithm: %s", h.String())
+		// check if 24 banks are available
+		if len(s.PCRSelect) != 24/8 {
+			return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
+		}
+
+		// check if all banks are available
+		if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
+			return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
 		}
 	}