From 1e6582f6b59e4a3d7f5c3d21851f9b1c1b1c083c Mon Sep 17 00:00:00 2001
From: Thomas Way
Date: Fri, 29 Sep 2023 20:07:36 +0100
Subject: [PATCH] fix: use tpm2 hash algorithm constants and allow non-SHA-256 PCRs
The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for uncommon algorithms like SM3256. This can be avoided by checking the constants directly, rather than converting them. It should also be fine to allow some non SHA-256 PCRs.
Fixes: #7810
---
 internal/pkg/secureboot/tpm2/pcr.go | 33 +++++++++--------------------
 1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/internal/pkg/secureboot/tpm2/pcr.go b/internal/pkg/secureboot/tpm2/pcr.go
index 73811086771..69c4d0d425d 100644
--- a/internal/pkg/secureboot/tpm2/pcr.go
+++ b/internal/pkg/secureboot/tpm2/pcr.go
@@ -7,7 +7,6 @@ package tpm2
 import (
 "bytes"
- "crypto"
 "crypto/sha256"
 "fmt"
 "log"
@@ -164,30 +163,18 @@ func validatePCRBanks(t transport.TPM) error {
 }
 for _, s := range assignedPCRs.PCRSelections {
- h, err := s.Hash.Hash()
- if err != nil {
- return fmt.Errorf("failed to parse hash algorithm: %v", err)
+ if s.Hash != tpm2.TPMAlgSHA256 {
+ continue
 }
- switch h { //nolint:exhaustive
- case crypto.SHA1:
- continue
- case crypto.SHA256:
- // check if 24 banks are available
- if len(s.PCRSelect) != 24/8 {
- return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
- }
-
- // check if all banks are available
- if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
- return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
- }
- case crypto.SHA384:
- continue
- case crypto.SHA512:
- continue
- default:
- return fmt.Errorf("unsupported hash algorithm: %s", h.String())
+ // check if 24 banks are available
+ if len(s.PCRSelect) != 24/8 {
+ return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
+ }
+
+ // check if all banks are available
+ if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
+ return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
 }
 }
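Review bot: With the new `continue` at the top of the loop, a TPM whose `assignedPCRs.PCRSelections` contains no SHA-256 entry at all now passes validatePCRBanks without a single PCR check, because every error path lives inside the SHA-256 branch; the old `default:` case rejected such a TPM, if only accidentally, and this commit removes that last safeguard. Since the file still imports `crypto/sha256`, the SHA-256 bank is presumably the one the rest of the package measures and seals against, so its absence should be an explicit error rather than a silent pass, which a found flag checked after the loop provides (fence below). The two comments also say `banks` where `PCRSelect` is a bitmap of PCR indices within the single SHA-256 bank; `// check that all 24 PCRs of the SHA-256 bank are allocated` would be accurate. validatePCRBanks starts before this hunk, and its closing lines, including the final return, are not shown here.

```go
	sha256Found := false

	for _, s := range assignedPCRs.PCRSelections {
		// … unchanged: skip selections whose s.Hash is not tpm2.TPMAlgSHA256 …
		sha256Found = true

		// … unchanged: PCRSelect length and bitmap checks …
	}

	if !sha256Found {
		return fmt.Errorf("no SHA-256 PCR bank is allocated")
	}
```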