Bug 2325528

Summary: tpm2: use first PCR algorithm bank supported by TPM as default
Product: [Fedora] Fedora
Reporter: Sergio Arroutbi <sarroutb>
Component: clevis
Assignee: Sergio Arroutbi <sarroutb>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 40
CC: amulhern, extras-qa, fmartine, rsroka, sarroutb, scorreia
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
URL: https://github.com/latchset/clevis/pull/490
Whiteboard:
Fixed In Version: clevis-21-7.fc40
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2325522
Environment:
Last Closed: 2024-12-15 02:39:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sergio Arroutbi 2024-11-12 15:40:19 UTC
+++ This bug was initially created as a clone of Bug #2325522 +++

The default PCR bank for TPM2 is sha1, which is not always supported (it is legacy and optional for implementations). Make this more future-proof and use the first bank with a non-empty set of PCRs, as returned from the TPM by `tpm2_getcap pcrs`.
swtpm does not create a sha1 bank by default, so this fixes usage with swtpm.

Reproducible: Always

Steps to Reproduce:
1. Configure a TPM2 bank without sha1
2. Try configuring clevis without specifying a bank
3. Check the error:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.

Actual Results:  

# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.

Expected Results:  
Encryption/Decryption should be performed correctly independently of the bank:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
foo
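The selection rule described in the report, as an added example that is not clevis's own code and not the change in PR #490: it parses `tpm2_getcap pcrs` style output, picks the first bank whose allocated PCR list is non-empty, and then validates a clevis-style `pcr_ids` list against that bank instead of against a hard-coded sha1. The YAML layout of the sample (a `selected-pcrs:` block with `- <bank>: [ ... ]` entries) is an assumption matching tpm2-tools 5.x; the sample itself is constructed to mimic a swtpm with no sha1 bank, so the script runs offline.

```shell
#!/bin/sh
# Constructed sample of `tpm2_getcap pcrs` output (assumed tpm2-tools 5.x YAML
# layout) for a TPM whose sha1 bank is allocated no PCRs, as with swtpm.
# On a real host, pipe the real `tpm2_getcap pcrs` into the functions below.
SAMPLE_PCRS_OUTPUT='selected-pcrs:
  - sha1: [ ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha384: [ ]'

# Print the first bank whose PCR list is non-empty; input on stdin.
# Exit status 1 when no bank has any PCRs allocated.
first_pcr_bank() {
    awk '
        # Bank lines look like "  - sha256: [ 0, 1, ... ]"
        /^[[:space:]]*-[[:space:]]*[a-z0-9_]+:[[:space:]]*\[/ {
            bank = $2; sub(/:$/, "", bank)
            ids = substr($0, index($0, "[") + 1); sub(/\].*$/, "", ids)
            gsub(/[[:space:],]/, "", ids)
            if (ids != "") { print bank; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Succeed only if every id in a comma-separated list (clevis "pcr_ids" style)
# is allocated in the named bank; input on stdin. Fails for an unknown bank.
pcr_ids_in_bank() {
    bank="$1"; want="$2"
    awk -v bank="$bank" -v want="$want" '
        /^[[:space:]]*-[[:space:]]*[a-z0-9_]+:[[:space:]]*\[/ {
            b = $2; sub(/:$/, "", b)
            if (b != bank) next
            ids = substr($0, index($0, "[") + 1); sub(/\].*$/, "", ids)
            gsub(/[[:space:]]/, "", ids)
            n = split(ids, have, ",")
            for (i = 1; i <= n; i++) present[have[i]] = 1
            seen_bank = 1
        }
        END {
            if (!seen_bank) exit 1
            m = split(want, w, ",")
            for (i = 1; i <= m; i++) if (!(w[i] in present)) exit 1
            exit 0
        }
    '
}

# Demo on the constructed sample: choose the default bank from the TPM rather
# than assuming sha1, then validate pcr_ids "7" against it. Prints the bank on
# success; on failure prints a clevis-style message and returns 1.
demo_default_bank() {
    bank=$(printf '%s\n' "$SAMPLE_PCRS_OUTPUT" | first_pcr_bank) || return 1
    if printf '%s\n' "$SAMPLE_PCRS_OUTPUT" | pcr_ids_in_bank "$bank" "7"; then
        printf '%s\n' "$bank"
    else
        printf "Unable to validate combination of PCR bank '%s' and PCR IDs '%s'.\n" "$bank" 7 >&2
        return 1
    fi
}

demo_default_bank
```

With the sample above the script prints `sha256`; with the old hard-coded default the same input would fail validation for sha1, which is exactly the error quoted in the steps to reproduce.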

Comment 1 Fedora Update System 2024-11-18 11:58:59 UTC
FEDORA-2024-cfd77e67c1 (clevis-21-6.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-cfd77e67c1

Comment 2 Fedora Update System 2024-11-19 02:25:18 UTC
FEDORA-2024-cfd77e67c1 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-cfd77e67c1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-cfd77e67c1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-11-30 03:36:27 UTC
FEDORA-2024-152e731ede has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-152e731ede`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-152e731ede

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2024-12-15 02:39:39 UTC
FEDORA-2024-152e731ede (clevis-21-7.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.