Bug 2325522 - tpm2: use first PCR algorithm bank supported by TPM as default
Summary: tpm2: use first PCR algorithm bank supported by TPM as default
Keywords:
Status: MODIFIED
Alias: None
Product: Fedora
Classification: Fedora
Component: clevis
Version: 42
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Sergio Arroutbi
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/latchset/clevis/pu...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-12 15:34 UTC by Sergio Arroutbi
Modified: 2025-02-26 13:16 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
: 2325524 2325528 (view as bug list)
Environment:
Last Closed:
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Sergio Arroutbi 2024-11-12 15:34:29 UTC 
The default PCR bank for TPM2 is sha1, which is not always supported (it is legacy and optional for implementation). Make this more future-proof and use the first bank with non-empty set of PCRs, which is returned from TPM by tpm2_getcap pcrs.
The swtpm by default does not create sha1 bank, so this fixes usage with swtpm.

Reproducible: Always

Steps to Reproduce:
1.Configure TPM2 bank without sha1
2.Try configuring clevis without specifying bank
3.Check error:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.

Actual Results:  

# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.



Expected Results:  
Encryption/Decryption should be performed correctly independently of the bank:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
foo
Comment 1 Aoife Moloney 2025-02-26 13:16:11 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.
Note You need to log in before you can comment on or make changes to this bug.