Bug 2325528 - tpm2: use first PCR algorithm bank supported by TPM as default
Summary: tpm2: use first PCR algorithm bank supported by TPM as default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clevis
Version: 40
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Sergio Arroutbi
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/latchset/clevis/pu...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-11-12 15:40 UTC by Sergio Arroutbi
Modified: 2024-12-15 02:39 UTC

Fixed In Version: clevis-21-7.fc40
Clone Of: 2325522
Environment:
Last Closed: 2024-12-15 02:39:39 UTC
Type: ---
Embargoed:



Description Sergio Arroutbi 2024-11-12 15:40:19 UTC
+++ This bug was initially created as a clone of Bug #2325522 +++

The default PCR bank for TPM2 is sha1, which is not always supported (it is legacy and optional to implement). Make this more future-proof and use the first bank with a non-empty set of PCRs, as returned by the TPM via tpm2_getcap pcrs.
swtpm by default does not create a sha1 bank, so this fixes usage with swtpm.

Reproducible: Always

Steps to Reproduce:
1. Configure TPM2 bank without sha1
2. Try configuring clevis without specifying bank
3. Check error:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.

Actual Results:  

# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.



Expected Results:  
Encryption/Decryption should be performed correctly independently of the bank:
# echo foo | clevis encrypt tpm2 '{"pcr_ids": "7"}' | clevis decrypt
foo

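Added example (not clevis's own code and not from the reporter): a shell sketch of the bank selection the description proposes, plus the kind of bank/PCR-ID check behind the "Unable to validate combination" error above. It assumes the YAML-style listing printed by `tpm2_getcap pcrs` in tpm2-tools 5.x; the sample output is constructed to look like a swtpm with no sha1 bank, and the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not clevis's own implementation.
# Input format assumed: the YAML-style listing printed by `tpm2_getcap pcrs`
# in tpm2-tools 5.x, e.g. "  - sha256: [ 0, 1, 2 ]".

# Constructed sample standing in for a TPM (e.g. swtpm) with no sha1 bank.
SAMPLE_GETCAP_PCRS='selected-pcrs:
  - sha1: [  ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha384: [  ]'

# first_pcr_bank: read `tpm2_getcap pcrs` output on stdin and print the
# first bank whose bracketed list holds at least one PCR index.
# Prints nothing and returns 1 when no bank is usable.
first_pcr_bank() {
    awk '
        /^[ \t]*-[ \t]*[a-z0-9_]+:[ \t]*\[/ {
            line = $0
            sub(/^[ \t]*-[ \t]*/, "", line)      # "sha256: [ 0, 1 ]"
            bank = line; sub(/:.*$/, "", bank)    # "sha256"
            pcrs = line
            sub(/^[^[]*\[/, "", pcrs)             # " 0, 1 ]"
            sub(/\].*$/, "", pcrs)                # " 0, 1 "
            if (pcrs ~ /[0-9]/) { print bank; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# pcr_ids_in_bank BANK IDS: succeed only if every index in the comma-separated
# IDS list (clevis "pcr_ids" style, e.g. "0,7") is present in BANK on stdin.
# An empty or missing bank therefore fails, which is the sha1 case above.
pcr_ids_in_bank() {
    awk -v want="$1" -v ids="$2" '
        /^[ \t]*-[ \t]*[a-z0-9_]+:[ \t]*\[/ {
            line = $0
            sub(/^[ \t]*-[ \t]*/, "", line)
            bank = line; sub(/:.*$/, "", bank)
            if (bank != want) next
            pcrs = line
            sub(/^[^[]*\[/, "", pcrs); sub(/\].*$/, "", pcrs)
            n = split(pcrs, have_list, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (have_list[i] != "") have[have_list[i]] = 1
            m = split(ids, req, /[ \t,]+/)
            for (i = 1; i <= m; i++) if (req[i] != "" && !(req[i] in have)) exit 1
            ok = 1; exit
        }
        END { if (!ok) exit 1 }
    '
}

# Demo: what the new default resolves to on the sample, then the check that
# fails for a hard-coded sha1 default and passes for the detected bank.
# On a real system replace the printf with `tpm2_getcap pcrs`.
bank=$(printf '%s\n' "$SAMPLE_GETCAP_PCRS" | first_pcr_bank) || { echo "no PCR bank with PCRs" >&2; exit 1; }
echo "default bank: $bank"
for b in sha1 "$bank"; do
    if printf '%s\n' "$SAMPLE_GETCAP_PCRS" | pcr_ids_in_bank "$b" 7; then
        echo "bank '$b' with PCR IDs '7': ok"
    else
        echo "Unable to validate combination of PCR bank '$b' and PCR IDs '7'."
    fi
done
```

Selecting the first non-empty bank removes the hard dependency on sha1, but it also makes the chosen bank depend on the TPM's bank ordering; a policy that must bind to a specific algorithm should still pass an explicit "pcr_bank" to clevis rather than rely on the default.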
Comment 1 Fedora Update System 2024-11-18 11:58:59 UTC
FEDORA-2024-cfd77e67c1 (clevis-21-6.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-cfd77e67c1

Comment 2 Fedora Update System 2024-11-19 02:25:18 UTC
FEDORA-2024-cfd77e67c1 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-cfd77e67c1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-cfd77e67c1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-11-30 03:36:27 UTC
FEDORA-2024-152e731ede has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-152e731ede`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-152e731ede

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2024-12-15 02:39:39 UTC
FEDORA-2024-152e731ede (clevis-21-7.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
