Is your feature request related to a problem? Please describe.
Infineon SLB9672 TPMs already support a SHA384 PCR bank (default disabled) besides SHA1 (default disabled) and SHA256 (default enabled). It is not particularly a problem for heads right now, but if the TPM supports it, why not use the stronger hashing algorithm (assuming the TPM has the given bank enabled, e.g. SHA384)?
Currently, heads hardcodes the usage of SHA1 in case of TPM1 (for obvious reasons) and SHA256 in case of TPM2 (here it becomes a little bit tricky). TPM2 may have various PCR banks active at a time, sometimes only one, sometimes multiple ones (Infineon SLB9665 and SLB9670 TPMs had both SHA1 and SHA256 active simultaneously by default).
Describe the solution you'd like
Heads should be more flexible and query the TPM for active PCR banks and choose the stronger hashing algorithm (preferably?).
Describe alternatives you've considered
Be agile and extend PCRs in all active PCR banks? However, the newer TPMs may possibly have only one PCR bank active at a time (true for Intel fTPMs and maybe for Infineon SLB9672 too - have to check), so this alternative approach may not be beneficial at all, i.e. SHA1 measurements are useless if we have SHA256, given that SHA1 is considered insecure already.
Additional context
Preparing heads to run on MSI PRO Z690-A/Z790-P with Infineon SLB9672 and want it to run on steroids.
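A sketch of the bank selection requested above, as an added example that is not Heads code or part of the original issue: it parses `tpm2_getcap pcrs` output and picks the strongest bank that has PCRs allocated. The function names are hypothetical, the sample output is constructed, and the YAML layout is assumed to match tpm2-tools 4.x/5.x.

```shell
#!/bin/sh
# Constructed sample of `tpm2_getcap pcrs` output (assumed tpm2-tools 4.x/5.x
# layout): a bank with an empty list has no PCRs allocated, i.e. is inactive.
sample_getcap_pcrs() {
cat <<'EOF'
selected-pcrs:
  - sha1: [ ]
  - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha384: [ ]
EOF
}

# Read getcap output on stdin; print the name of every bank that lists at
# least one PCR index, one per line.
list_active_banks() {
    sed -n 's/^[[:space:]]*-[[:space:]]*\([a-z0-9_]*\):[[:space:]]*\[[[:space:]]*[0-9].*$/\1/p'
}

# Rank a bank by digest size in bits. Unknown algorithms get 0 and are never
# selected (a policy choice made for this example).
bank_strength() {
    case "$1" in
        sha512) echo 512 ;;
        sha384) echo 384 ;;
        sha256) echo 256 ;;
        sha1)   echo 160 ;;   # last resort, only if nothing stronger is active
        *)      echo 0 ;;
    esac
}

# Read getcap output on stdin; print the strongest active bank, or return 1
# if no usable bank is active.
pick_strongest_bank() {
    best=""; best_rank=0
    for bank in $(list_active_banks); do
        rank=$(bank_strength "$bank")
        if [ "$rank" -gt "$best_rank" ]; then
            best=$bank; best_rank=$rank
        fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# On a real TPM2 system: tpm2_getcap pcrs | pick_strongest_bank
```

This treats a bank as active when any PCR is allocated in it; a caller that needs specific PCR indices would also have to check that those indices appear in the chosen bank.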