fix: use tpm2 hash algorithm constants and allow non-SHA-256 PCRs

The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for uncommon algorithms like SM3256. This can be avoided by checking the constants directly, rather than converting them. It should also be fine to allow some non SHA-256 PCRs. Fixes: #7810 Signed-off-by: Thomas Way <thomas@6f.io> Signed-off-by: Noel Georgi <git@frezbo.dev>
2023-09-29 20:13:17 +01:00 · 2023-09-29 20:13:17 +01:00 · 336aee0fdb
commit 336aee0fdb
parent 69d8054c9e
1 changed files with 9 additions and 22 deletions
--- a/internal/pkg/secureboot/tpm2/pcr.go
+++ b/internal/pkg/secureboot/tpm2/pcr.go
@ -7,7 +7,6 @@ package tpm2

 import (
 	"bytes"
-	"crypto"
 	"crypto/sha256"
 	"fmt"
 	"log"
@ -164,30 +163,18 @@ func validatePCRBanks(t transport.TPM) error {
 	}

 	for _, s := range assignedPCRs.PCRSelections {
-		h, err := s.Hash.Hash()
-		if err != nil {
-			return fmt.Errorf("failed to parse hash algorithm: %v", err)
+		if s.Hash != tpm2.TPMAlgSHA256 {
+			continue
 		}

-		switch h { //nolint:exhaustive
-		case crypto.SHA1:
-			continue
-		case crypto.SHA256:
-			// check if 24 banks are available
-			if len(s.PCRSelect) != 24/8 {
-				return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
-			}
+		// check if 24 banks are available
+		if len(s.PCRSelect) != 24/8 {
+			return fmt.Errorf("unexpected number of PCR banks: %d", len(s.PCRSelect))
+		}

-			// check if all banks are available
-			if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
-				return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
-			}
-		case crypto.SHA384:
-			continue
-		case crypto.SHA512:
-			continue
-		default:
-			return fmt.Errorf("unsupported hash algorithm: %s", h.String())
+		// check if all banks are available
+		if s.PCRSelect[0] != 0xff || s.PCRSelect[1] != 0xff || s.PCRSelect[2] != 0xff {
+			return fmt.Errorf("unexpected PCR banks: %v", s.PCRSelect)
 		}
 	}