--- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2 2024-09-24 10:27:06.000000000 +0200 +++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2 2024-11-05 15:54:16.209993587 +0100 @@ -58,7 +58,7 @@ echo echo " key: Algorithm type for the generated key (default: ecc)" echo - echo " pcr_bank: PCR algorithm bank to use for policy (default: sha1)" + echo " pcr_bank: PCR algorithm bank to use for policy (default: first supported by TPM)" echo echo " pcr_ids: PCR list used for policy. If not present, no policy is used" echo @@ -130,7 +130,15 @@ key="$(jose fmt -j- -Og key -u- <<< "$cfg")" || key="ecc" -pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || pcr_bank="sha1" +pcr_bank="$(jose fmt -j- -Og pcr_bank -u- <<< "$cfg")" || { + if ! pcr_bank=$(tpm2_getcap pcrs | + awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \ + {found=1; split($0, m, /[-:[:space:]]+/); print m[2]; exit} + END {exit !found}'); then + echo "Unable to find non-empty PCR algorithm bank, please check output of tpm2_getcap pcrs" >&2 + exit 1 + fi +} # Trim the spaces from the config, so that we will not have issues parsing # the PCR IDs. --- clevis-21.old/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-09-24 10:27:06.000000000 +0200 +++ clevis-21/src/pins/tpm2/clevis-encrypt-tpm2.1.adoc 2024-11-05 15:54:16.209993587 +0100 @@ -91,13 +91,17 @@ - *symcipher* * *pcr_bank* (string) : - PCR algorithm bank to use for policy (default: sha1) + PCR algorithm bank to use for policy (default: first supported by TPM) - It must be one of the following: + Examples of PCR algorithm banks, support depends on TPM chip: - *sha1* - *sha256* + For the full list of algorithms supported by the TPM chip check output of + `tpm2_getcap pcrs` and use the algorithm which shows non-empty list of PCR + numbers. + * *pcr_ids* (string) : Comma separated list of PCR used for policy. If not present, no policy is used --- clevis-21.old/src/pins/tpm2/pin-tpm2 2024-09-24 10:27:06.000000000 +0200 +++ clevis-21/src/pins/tpm2/pin-tpm2 2024-11-05 15:54:16.209993587 +0100 @@ -142,8 +142,10 @@ # arrays and check if we get the expected pcr_ids. # Let's first make sure this would be a valid configuration. -_default_pcr_bank="sha1" -if validate_pcrs "${_default_pcr_bank}" "4,16"; then +_default_pcr_bank=$(tpm2_getcap pcrs | + awk '/^[[:space:]]*-[[:space:]]*([^:]+):[[:space:]]*\[[[:space:]]*[^][:space:]]/ \ + {split($0, m, /[-:[:space:]]+/); print m[2]; exit}') +if [ -n "$_default_pcr_bank" ] && validate_pcrs "${_default_pcr_bank}" "4,16"; then test_pcr_ids "${orig}" '{"pcr_ids": "16"}' "16" || exit 1 test_pcr_ids "${orig}" '{"pcr_ids": ["16"]}' "16" || exit 1 test_pcr_ids "${orig}" '{"pcr_ids": "4, 16"}' "4,16" || exit 1