From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 2 Jun 2025 10:32:33 +0000 (+0200)
Subject: pcrlock: also refuse lacking SHA-256 support early when creating policy
X-Git-Tag: v258-rc1~408^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7ce6fd30e8d67075081d69ec27a62d26d750d60;p=thirdparty%2Fsystemd.git

pcrlock: also refuse lacking SHA-256 support early when creating policy

This will fail eventually, but let's be explicit early here.
---

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 652692ea812..4232d99e0c2 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4511,6 +4511,8 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 
         if (!tpm2_supports_command(tc, TPM2_CC_PolicyAuthorizeNV))
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 does not support PolicyAuthorizeNV command, refusing.");
+        if (!tpm2_supports_alg(tc, TPM2_ALG_SHA256))
+                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 does not support SHA-256 hash algorithm, refusing.");
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *srk_handle = NULL;