pcrlock: also refuse lacking SHA-256 support early when creating policy

This will fail eventually, but let's be explicit early here.

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 652692ea812d64325a4f6ccc2d330df5620561fd..4232d99e0c26ff13298c4b6dd32e5c441586bd19 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -4511,6 +4511,8 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
 
         if (!tpm2_supports_command(tc, TPM2_CC_PolicyAuthorizeNV))
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 does not support PolicyAuthorizeNV command, refusing.");
+        if (!tpm2_supports_alg(tc, TPM2_ALG_SHA256))
+                return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 does not support SHA-256 hash algorithm, refusing.");
 
         _cleanup_(tpm2_handle_freep) Tpm2Handle *srk_handle = NULL;