util/grub-protect: Fix the hash algorithm of PCR digest

For tpm2_key_protector and grub-protect, SHA-256 is chosen as the hash
algorithm for the TPM session. However, grub-protect mistakenly used the
hash algorithm of the PCR bank to calculate PCR digest. If the user
chose a PCR bank other than SHA-256, grub-protect created a non-SHA-256
PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256
PCR digest to the TPM unsealing session, so it would fail due to digest
mismatch.

This commit fixes the hash algorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.

Fixes: https://github.com/lcp/grub2/issues/4
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/util/grub-protect.c b/util/grub-protect.c
index 40d4a3fc539519c910f50be8b00d548fb519085e..d53c2572d39a22d5e5303a1ef3ecbd660369b200 100644 (file)
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -483,7 +483,7 @@ protect_tpm2_get_policy_digest (protect_args_t *args, TPM2B_DIGEST_t *digest)
     }
   pcr_concat.size = pcr_concat_len;
 
-  rc = grub_tpm2_hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest, NULL, NULL);
+  rc = grub_tpm2_hash (NULL, &pcr_concat, TPM_ALG_SHA256, TPM_RH_NULL, &pcr_digest, NULL, NULL);
   if (rc != TPM_RC_SUCCESS)
     {
       fprintf (stderr, "Failed to generate PCR digest (TPM2_Hash: 0x%x)\n", rc);