From 11caacdb22599fcd448d92dcf4367032f661a23a Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 13 Jun 2025 15:02:33 +0800 Subject: [PATCH] util/grub-protect: Fix the hash algorithm of PCR digest For tpm2_key_protector and grub-protect, SHA-256 is chosen as the hash algorithm for the TPM session. However, grub-protect mistakenly used the hash algorithm of the PCR bank to calculate PCR digest. If the user chose a PCR bank other than SHA-256, grub-protect created a non-SHA-256 PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256 PCR digest to the TPM unsealing session, so it would fail due to digest mismatch. This commit fixes the hash algorithm of PCR digest in grub-protect to avoid the potential unsealing failure. Fixes: https://github.com/lcp/grub2/issues/4 Signed-off-by: Gary Lin Reviewed-by: Stefan Berger Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper --- util/grub-protect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/grub-protect.c b/util/grub-protect.c index 40d4a3fc5..d53c2572d 100644 --- a/util/grub-protect.c +++ b/util/grub-protect.c @@ -483,7 +483,7 @@ protect_tpm2_get_policy_digest (protect_args_t *args, TPM2B_DIGEST_t *digest) } pcr_concat.size = pcr_concat_len; - rc = grub_tpm2_hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest, NULL, NULL); + rc = grub_tpm2_hash (NULL, &pcr_concat, TPM_ALG_SHA256, TPM_RH_NULL, &pcr_digest, NULL, NULL); if (rc != TPM_RC_SUCCESS) { fprintf (stderr, "Failed to generate PCR digest (TPM2_Hash: 0x%x)\n", rc); -- 2.47.2
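Review bot: the hard-coded TPM_ALG_SHA256 in the grub_tpm2_hash call silently couples grub-protect to the session hash that tpm2_key_protector chooses on the unsealing side, with nothing at this call site recording that coupling; a short comment above the call (e.g. "must match the policy session hash used by tpm2_key_protector") or a shared named constant used by both sides would keep the two from drifting apart again if the session hash is ever changed. The change itself is correct as far as the hunk shows: pcr_concat is built from the values read out of args->tpm2_bank, and the digest over that concatenation has to be computed with the policy session's hash, not the bank's, so the fix belongs here rather than in the PCR read. Since the commit message says the failure only surfaces when a non-SHA-256 bank is selected, it would also be worth adding a seal/unseal test with a non-SHA-256 bank so the mismatch cannot regress unnoticed.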