On Mon, 2020-03-02 at 15:11 +0000, Roberto Sassu wrote:
Yes, preference is given to the IMA default algorithm, but it should fall back to using SHA256 or SHA1, based on the TPM.
Ok. The patch already does it even if the TPM version is not checked. For TPM 1.2, if the default algorithm is not SHA1 the patch will select the first PCR bank (SHA1).
Should I send a new patch which explicitly checks the TPM version?
Checking the TPM version shouldn't be necessary. The code currently sets bank_idx to HASH_ALGO_SHA256. Instead of initializing bank_idx to 0, initialize it to nr_allocated_banks or -1. As long as the bank_idx value is the same as the initialized value, set the bank_idx to HASH_ALGO_SHA1.
The subsequent bank_idx would then be limited to testing for the initialized value.
Mimi
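As an added illustration, not the patch under discussion and not the kernel's own code, here is a stand-alone C model of the bank selection described in this thread: bank_idx starts at a sentinel rather than 0, the IMA default algorithm is preferred, and the TPM's SHA256 or SHA1 bank is the fallback. The enum, the tpm_bank_info struct and the two bank layouts are simplified stand-ins constructed for this example.

```c
#include <stdio.h>

/* Simplified stand-ins for the kernel's HASH_ALGO_* identifiers. */
enum hash_algo { HASH_ALGO_SHA1, HASH_ALGO_SHA256, HASH_ALGO_SHA512 };

/* Minimal stand-in for the per-bank information exposed by the TPM driver. */
struct tpm_bank_info {
	enum hash_algo crypto_id;
};

/*
 * Pick the PCR bank for the boot aggregate. bank_idx starts at -1 so that
 * "no bank matched the IMA default algorithm" is distinguishable from
 * "bank 0 matched". Fallback order is SHA256, then SHA1; -1 means the TPM
 * offers neither, which the caller must treat as an error.
 */
int select_boot_aggregate_bank(const struct tpm_bank_info *banks,
			       int nr_allocated_banks,
			       enum hash_algo ima_hash_algo)
{
	int bank_idx = -1, sha256_idx = -1, sha1_idx = -1;
	int i;

	for (i = 0; i < nr_allocated_banks; i++) {
		if (banks[i].crypto_id == ima_hash_algo) {
			bank_idx = i;	/* default algorithm is available */
			break;
		}
		if (banks[i].crypto_id == HASH_ALGO_SHA256)
			sha256_idx = i;
		else if (banks[i].crypto_id == HASH_ALGO_SHA1)
			sha1_idx = i;
	}

	/* Only consult the fallbacks if bank_idx still holds the sentinel. */
	if (bank_idx == -1)
		bank_idx = (sha256_idx != -1) ? sha256_idx : sha1_idx;

	return bank_idx;
}

/* Constructed layouts: a TPM 1.2 (SHA1 only) and a TPM 2.0 with two banks. */
static const struct tpm_bank_info tpm12_banks[] = { { HASH_ALGO_SHA1 } };
static const struct tpm_bank_info tpm20_banks[] = { { HASH_ALGO_SHA1 },
						    { HASH_ALGO_SHA256 } };

int main(void)
{
	printf("TPM 1.2, ima_hash=sha256 -> bank %d\n",
	       select_boot_aggregate_bank(tpm12_banks, 1, HASH_ALGO_SHA256));
	printf("TPM 2.0, ima_hash=sha512 -> bank %d\n",
	       select_boot_aggregate_bank(tpm20_banks, 2, HASH_ALGO_SHA512));
	return 0;
}
```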