Describe the bug
I noticed pkg/tss only interacts with the SHA256 PCRs, and assumes that hashes being passed to the library are SHA256 hashes. Couple problems:
This code might run on a system whose TPM has a different PCR bank enabled instead (like SHA1 or SHA384).
This code might run on a system that has both SHA256 and another PCR algorithm enabled. This means that u-root will leave that other PCR bank totally empty and free for falsified attestations by later code.
A long-winded explanation of "TPM Carte Blanche" is available at https://www.dlp.rip/tpm-carte-blanche.
To Reproduce
n/a (issue reported based on inspection of the code)
Expected behavior
Additional context
https://www.dlp.rip/tpm-carte-blanche
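
The second problem in the report, as an added example that is not part of the issue or of u-root's code: a pure-software model of one PCR index across three banks, showing that a SHA256-only measurement leaves the other active banks at their reset value, and a check that flags such banks. `simTPM`, `sampleBanks`, `measure` and `unmeasuredBanks` are hypothetical names, the set of active banks is an assumption, and no TPM is touched.

```go
package main

import (
	"crypto"
	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"fmt"
)

// Constructed model, not a real TPM API: one PCR index across the banks assumed active.
var sampleBanks = []crypto.Hash{crypto.SHA1, crypto.SHA256, crypto.SHA384}

type simTPM map[crypto.Hash][]byte
func newSimTPM(algs []crypto.Hash) simTPM {
	t := simTPM{}
	for _, a := range algs {
		t[a] = make([]byte, a.Size()) // a PCR resets to all zeros
	}
	return t
}

// measure extends each listed bank: PCR_new = H(PCR_old || H(data)).
func (t simTPM) measure(data []byte, algs []crypto.Hash) {
	for _, a := range algs {
		d, h := a.New(), a.New()
		d.Write(data)
		h.Write(t[a])
		h.Write(d.Sum(nil))
		t[a] = h.Sum(nil)
	}
}

// unmeasuredBanks returns the active banks still at their reset value.
func unmeasuredBanks(t simTPM) []crypto.Hash {
	var out []crypto.Hash
	for a, v := range t {
		if string(v) == string(make([]byte, a.Size())) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	weak, fixed := newSimTPM(sampleBanks), newSimTPM(sampleBanks)
	weak.measure([]byte("kernel image"), sampleBanks[1:2]) // SHA256 bank only
	fixed.measure([]byte("kernel image"), sampleBanks)     // every active bank
	fmt.Println(unmeasuredBanks(weak), unmeasuredBanks(fixed))
}
```

A verifier can apply the same check to a quote: any active bank whose boot PCRs are still at their reset value should be treated as unmeasured rather than trusted.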