[tpm2] PCR missing SHA-512 support

[tpm2] PCR missing SHA-512 support

[Anderson, Daniel]

[-- Attachment #1: Type: text/plain, Size: 591 bytes --]

I was playing around with tpm2_pcrlist and noticed it supports SHA-1, SHA-256, SHA-384, but SHA-512 is missing:


tumalo ~/tpm/bin$ tpm2_pcrlist -L sha512:22
WARN: Ignore unsupported bank/algorithm: sha512(0x000d)
ERROR: Unable to run tpm2_pcrlist
tumalo ~/tpm/bin$ tpm2_pcrlist -L sha384:22
sha384:
  22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Then I look in the man page and see SHA-512 is supported.

Is this a bug or a feature?

There's also bugs in the man page example, but I will fix that separately.

Dan

[-- Attachment #2: attachment.html --]
[-- Type: text/html, Size: 2797 bytes --]

Re: [tpm2] PCR missing SHA-512 support

[Anderson, Daniel]

[-- Attachment #1: Type: text/plain, Size: 404 bytes --]

Ricardo,

My guess is it is a tpm2-tss  or tpm2-tools bug, not a simulator issue.

That is especially true since we tend to use the Microsoft/IBM tpm2 simulator, which, by default, has the SHA-512 PCR bank disabled.

Yes, it looks like this:
https://github.com/tpm2-software/tpm2-tools/issues/1021

Could you add your information to issue #1021 or file a new issue if it is different?

Dan

Re: [tpm2] PCR missing SHA-512 support

[Anderson, Daniel]

[-- Attachment #1: Type: text/plain, Size: 843 bytes --]

Ricardo,

No I have not seen that before.

This is just a hunch.  But I suspect that the code needs to be recompiled with your simulator (or real TPM).

Some more information would be useful--does your TPM (real or virtual or simulated) have a SHA-512 PCR bank?

Did you compile it on the same machine?  Or did you compile elsewhere or use a precompiled package or something like that?

Dan

From: Ricardo Araújo [mailto:ricardo(a)lsd.ufcg.edu.br] 
> Not sure it is the same simulator, but I'm using
> https://github.com/stefanberger/libtpms/tree/tpm2-preview.rev146.v2 and after SHA-512 was enabled (yesterday) tpm2_pcrlist is crashing with this error:
> WARNING:marshal:src/tss2-mu/tpml-types.c:197:Tss2_MU_TPML_PCR_SELECTION_Unmarshal() count too big
> ERROR: Tss2_Sys_GetCapability(0x80011) - sys:Response is malformed

Re: [tpm2] PCR missing SHA-512 support

[@ 2018-05-24 19:04 UTC (permalink / raw)]

[-- Attachment #1: Type: text/plain, Size: 1293 bytes --]

Hey, 

Not sure it is the same simulator, but I'm using https://github.com/stefanberger/libtpms/tree/tpm2-preview.rev146.v2 and after SHA-512 was enabled (yesterday) tpm2_pcrlist is crashing with this error:

WARNING:marshal:src/tss2-mu/tpml-types.c:197:Tss2_MU_TPML_PCR_SELECTION_Unmarshal() count too big
ERROR: Tss2_Sys_GetCapability(0x80011) - sys:Response is malformed
ERROR: Unable to run tpm2_pcrlist

Anyone has seen this happening too?

Ricardo

Ricardo Araújo Santos - 
www.lsd.ufcg.edu.br/~ricardo 

M.Sc in Computer Science at UFCG - www.ufcg.edu.br 
Researcher and Developer at Distributed Systems Laboratory - www.lsd.ufcg.edu.br 
Paraíba - Brasil

----- Mensagem original -----
De: "Anderson, Daniel" <daniel.anderson(a)intel.com>
Para: tpm2(a)lists.01.org
Enviadas: Quinta-feira, 10 de maio de 2018 17:34:16
Assunto: Re: [tpm2] PCR missing SHA-512 support

OK Thanks!--not a big deal if it's just a simulator issue.

I could see the simulator not supporting SHA-3, since it is relatively new and perhaps unknown, but it's funny that SHA-384 is supported but not SHA-512, since they are very similar.

Dan

...
_______________________________________________
tpm2 mailing list
tpm2(a)lists.01.org
https://lists.01.org/mailman/listinfo/tpm2

Re: [tpm2] PCR missing SHA-512 support

[Anderson, Daniel]

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

OK Thanks!--not a big deal if it's just a simulator issue.

I could see the simulator not supporting SHA-3, since it is relatively new and perhaps unknown, but it's funny that SHA-384 is supported but not SHA-512, since they are very similar.

Dan

...

Re: [tpm2] PCR missing SHA-512 support

[Tadeusz Struk]

[-- Attachment #1: Type: text/plain, Size: 878 bytes --]

On 05/10/2018 10:09 AM, Anderson, Daniel wrote:
> I was playing around with tpm2_pcrlist and noticed it supports SHA-1, SHA-256, SHA-384, but SHA-512 is missing:
> 
>  
> 
>  
> 
> tumalo ~/tpm/bin$ tpm2_pcrlist -L sha512:22
> 
> WARN: Ignore unsupported bank/algorithm: sha512(0x000d)
> 
> ERROR: Unable to run tpm2_pcrlist
> 
> tumalo ~/tpm/bin$ tpm2_pcrlist -L sha384:22
> 
> sha384:
> 
>   22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
>  
> 
> Then I look in the man page and see SHA-512 is supported.
> 
>  
> 
> Is this a bug or a feature?
> 

It is supported, but it looks like the TPM simulator doesn't support SHA512 by default:

Implementation.h:
#define  ALG_SHA256            ALG_YES
#define  ALG_SHA384            ALG_YES
#define  ALG_SHA512            ALG_NO
...