Description
Dasharo version (if applicable)
Development version and all prior ones (current commit is Dasharo/coreboot@4706227).
Dasharo variant (if applicable)
APU+EDK2 is the main concern, but pretty much all platforms with MeasuredBoot are affected.
Affected component(s) or functionality (if applicable)
MeasuredBoot.
Brief summary
In relation to SecureBoot/MeasuredBoot improvements in Dasharo/coreboot#517, the fact that coreboot extends at most one TPM bank for TPM2 (there is only one in TPM1) creates problems for attesting integrity of the system for banks not extended by coreboot. While coreboot skips updating some banks, they remain active and get used by EDK which has to add fake TPM log entries to comply with the specification. Fake entries break log replaying and complicate testing (Dasharo/open-source-firmware-validation#326).
Additional context
The non-workaround ways were listed in Dasharo/open-source-firmware-validation#326 (comment):
- Make coreboot work with multiple allocated banks
- Enforce that only one PCR bank can be allocated at any given time (decreases security against hash collisions)
The first option is better in the long run, but harder to do (need to know the set of banks (see TPM code in TrenchBoot/Xen) and properly implement agile log format). I thought part of it was already available in older version of patches on Gerrit but I was wrong. It was considered and discussed in https://ticket.coreboot.org/issues/421, but discarded. Still there is Dasharo/coreboot@c5bb9b4 which would need rebasing, it also relies on banks being configured at build time. cbmem can already handle agile log fine.
The second option is not perfect but better than the current state and easier to implement. SHA1 is deprecated and isn't always available, SHA256 is often the only non-SHA1 bank available, so we're not losing much by keeping only it active.