When extending PCR or trying to seed entropy pool from TPM if the found
device is a TPM1.2 device, skip it, since Talos only supports TPM2.0
Fixes: #10847
Signed-off-by: Noel Georgi <git@frezbo.dev>
This does not fix the underlying digest mismatch issue, but does handle the error and should provide
further insight into issues (if present).
Refs: #7828
Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
The conversion from TPM 2 hash algorithm to Go crypto algorithm will fail for
uncommon algorithms like SM3256. This can be avoided by checking the constants
directly, rather than converting them. It should also be fine to allow some non
SHA-256 PCRs.
Fixes: #7810
Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Noel Georgi <git@frezbo.dev>
For rng seed and pcr extend, let's ignore if the device is not TPM2.0
based. Seal/Unseal operations would still error out since it's
explicitly user enabled feature.
Signed-off-by: Noel Georgi <git@frezbo.dev>
The previous flow was using TPM PCR 11 values to bound the policy which
means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7
which is bound to the SecureBoot state (SecureBoot status and
Certificates). This provides a full chain of trust bound to SecureBoot
state and signed PCR signature.
Also the code has been refactored to use PolicyCalculator from the TPM
library.
Signed-off-by: Noel Georgi <git@frezbo.dev>
