From 2dc24b772835f210023dd7e4d754ccba14a7c5b9 Mon Sep 17 00:00:00 2001
From: Li Kun
Date: Tue, 19 Feb 2019 06:30:56 +0000
Subject: [PATCH] tpm2: change the default pcr bank of tpm2 to sha256

euler inclusion
category: feature/tpm
bugzilla: 3007
CVE: NA

-------------------------------------------------

Sha1 is not safe enough to for the trust computing environment, so change the default pcr bank of tpm2 to sha256 to harden the system.

------
kABI: symbol evm_verifyxattr changed crc from 0x1efaed40 to 0x465083df
kABI Warning: kABI breakage!
------

Signed-off-by: Li Kun
Signed-off-by: Kefeng Wang
Signed-off-by: Hui Wang
Signed-off-by: Zhang Xiaoxu
Signed-off-by: Zhiqiang Liu
Reviewed-by: Mao Wenan
Signed-off-by: Yang Yingliang
---
 drivers/char/tpm/tpm2-cmd.c    | 4 ++--
 security/integrity/integrity.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 3acf4fd4e5a5..8ab0b1e16e5b 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -200,7 +200,7 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf)
 	pcr_select[pcr_idx >> 3] = 1 << (pcr_idx & 0x7);
 
 	tpm_buf_append_u32(&buf, 1);
-	tpm_buf_append_u16(&buf, TPM2_ALG_SHA1);
+	tpm_buf_append_u16(&buf, TPM2_ALG_SHA256);
 	tpm_buf_append_u8(&buf, TPM2_PCR_SELECT_MIN);
 	tpm_buf_append(&buf, (const unsigned char *)pcr_select,
 		       sizeof(pcr_select));
@@ -209,7 +209,7 @@ int tpm2_pcr_read(struct tpm_chip *chip, int pcr_idx, u8 *res_buf)
 			      res_buf ? "attempting to read a pcr value" : NULL);
 	if (rc == 0 && res_buf) {
 		out = (struct tpm2_pcr_read_out *)&buf.data[TPM_HEADER_SIZE];
-		memcpy(res_buf, out->digest, SHA1_DIGEST_SIZE);
+		memcpy(res_buf, out->digest, SHA256_DIGEST_SIZE);
 	}
 
 	tpm_buf_destroy(&buf);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e60473b13a8d..0ec55122363d 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
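Review bot: The memcpy in the second hunk now writes SHA256_DIGEST_SIZE (32) bytes into `res_buf`, but nothing in the patch grows the buffers callers hand to tpm2_pcr_read(); at this kernel vintage the tpm_pcr_read()/IMA callers pass TPM_DIGEST_SIZE (20-byte) arrays, and `out->digest` in `struct tpm2_pcr_read_out` is presumably still declared at the SHA-1 size, so unless every caller and that struct are widened in a companion change this is a 12-byte stack overflow on every PCR read — confirm before merging. The copy also trusts the response blindly: if the SHA-256 bank is not allocated on a given TPM the command succeeds with zero digests and the caller receives whatever was in the buffer, so validate the response first, e.g. `if (be32_to_cpu(out->digests_cnt) != 1 || be16_to_cpu(out->digest_size) != SHA256_DIGEST_SIZE) rc = -EIO;` before the memcpy (field names as in upstream's struct; check they match here). Hard-wiring one bank in the read path while the extend path, event log and TPM_DIGEST_SIZE users are untouched also leaves the SHA-1 and SHA-256 views of the PCRs out of step, which is worth stating in a comment above the `tpm_buf_append_u16` line. tpm2_pcr_read() starts before the first hunk and ends after the second.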
@@ -79,7 +79,7 @@ enum evm_ima_xattr_type {
 
 struct evm_ima_xattr_data {
 	u8 type;
-	u8 digest[SHA1_DIGEST_SIZE];
+	u8 digest[SHA256_DIGEST_SIZE];
 } __packed;
 
 #define IMA_MAX_DIGEST_SIZE 64
-- 
GitLab
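Review bot: `struct evm_ima_xattr_data` is the on-disk layout of the legacy security.ima/security.evm xattr, so widening `digest` to 32 bytes changes `sizeof(struct evm_ima_xattr_data)` and with it every length check and xattr write that uses it — labels already on disk with a 20-byte digest, and the EVM HMAC (still a 20-byte SHA-1 HMAC unless changed elsewhere), would presumably stop verifying or be written with 12 uninitialised trailing bytes; the commit message records the kABI break but not this format break. The safer route is to leave this legacy struct at the SHA-1 size and carry SHA-256 values through the algorithm-tagged, variable-length digest format that the `IMA_MAX_DIGEST_SIZE 64` definition visible below already serves (upstream's IMA_XATTR_DIGEST_NG / struct ima_digest_data — confirm this tree has them). At minimum add above the struct `/* On-disk layout of legacy security.ima/evm xattrs: changing digest[] changes sizeof() and invalidates existing labels */`. The enum named in the hunk header closes before this hunk and the struct's consumers are outside it.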