I got a warning for lack of SHA256 on an old laptop with TPM2 (I think). However, SHA256 is mandatory for TPM2, and it seems to have an empty SHA256 bank.
How to switch to SHA256?
> sudo systemd-cryptenroll /dev/nvme0n1p2 --tpm2-device=auto --tpm2-pcrs=7+12+15
TPM2 device lacks support for SHA256 PCR bank, but SHA1 bank is supported and SHA1 PCRs are valid, falling back to SHA1 bank. This reduces the security level substantially.
New TPM2 token enrolled as key slot 1.
> sudo tpm2 pcrread
sha1:
(0-23 here)
sha256:
(empty)
> sudo tpm2 pcrallocate sha1:none+sha256:all
WARNING:esys:src/tss2-esys/api/Esys_PCR_Allocate.c:313:Esys_PCR_Allocate_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_PCR_Allocate.c:110:Esys_PCR_Allocate() Esys Finish ErrorCode (0x000009a2)
ERROR: Could not allocate PCRs.
ERROR: Esys_PCR_Allocate(0x9A2) - tpm:session(1):authorization failure without DA implications
ERROR: Failed TPM2_CC_ECDH_ZGen
ERROR: Unable to run pcrallocate
> cat /sys/class/tpm/tpm0/device/description
TPM 2.0 Device
> sudo tpm2 getcap algorithms
sha256:
  value: 0xB
  asymmetric: 0
  symmetric: 0
  hash: 1
  object: 0
  reserved: 0x0
  signing: 0
  encrypting: 0
  method: 0
Last edited by Beemo (2025-02-19 15:05:37)