Runtime-disabling any hash algorithm also means that the corresponding
hash bank must be disabled as well. In case the SHA-1 bank is disabled,
the output of TPM2_GetCapability must therefore filter-out the SHA-1 bank
that is still compiled-in but otherwise cannot be used.
$ tssgetcapability -cap 5
3 PCR selections
hash TPM_ALG_SHA256
TPMS_PCR_SELECTION length 3
ff ff ff
hash TPM_ALG_SHA384
TPMS_PCR_SELECTION length 3
ff ff ff
hash TPM_ALG_SHA512
TPMS_PCR_SELECTION length 3
ff ff ff
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement functions to set and check runtime-disabled algorithms. Use
these functions when the algorithm capabilities of the TPM 2 are
advertised via the TPM2_GetCapability command. However, it is not
sufficient to just suppress runtime-disabled algorithms in the return
value of this command but also certain code paths have to be instrumented
to check for disabled algorithms since they could otherwise lead to their
usage. Users are not required nor will they always look at the returned
values of TPM2_GetCapability but should still be prevented from using
runtime-disabled algorithms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
