How many PCR banks are available in SLB9670 and SLB9672

Hi @Shreya_S ,

Thanks for your response.

I have myICP access, but I could not access the document you attached. I will request access through support.

If SLB9670 have only one PCR bank, how can we dump sha1 and sha256 PCRs at the same time?

Below is the output from my machine which has SLB9670 when doing a pcr_read.

[root@sut11sys-r242 ~]# tpm2_pcrread
sha1:
0 : 0x82058CB8F75B27148FD1C819B892E329E2CF33D2
1 : 0xAE784ECE98E530668A79D42FD8F2A3AA45F72971
2 : 0xBEE5FCDF336368AA1546107513D7F512F38242D3
3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
4 : 0xB46CB5175855A91C937DEDA0E4AA9EB1BA2F0D4B
5 : 0x3532CBD8F210D069FD5FFA0FB95511212D78300D
6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
7 : 0x7679047866E616450760CE711EA91126EB45BEF6
8 : 0x0000000000000000000000000000000000000000
9 : 0x0000000000000000000000000000000000000000
10: 0x48CF6F111AA5EF8951DAFD528E52260FE375D6D0
11: 0x0000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000
14: 0xD93FF8609F4C858F0000E25E016C820AA1EA2C31
15: 0x0000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000
sha256:
0 : 0xC819CEE938B32ACAA123B7F8F72572725173E2CCE2E6832D573542947C5784CE
1 : 0x3179162CF8BF0901D8483680C1F2ED2E40EC1BD671F04BF804AE040652F4B8DB
2 : 0x5E8098A75C2B826F2AB14F4DBABA5DB0F7004679133829F999C97DBA6FF480C7
3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
4 : 0x0B540F0839930723AF23F0F5F9A51AE0BD93C902C5BC3E2E0A73F0659FC0BB9C
5 : 0x79FC5E73AAB8BA4CB31750FBA791040AB26A3B76504009842136F40961FFCC96
6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
7 : 0xB926225AC488E9C50EF2FA815AA7104B385A06907093BFB1DC62EEB7ABECDDF1
8 : 0x0000000000000000000000000000000000000000000000000000000000000000
9 : 0x0000000000000000000000000000000000000000000000000000000000000000
10: 0xDC7CE7DC066DD21C556FA3215154CF8322CAF212A47E837219DB5EFC0B140344
11: 0x0000000000000000000000000000000000000000000000000000000000000000
12: 0x0000000000000000000000000000000000000000000000000000000000000000
13: 0x0000000000000000000000000000000000000000000000000000000000000000
14: 0xE2D3F225DE80E60D3D29DB95DFE9D66500A21331C08914F90EE96602A96FA595
15: 0x0000000000000000000000000000000000000000000000000000000000000000
16: 0x0000000000000000000000000000000000000000000000000000000000000000
17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
23: 0x0000000000000000000000000000000000000000000000000000000000000000

UEFI menu also shows that SHA1 and SHA256 banks are active.

But,  with SLB9672, I'm able to enable only one algorithm at any time and it prints only the active bank's PCRs when I do tpm2_pcrread. Can you please help to explain this behavior?

Hi @Shreya_S 

One more query is, when I'm trying to do PCR allocate of rest of the algorithms in SLB9672, I'm getting response error code as 0x127. What does that mean? Where can I find the meanings of these response codes.

Thanks,

Balaji Prakash

Hello,

TPM2.0 SLB9670 support 2 pcr banks SHA1 and SHA256, whereas SLB9672 support 1 pcr bank.

Default allocation is for Hash Algorithm ID 0x000B (SHA256). For changing the allocation for this PCR bank the command is: TPM2_PCR_Allocate.

I recommend you to test PCR via ELTT2 tool under Linux.
You can refer this link. 

Also, the TPM Error code 0x127 means Error (2.0): TPM_RC_PCR, PCR check fail.

Let me know if this works for you.

Regards,
Shreya

Hi @balajiprakash ,

According to the TCG spec if a TPM supports SHA1 and SHA256, then it maintains an allocation for two banks.
So it can be considered that SLB9670 has 2 sets of PCR banks (24 PCRs for each algorithm). So you have both SHA1 and SHA256 enabled.

SLB9672 supports SHA1/256/384 but has 1 PCR bank only and by default it is allocated for Hash Algorithm ID 0x000B (SHA256).
If you wish to switch to another hash algorithm supported by the TPM, please execute "tpm2_pcrallocate":

(if platform authorization is not set, try: tpm2_changeauth -c platform newpass)

tpm2_pcrallocate -P newpass sha256:none+sha384:all

The changes will be effective after a reboot. Could you try this command and check if you are able to allocate the PCR bank to another algorithm.

Please note that when the PCR banks are switched, keys that have been bound to the previous PCR values will no longer work.

Hi @Sneha_P ,

Can you point me to the TCG spec that you are referring to?

With SLB9672, I'm able to allocate PCRs to one particular algorithm with tpm2_pcrallocate command. I just needed clarification on how many banks we can allocate in case of SLB9670 and in SLB9672. 

So, based on your explanation, SLB9670 supports 2PCR banks and SLB9672 supports only 1PCR bank.

There is no way to enable both SHA1 and SHA256 in case of SLB9672 but we can enable SHA1 and SHA256 in SLB9670?

Thanks,

Balaji Prakash