config: change tpm_hash_alg to SHA1 by default

This ensures that Keylime works out of the box on older kernel versions. Signed-off-by: Thore Sommer <mail@thson.de>
keylime · Dec 15, 2021 · 33d15b2 · 33d15b2
1 parent 4b380b8
commit 33d15b2
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/keylime.conf b/keylime.conf
@@ -115,12 +115,14 @@ max_retries = 10
 
 # TPM2-specific options, allows customizing default algorithms to use.
 # Specify the default crypto algorithms to use with a TPM2 for this agent.
+# On kernel versions less than 5.10 choose sha1 as hash algorithm, because
+# otherwise IMA attestation will fail.
 #
 # Currently accepted values include:
 # - hashing:    sha512, sha384, sha256 or sha1
 # - encryption: ecc or rsa
 # - signing:    rsassa, rsapss, ecdsa, ecdaa or ecschnorr
-tpm_hash_alg = sha256
+tpm_hash_alg = sha1
 tpm_encryption_alg = rsa
 tpm_signing_alg = rsassa