Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked 
in at 2023-10-06 21:12:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Fri Oct  6 21:12:40 2023 rev:302 rq:1115941 version:2.12~rc1

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2023-10-02 
20:04:48.739235293 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.28202/grub2.changes   2023-10-06 
21:12:57.380631972 +0200
@@ -1,0 +2,26 @@
+Thu Oct  5 09:49:54 UTC 2023 - Fabian Vogt <fv...@suse.com>
+
+- Add patch to fix reading files from btrfs with "implicit" holes:
+  * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
+
+-------------------------------------------------------------------
+Mon Oct  2 14:30:49 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update the TPM 2.0 patches to support more RSA and ECC algorithms
+  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+  * 0003-protectors-Add-TPM2-Key-Protector.patch
+  * 0005-util-grub-protect-Add-new-tool.patch
+
+-------------------------------------------------------------------
+Mon Oct  2 08:11:56 UTC 2023 - Michael Chang <mch...@suse.com>
+
+- Remove build require for gcc-32bit, target platform didn't rely on libgcc
+  function shipped with compiler but rather using functions supplied in grub
+  directly.
+
+-------------------------------------------------------------------
+Fri Sep 29 08:38:13 UTC 2023 - Fabian Vogt <fv...@suse.com>
+
+- Add BuildIgnore to break cycle with the branding package
+
+-------------------------------------------------------------------

New:
----
  0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.elWAPU/_old  2023-10-06 21:13:11.913157002 +0200
+++ /var/tmp/diff_new_pack.elWAPU/_new  2023-10-06 21:13:11.913157002 +0200
@@ -28,14 +28,6 @@
 %endif
 
 Name:           grub2
-%ifarch x86_64 ppc64
-BuildRequires:  gcc-32bit
-BuildRequires:  glibc-32bit
-BuildRequires:  glibc-devel-32bit
-%else
-BuildRequires:  gcc
-BuildRequires:  glibc-devel
-%endif
 BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  device-mapper-devel
@@ -43,6 +35,8 @@
 BuildRequires:  flex
 BuildRequires:  freetype2-devel
 BuildRequires:  fuse-devel
+BuildRequires:  gcc
+BuildRequires:  glibc-devel
 %if 0%{?suse_version} >= 1140
 BuildRequires:  dejavu-fonts
 BuildRequires:  gnu-unifont
@@ -157,6 +151,9 @@
 %endif
 
 %ifarch %{efi}
+# The branding package requires grub2. It's not necessary here,
+# so break the dep to avoid a cycle.
+#!BuildIgnore: grub2
 BuildRequires:  grub2-branding
 BuildRequires:  squashfs
 %endif
@@ -383,6 +380,7 @@
 Patch188:       0004-diskfilter-look-up-cryptodisk-devices-first.patch
 Patch189:       grub2-mkconfig-riscv64.patch
 Patch190:       arm64-Use-proper-memory-type-for-kernel-allocation.patch
+Patch191:       0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140

++++++ 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch ++++++
>From f903b9a9adb64e733e581771d2a24efae7fbe529 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fv...@suse.de>
Date: Thu, 5 Oct 2023 11:02:25 +0200
Subject: [PATCH] fs/btrfs: Zero file data not backed by extents

Implicit holes in file data need to be zeroed explicitly, instead of
just leaving the data in the buffer uninitialized.

This led to kernels randomly failing to boot in "fun" ways when loaded
from btrfs with the no_holes feature enabled: regions of the kernel file
that should read back as zeros instead contained whatever the read buffer
previously held.

Signed-off-by: Fabian Vogt <fv...@suse.de>
---
 grub-core/fs/btrfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 19bff4610..ba0c58352 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1603,6 +1603,8 @@ grub_btrfs_extent_read (struct grub_btrfs_data *data,
              csize = grub_le_to_cpu64 (key_out.offset) - pos;
              if (csize > len)
                      csize = len;
+
+             grub_memset (buf, 0, csize);
              buf += csize;
              pos += csize;
              len -= csize;
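Review bot: The new grub_memset needs a one-line comment saying why zeroing is required here, because nothing in the visible hunk tells a reader that this branch is the implicit-hole case rather than an ordinary extent read; suggest `/* No extent item covers [pos, key_out.offset): an implicit hole (no_holes), so zero-fill the caller's buffer instead of leaving it as-is. */` above the memset. Zeroing csize bytes only after csize has been clamped to len keeps the write inside the caller's buffer, which is the right order. Beyond the boot failures described in the commit message, leaving the hole uninitialized meant the loaded image carried whatever was previously in that memory, so any measurement or signature check performed on the buffer would presumably have been non-deterministic as well; worth stating in the commit message if that is confirmed. The rest of grub_btrfs_extent_read is outside this hunk.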
-- 
2.42.0


++++++ 0002-tpm2-Add-TPM-Software-Stack-TSS.patch ++++++
--- /var/tmp/diff_new_pack.elWAPU/_old  2023-10-06 21:13:12.053162060 +0200
+++ /var/tmp/diff_new_pack.elWAPU/_new  2023-10-06 21:13:12.057162205 +0200
@@ -1,7 +1,7 @@
-From a4f5c4aa64e0484b08dcb9b7798395c55ca45ead Mon Sep 17 00:00:00 2001
+From c5a42cf3340aa740132bcdb8e8cee22c23306ef5 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hega...@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:54 -0800
-Subject: [PATCH 2/5] tpm2: Add TPM Software Stack (TSS)
+Subject: [PATCH v6 09/20] tpm2: Add TPM Software Stack (TSS)
 
 A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
 compose, submit, and parse TPM commands and responses.
@@ -38,11 +38,11 @@
  include/grub/tpm2/buffer.h             |  65 ++
  include/grub/tpm2/internal/functions.h | 117 ++++
  include/grub/tpm2/internal/structs.h   | 675 +++++++++++++++++++++
- include/grub/tpm2/internal/types.h     | 372 ++++++++++++
+ include/grub/tpm2/internal/types.h     | 370 ++++++++++++
  include/grub/tpm2/mu.h                 | 292 +++++++++
  include/grub/tpm2/tcg2.h               |  34 ++
  include/grub/tpm2/tpm2.h               |  34 ++
- 11 files changed, 3445 insertions(+)
+ 11 files changed, 3443 insertions(+)
  create mode 100644 grub-core/tpm2/buffer.c
  create mode 100644 grub-core/tpm2/mu.c
  create mode 100644 grub-core/tpm2/tcg2.c
@@ -55,6 +55,9 @@
  create mode 100644 include/grub/tpm2/tcg2.h
  create mode 100644 include/grub/tpm2/tpm2.h
 
+diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
+new file mode 100644
+index 000000000..cb9f29497
 --- /dev/null
 +++ b/grub-core/tpm2/buffer.c
 @@ -0,0 +1,145 @@
@@ -203,6 +206,9 @@
 +  buffer->offset += sizeof (tmp);
 +  *value = grub_be_to_cpu32 (tmp);
 +}
+diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
+new file mode 100644
+index 000000000..1617f37cd
 --- /dev/null
 +++ b/grub-core/tpm2/mu.c
 @@ -0,0 +1,807 @@
@@ -1013,6 +1019,9 @@
 +  for (grub_uint32_t i = 0; i < digest->count; i++)
 +    grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
 +}
+diff --git a/grub-core/tpm2/tcg2.c b/grub-core/tpm2/tcg2.c
+new file mode 100644
+index 000000000..9e4b7f565
 --- /dev/null
 +++ b/grub-core/tpm2/tcg2.c
 @@ -0,0 +1,143 @@
@@ -1153,12 +1162,15 @@
 +    return err;
 +
 +  status = protocol->submit_command (protocol, input_size, input,
-+                     output_size, output);
++                                   output_size, output);
 +  if (status != GRUB_EFI_SUCCESS)
 +    return GRUB_ERR_INVALID_COMMAND;
 +
 +  return GRUB_ERR_NONE;
 +}
+diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
+new file mode 100644
+index 000000000..d67699a24
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2.c
 @@ -0,0 +1,761 @@
@@ -1923,6 +1935,9 @@
 +
 +  return TPM_RC_SUCCESS;
 +}
+diff --git a/include/grub/tpm2/buffer.h b/include/grub/tpm2/buffer.h
+new file mode 100644
+index 000000000..87dcd8d6c
 --- /dev/null
 +++ b/include/grub/tpm2/buffer.h
 @@ -0,0 +1,65 @@
@@ -1991,6 +2006,9 @@
 +grub_tpm2_buffer_unpack_u32 (grub_tpm2_buffer_t buffer, grub_uint32_t* value);
 +
 +#endif /* ! GRUB_TPM2_BUFFER_HEADER */
+diff --git a/include/grub/tpm2/internal/functions.h 
b/include/grub/tpm2/internal/functions.h
+new file mode 100644
+index 000000000..9380f26a2
 --- /dev/null
 +++ b/include/grub/tpm2/internal/functions.h
 @@ -0,0 +1,117 @@
@@ -2111,6 +2129,9 @@
 +                 TPMS_AUTH_RESPONSE *authResponse);
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
+diff --git a/include/grub/tpm2/internal/structs.h 
b/include/grub/tpm2/internal/structs.h
+new file mode 100644
+index 000000000..72d71eb70
 --- /dev/null
 +++ b/include/grub/tpm2/internal/structs.h
 @@ -0,0 +1,675 @@
@@ -2789,9 +2810,12 @@
 +typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
+diff --git a/include/grub/tpm2/internal/types.h 
b/include/grub/tpm2/internal/types.h
+new file mode 100644
+index 000000000..9118cad5d
 --- /dev/null
 +++ b/include/grub/tpm2/internal/types.h
-@@ -0,0 +1,372 @@
+@@ -0,0 +1,370 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@@ -3077,8 +3101,8 @@
 +#define TPM_RH_AUTH_FF     ((TPM_RH) 0x4000010F)
 +#define TPM_RH_LAST        ((TPM_RH) 0x4000010F)
 +
-+/* TPM2_ECC_CURVE Constants */
-+typedef grub_uint16_t TPM2_ECC_CURVE;
++/* TPM_ECC_CURVE Constants */
++typedef grub_uint16_t TPM_ECC_CURVE;
 +
 +#define TPM_ECC_NONE      ((TPM_ECC_CURVE) 0x0000)
 +#define TPM_ECC_NIST_P192 ((TPM_ECC_CURVE) 0x0001)
@@ -3153,8 +3177,6 @@
 +typedef grub_uint16_t TPM_KEY_BITS;
 +
 +/* TPM_ECC_CURVE Types */
-+typedef grub_uint16_t TPM_ECC_CURVE;
-+
 +typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
 +
 +/* TPMI_RH_PROVISION Type */
@@ -3164,6 +3186,9 @@
 +typedef TPM_HANDLE TPMI_DH_PERSISTENT;
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_TYPES_HEADER */
+diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
+new file mode 100644
+index 000000000..c545976db
 --- /dev/null
 +++ b/include/grub/tpm2/mu.h
 @@ -0,0 +1,292 @@
@@ -3459,6 +3484,9 @@
 +                                  TPML_DIGEST* digest);
 +
 +#endif /* ! GRUB_TPM2_MU_HEADER */
+diff --git a/include/grub/tpm2/tcg2.h b/include/grub/tpm2/tcg2.h
+new file mode 100644
+index 000000000..553b3fd93
 --- /dev/null
 +++ b/include/grub/tpm2/tcg2.h
 @@ -0,0 +1,34 @@
@@ -3496,6 +3524,9 @@
 +                        grub_uint8_t *output);
 +
 +#endif /* ! GRUB_TPM2_TCG2_HEADER */
+diff --git a/include/grub/tpm2/tpm2.h b/include/grub/tpm2/tpm2.h
+new file mode 100644
+index 000000000..cfdc9edcd
 --- /dev/null
 +++ b/include/grub/tpm2/tpm2.h
 @@ -0,0 +1,34 @@
@@ -3533,4 +3564,7 @@
 +} TPM2_SEALED_KEY;
 +
 +#endif /* ! GRUB_TPM2_TPM2_HEADER */
+-- 
+2.35.3
+
 

++++++ 0003-protectors-Add-TPM2-Key-Protector.patch ++++++
--- /var/tmp/diff_new_pack.elWAPU/_old  2023-10-06 21:13:12.089163361 +0200
+++ /var/tmp/diff_new_pack.elWAPU/_new  2023-10-06 21:13:12.093163505 +0200
@@ -1,7 +1,7 @@
-From ab730e5bc42bae528da62178680284efdd64278e Mon Sep 17 00:00:00 2001
+From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hega...@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:55 -0800
-Subject: [PATCH 3/5] protectors: Add TPM2 Key Protector
+Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector
 
 The TPM2 key protector is a module that enables the automatic retrieval
 of a fully-encrypted disk's unlocking key from a TPM 2.0.
@@ -77,18 +77,18 @@
 For instance, to unseal the raw sealed key file:
 
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key
-cryptomount DISK1 -P tpm2
+cryptomount -u <PART1_UUID> -P tpm2
 
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key --pcrs=7,11
-cryptomount DISK2 -P tpm2
+cryptomount -u <PART2_UUID> -P tpm2
 
 Or, to unseal the TPM 2.0 Key file:
 
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
-cryptomount DISK1 -P tpm2
+cryptomount -u <PART1_UUID> -P tpm2
 
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm --pcrs=7,11
-cryptomount DISK2 -P tpm2
+cryptomount -u <PART2_UUID> -P tpm2
 
 If a user does not initialize the key protector and attempts to use it
 anyway, the protector returns an error.
@@ -117,14 +117,14 @@
 Signed-off-by: Gary Lin <g...@suse.com>
 ---
  grub-core/Makefile.core.def       |   13 +
- grub-core/tpm2/args.c             |  131 ++++
- grub-core/tpm2/module.c           | 1033 +++++++++++++++++++++++++++++
+ grub-core/tpm2/args.c             |  177 +++++
+ grub-core/tpm2/module.c           | 1040 +++++++++++++++++++++++++++++
  grub-core/tpm2/tpm2key.asn        |   31 +
  grub-core/tpm2/tpm2key.c          |  440 ++++++++++++
  grub-core/tpm2/tpm2key_asn1_tab.c |   41 ++
- include/grub/tpm2/internal/args.h |   39 ++
+ include/grub/tpm2/internal/args.h |   41 ++
  include/grub/tpm2/tpm2key.h       |   83 +++
- 8 files changed, 1811 insertions(+)
+ 8 files changed, 1866 insertions(+)
  create mode 100644 grub-core/tpm2/args.c
  create mode 100644 grub-core/tpm2/module.c
  create mode 100644 grub-core/tpm2/tpm2key.asn
@@ -133,12 +133,15 @@
  create mode 100644 include/grub/tpm2/internal/args.h
  create mode 100644 include/grub/tpm2/tpm2key.h
 
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 5831d4265..38571119e 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -2599,6 +2599,19 @@
+@@ -2553,6 +2553,19 @@ module = {
+   enable = efi;
  };
  
- module = {
++module = {
 +  name = tpm2;
 +  common = tpm2/args.c;
 +  common = tpm2/buffer.c;
@@ -151,13 +154,15 @@
 +  enable = efi;
 +};
 +
-+module = {
+ module = {
    name = tr;
    common = commands/tr.c;
- };
+diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
+new file mode 100644
+index 000000000..274f4fef0
 --- /dev/null
 +++ b/grub-core/tpm2/args.c
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,177 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@@ -237,12 +242,58 @@
 +}
 +
 +grub_err_t
-+grub_tpm2_protector_parse_asymmetric (const char *value, TPM_ALG_ID 
*asymmetric)
++grub_tpm2_protector_parse_asymmetric (const char *value,
++                                    TPM_ALG_ID *asymmetric,
++                                    TPM_KEY_BITS *rsa_bits,
++                                    TPM_ECC_CURVE *ecc_curve)
 +{
-+  if (grub_strcasecmp (value, "ECC") == 0)
-+    *asymmetric = TPM_ALG_ECC;
-+  else if (grub_strcasecmp (value, "RSA") == 0)
-+    *asymmetric = TPM_ALG_RSA;
++  if (grub_strcasecmp (value, "ECC") == 0 ||
++      grub_strcasecmp (value, "ECC_NIST_P256") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_NIST_P256;
++    }
++  else if (grub_strcasecmp (value, "RSA") == 0 ||
++         grub_strcasecmp (value, "RSA2048") == 0)
++    {
++      *asymmetric = TPM_ALG_RSA;
++      *rsa_bits = 2048;
++    }
++  else if (grub_strcasecmp (value, "RSA3072") == 0)
++    {
++      *asymmetric = TPM_ALG_RSA;
++      *rsa_bits = 3072;
++    }
++  else if (grub_strcasecmp (value, "RSA4096") == 0)
++    {
++      *asymmetric = TPM_ALG_RSA;
++      *rsa_bits = 4096;
++    }
++  else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_NIST_P384;
++    }
++  else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_NIST_P521;
++    }
++  else if (grub_strcasecmp (value, "ECC_BN_P256") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_BN_P256;
++    }
++  else if (grub_strcasecmp (value, "ECC_BN_P638") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_BN_P638;
++    }
++  else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0)
++    {
++      *asymmetric = TPM_ALG_ECC;
++      *ecc_curve = TPM_ECC_SM2_P256;
++    }
 +  else
 +    return grub_error (GRUB_ERR_OUT_OF_RANGE,
 +                     N_("Value '%s' is not a valid asymmetric key type"),
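Review bot: Each branch of the extended grub_strcasecmp chain writes only one of the two new out-parameters, so after a successful RSA* parse `*ecc_curve` is left untouched and after ECC* `*rsa_bits` is; the callers visible in this update only read the field matching `*asymmetric`, so this is harmless today, but the contract should either be documented in internal/args.h or, better, both outputs should always be written so a stale value from an earlier init cannot leak into a later SRK template. The nine-way chain would also be clearer as a static table of {name, alg, bits, curve}, which keeps the accepted names in one place and makes them easy to reconcile with the help strings in module.c and grub-protect.c that list them. The closing brace of grub_tpm2_protector_parse_asymmetric lies outside the hunk.
```c
/* One row per accepted --asymmetric value; the bare aliases "RSA" and
   "ECC" keep the defaults the previous code hard-wired.  */
struct asym_spec
{
  const char *name;
  TPM_ALG_ID alg;
  TPM_KEY_BITS bits;
  TPM_ECC_CURVE curve;
};

static const struct asym_spec asym_specs[] = {
  { "RSA",           TPM_ALG_RSA, 2048, TPM_ECC_NONE },
  { "RSA2048",       TPM_ALG_RSA, 2048, TPM_ECC_NONE },
  { "RSA3072",       TPM_ALG_RSA, 3072, TPM_ECC_NONE },
  { "RSA4096",       TPM_ALG_RSA, 4096, TPM_ECC_NONE },
  { "ECC",           TPM_ALG_ECC, 0,    TPM_ECC_NIST_P256 },
  { "ECC_NIST_P256", TPM_ALG_ECC, 0,    TPM_ECC_NIST_P256 },
  { "ECC_NIST_P384", TPM_ALG_ECC, 0,    TPM_ECC_NIST_P384 },
  { "ECC_NIST_P521", TPM_ALG_ECC, 0,    TPM_ECC_NIST_P521 },
  { "ECC_BN_P256",   TPM_ALG_ECC, 0,    TPM_ECC_BN_P256 },
  { "ECC_BN_P638",   TPM_ALG_ECC, 0,    TPM_ECC_BN_P638 },
  { "ECC_SM2_P256",  TPM_ALG_ECC, 0,    TPM_ECC_SM2_P256 },
};

grub_err_t
grub_tpm2_protector_parse_asymmetric (const char *value,
                                      TPM_ALG_ID *asymmetric,
                                      TPM_KEY_BITS *rsa_bits,
                                      TPM_ECC_CURVE *ecc_curve)
{
  for (unsigned int i = 0; i < sizeof (asym_specs) / sizeof (asym_specs[0]); i++)
    if (grub_strcasecmp (value, asym_specs[i].name) == 0)
      {
        *asymmetric = asym_specs[i].alg;
        *rsa_bits = asym_specs[i].bits;   /* 0 for ECC types */
        *ecc_curve = asym_specs[i].curve; /* TPM_ECC_NONE for RSA types */
        return GRUB_ERR_NONE;
      }

  /* … unchanged: return grub_error (GRUB_ERR_OUT_OF_RANGE, ...) … */
```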
@@ -289,9 +340,12 @@
 +
 +  return GRUB_ERR_NONE;
 +}
+diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
+new file mode 100644
+index 000000000..9605ddbc7
 --- /dev/null
 +++ b/grub-core/tpm2/module.c
-@@ -0,0 +1,1033 @@
+@@ -0,0 +1,1040 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@@ -352,6 +406,8 @@
 +  grub_uint8_t pcrs[TPM_MAX_PCRS];
 +  grub_uint8_t pcr_count;
 +  TPM_ALG_ID asymmetric;
++  TPM_KEY_BITS rsa_bits;
++  TPM_ECC_CURVE ecc_curve;
 +  TPM_ALG_ID bank;
 +  const char *tpm2key;
 +  const char *keyfile;
@@ -390,7 +446,7 @@
 +      .type     = ARG_TYPE_STRING,
 +      .doc      =
 +      N_("Bank of PCRs used to authorize key release: "
-+         "SHA1, SHA256 (default), or SHA384."),
++         "SHA1, SHA256 (default), SHA384 or SHA512."),
 +    },
 +    /* SRK-mode options */
 +    {
@@ -431,7 +487,10 @@
 +      .arg      = NULL,
 +      .type     = ARG_TYPE_STRING,
 +      .doc      =
-+      N_("In SRK mode, the type of SRK: RSA (default) or ECC."),
++      N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, "
++         "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, "
++         "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
++         "(default is RSA2048)"),
 +    },
 +    /* NV Index-mode options */
 +    {
@@ -696,7 +755,7 @@
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
++      inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits;
 +      inPublic.publicArea.parameters.rsaDetail.exponent = 0;
 +    }
 +  else if (ctx->asymmetric == TPM_ALG_ECC)
@@ -705,7 +764,7 @@
 +      inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
++      inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve;
 +      inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 +    }
 +  else
@@ -977,10 +1036,7 @@
 +  /* Get the SRK to unseal the sealed key */
 +  err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle);
 +  if (err != GRUB_ERR_NONE)
-+    {
-+      grub_error (err, N_("Failed to retrieve the SRK"));
-+      goto exit1;
-+    }
++    goto exit1;
 +
 +  /* Load the sealed key and associate it with the SRK */
 +  authCmd.sessionHandle = TPM_RS_PW;
@@ -1148,7 +1204,10 @@
 +      ctx->srk = TPM2_SRK_HANDLE;
 +
 +      if (!ctx->asymmetric)
-+      ctx->asymmetric = TPM_ALG_RSA;
++        {
++        ctx->asymmetric = TPM_ALG_RSA;
++        ctx->rsa_bits = 2048;
++        }
 +    }
 +
 +  return GRUB_ERR_NONE;
@@ -1252,7 +1311,9 @@
 +  if (state[OPTION_ASYMMETRIC].set)  /* asymmetric */
 +    {
 +      err = grub_tpm2_protector_parse_asymmetric 
(state[OPTION_ASYMMETRIC].arg,
-+                                                
&grub_tpm2_protector_ctx.asymmetric);
++                                                
&grub_tpm2_protector_ctx.asymmetric,
++                                                
&grub_tpm2_protector_ctx.rsa_bits,
++                                                
&grub_tpm2_protector_ctx.ecc_curve);
 +      if (err != GRUB_ERR_NONE)
 +      return err;
 +    }
@@ -1325,6 +1386,9 @@
 +  grub_unregister_extcmd (grub_tpm2_protector_clear_cmd);
 +  grub_unregister_extcmd (grub_tpm2_protector_init_cmd);
 +}
+diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
+new file mode 100644
+index 000000000..e3b6a03e0
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key.asn
 @@ -0,0 +1,31 @@
@@ -1359,6 +1423,9 @@
 +}
 +
 +END
+diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
+new file mode 100644
+index 000000000..62f6d865b
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key.c
 @@ -0,0 +1,440 @@
@@ -1802,6 +1869,9 @@
 +      grub_free (authpol);
 +    }
 +}
+diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c 
b/grub-core/tpm2/tpm2key_asn1_tab.c
+new file mode 100644
+index 000000000..551fc46ec
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key_asn1_tab.c
 @@ -0,0 +1,41 @@
@@ -1846,9 +1916,12 @@
 +  { "privkey", 7, NULL },
 +  { NULL, 0, NULL }
 +};
+diff --git a/include/grub/tpm2/internal/args.h 
b/include/grub/tpm2/internal/args.h
+new file mode 100644
+index 000000000..58d13e031
 --- /dev/null
 +++ b/include/grub/tpm2/internal/args.h
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,41 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@@ -1879,7 +1952,9 @@
 +
 +grub_err_t
 +grub_tpm2_protector_parse_asymmetric (const char *value,
-+                                    TPM_ALG_ID *asymmetric);
++                                    TPM_ALG_ID *asymmetric,
++                                    TPM_KEY_BITS *rsa_bits,
++                                    TPM_ECC_CURVE *ecc_curve);
 +
 +grub_err_t
 +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank);
@@ -1888,6 +1963,9 @@
 +grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE *handle);
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
+diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h
+new file mode 100644
+index 000000000..df46203e3
 --- /dev/null
 +++ b/include/grub/tpm2/tpm2key.h
 @@ -0,0 +1,83 @@
@@ -1974,4 +2052,7 @@
 +grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq);
 +
 +#endif /* GRUB_TPM2_TPM2KEY_HEADER */
+-- 
+2.35.3
+
 

++++++ 0005-util-grub-protect-Add-new-tool.patch ++++++
--- /var/tmp/diff_new_pack.elWAPU/_old  2023-10-06 21:13:12.141165239 +0200
+++ /var/tmp/diff_new_pack.elWAPU/_new  2023-10-06 21:13:12.145165384 +0200
@@ -1,7 +1,7 @@
-From 38ebade1341ee99593568d97e0300f5b6aa626f3 Mon Sep 17 00:00:00 2001
+From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hega...@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:57 -0800
-Subject: [PATCH 5/5] util/grub-protect: Add new tool
+Subject: [PATCH v6 12/20] util/grub-protect: Add new tool
 
 To utilize the key protectors framework, there must be a way to protect
 full-disk encryption keys in the first place. The grub-protect tool
@@ -15,8 +15,8 @@
 tool to seal this key file to a set of PCRs using the system's TPM 2.0.
 The resulting sealed key file is stored in an unencrypted partition such
 as the EFI System Partition (ESP) so that GRUB may read it. The user also
-ensures the cryptomount command is included in GRUB's boot script and
-that it carries the requisite key protector (-P) parameter.
+has to ensure the cryptomount command is included in GRUB's boot script
+and that it carries the requisite key protector (-P) parameter.
 
 Sample usage:
 
@@ -41,14 +41,12 @@
 Then, in the boot script, for TPM 2.0 Key File:
 
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
-cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
+cryptomount -u <SDB1_UUID> -P tpm2
 
 Or, for the raw sealed key:
 
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key
-cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
-
-where the UUID corresponds to /dev/sdb1.
+cryptomount -u <SDB1_UUID> -P tpm2
 
 Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
 Signed-off-by: Gary Lin <g...@suse.com>
@@ -56,13 +54,15 @@
  .gitignore          |    2 +
  Makefile.util.def   |   22 +
  configure.ac        |    9 +
- util/grub-protect.c | 1508 +++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 1541 insertions(+)
+ util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 1557 insertions(+)
  create mode 100644 util/grub-protect.c
 
---- a/Makefile.util.def
-+++ b/Makefile.util.def
-@@ -208,6 +208,28 @@
+Index: grub-2.12~rc1/Makefile.util.def
+===================================================================
+--- grub-2.12~rc1.orig/Makefile.util.def
++++ grub-2.12~rc1/Makefile.util.def
+@@ -208,6 +208,28 @@ program = {
  };
  
  program = {
@@ -91,9 +91,11 @@
    name = grub-mkrelpath;
    mansection = 1;
  
---- a/configure.ac
-+++ b/configure.ac
-@@ -76,6 +76,7 @@
+Index: grub-2.12~rc1/configure.ac
+===================================================================
+--- grub-2.12~rc1.orig/configure.ac
++++ grub-2.12~rc1/configure.ac
+@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
  grub_TRANSFORM([grub-mkrelpath])
  grub_TRANSFORM([grub-mkrescue])
  grub_TRANSFORM([grub-probe])
@@ -101,7 +103,7 @@
  grub_TRANSFORM([grub-reboot])
  grub_TRANSFORM([grub-script-check])
  grub_TRANSFORM([grub-set-default])
-@@ -1992,6 +1993,14 @@
+@@ -1992,6 +1993,14 @@ fi
  AC_SUBST([LIBZFS])
  AC_SUBST([LIBNVPAIR])
  
@@ -116,9 +118,11 @@
  LIBS=""
  
  AC_SUBST([FONT_SOURCE])
+Index: grub-2.12~rc1/util/grub-protect.c
+===================================================================
 --- /dev/null
-+++ b/util/grub-protect.c
-@@ -0,0 +1,1508 @@
++++ grub-2.12~rc1/util/grub-protect.c
+@@ -0,0 +1,1524 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@@ -227,6 +231,8 @@
 +  grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
 +  grub_uint8_t tpm2_pcr_count;
 +  TPM_ALG_ID tpm2_asymmetric;
++  TPM_KEY_BITS rsa_bits;
++  TPM_ECC_CURVE ecc_curve;
 +  TPM_ALG_ID tpm2_bank;
 +  TPM_HANDLE tpm2_srk;
 +  const char *tpm2_keyfile;
@@ -280,11 +286,11 @@
 +    {
 +      .name = "tpm2-bank",
 +      .key  = GRUB_PROTECT_OPT_TPM2_BANK,
-+      .arg   = "SHA1|SHA256|SHA384",
++      .arg   = "ALG",
 +      .flags = 0,
 +      .doc   =
 +      N_("Bank of PCRs used to authorize key release: "
-+         "SHA1, SHA256 (default), or SHA384."),
++         "SHA1, SHA256 (default), or SHA512."),
 +      .group = 0
 +    },
 +    {
@@ -319,10 +325,13 @@
 +    {
 +      .name = "tpm2-asymmetric",
 +      .key   = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC,
-+      .arg   = "RSA|ECC",
++      .arg   = "TYPE",
 +      .flags = 0,
 +      .doc   =
-+      N_("The type of SRK: RSA (default) or ECC."),
++      N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
++         "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, "
++         "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
++         "(default is RSA2048)"),
 +      .group = 0
 +    },
 +    {
@@ -648,6 +657,13 @@
 +      pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
 +      hash_spec = GRUB_MD_SHA256;
 +      break;
++    case TPM_ALG_SHA512:
++      pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
++      hash_spec = GRUB_MD_SHA512;
++      break;
++    /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(),
++       it's not supported by the built-in libgcrypt, and we won't be able to
++       calculate the PCR digest, so SHA384 is marked as unsupported. */
 +    default:
 +      return GRUB_ERR_BAD_ARGUMENT;
 +    }
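Review bot: The new comment says SHA384 is accepted by grub_tpm2_protector_parse_bank but deliberately unsupported here, yet it falls into the generic `default:` and the caller only sees GRUB_ERR_BAD_ARGUMENT with no indication that the bank, not some other argument, was rejected. An explicit `case TPM_ALG_SHA384:` that returns a bank-specific error (e.g. via grub_error with a message naming SHA384, if the caller propagates grub_errno as the surrounding code suggests) would turn a puzzling failure into an actionable one. The switch and its enclosing function continue outside the hunk.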
@@ -797,7 +813,7 @@
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
++      inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits;
 +      inPublic.publicArea.parameters.rsaDetail.exponent = 0;
 +      break;
 +
@@ -806,7 +822,7 @@
 +      inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
++      inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve;
 +      inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 +      break;
 +
@@ -1257,7 +1273,10 @@
 +      args->tpm2_srk = TPM2_SRK_HANDLE;
 +
 +      if (args->tpm2_asymmetric == TPM_ALG_ERROR)
-+      args->tpm2_asymmetric = TPM_ALG_RSA;
++      {
++        args->tpm2_asymmetric = TPM_ALG_RSA;
++        args->rsa_bits = 2048;
++      }
 +
 +      if (args->tpm2_bank == TPM_ALG_ERROR)
 +      args->tpm2_bank = TPM_ALG_SHA256;
@@ -1426,7 +1445,8 @@
 +        return EINVAL;
 +      }
 +
-+      err = grub_tpm2_protector_parse_asymmetric (arg, 
&args->tpm2_asymmetric);
++      err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric,
++                                                &args->rsa_bits, 
&args->ecc_curve);
 +      if (err != GRUB_ERR_NONE)
 +      {
 +        if (grub_errno != GRUB_ERR_NONE)
