Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked
in at 2023-11-22 18:54:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"
Wed Nov 22 18:54:05 2023 rev:308 rq:1127831 version:2.12~rc1
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2023-11-17
20:49:30.945088883 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new.25432/grub2.changes 2023-11-22
18:54:09.418581619 +0100
@@ -1,0 +2,9 @@
+Thu Nov 16 06:39:46 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update the TPM2 patches to skip the persistent SRK handle if not
+ specified and improve the error messages
+ + 0003-protectors-Add-TPM2-Key-Protector.patch
+ + 0005-util-grub-protect-Add-new-tool.patch
+ + 0004-tpm2-Support-authorized-policy.patch
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ 0003-protectors-Add-TPM2-Key-Protector.patch ++++++
--- /var/tmp/diff_new_pack.vlU3tr/_old 2023-11-22 18:54:12.598698329 +0100
+++ /var/tmp/diff_new_pack.vlU3tr/_new 2023-11-22 18:54:12.598698329 +0100
@@ -1,7 +1,7 @@
-From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001
+From 2a63876ca714d177f919b2392d8efa0e3bd3ebe2 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hega...@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:55 -0800
-Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector
+Subject: [PATCH v7 10/20] protectors: Add TPM2 Key Protector
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
@@ -111,20 +111,20 @@
Currently, there is only one supported policy command: TPM2_PolicyPCR.
The command set can be extended to support advanced features, such as
-as authorized policy, in the future.
+authorized policy, in the future.
Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
Signed-off-by: Gary Lin <g...@suse.com>
---
grub-core/Makefile.core.def | 13 +
grub-core/tpm2/args.c | 177 +++++
- grub-core/tpm2/module.c | 1040 +++++++++++++++++++++++++++++
+ grub-core/tpm2/module.c | 1028 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 31 +
- grub-core/tpm2/tpm2key.c | 440 ++++++++++++
+ grub-core/tpm2/tpm2key.c | 447 +++++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
include/grub/tpm2/internal/args.h | 41 ++
include/grub/tpm2/tpm2key.h | 83 +++
- 8 files changed, 1866 insertions(+)
+ 8 files changed, 1861 insertions(+)
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/tpm2key.asn
@@ -342,10 +342,10 @@
+}
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
new file mode 100644
-index 000000000..9605ddbc7
+index 000000000..df0727215
--- /dev/null
+++ b/grub-core/tpm2/module.c
-@@ -0,0 +1,1040 @@
+@@ -0,0 +1,1028 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@@ -477,8 +477,7 @@
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
-+ N_("In SRK mode, the SRK handle if the SRK is persistent "
-+ "(default is 0x81000001)."),
++ N_("In SRK mode, the SRK handle if the SRK is persistent."),
+ },
+ {
+ .longarg = "asymmetric",
@@ -519,51 +518,58 @@
+ grub_off_t file_size;
+ void *read_buffer;
+ grub_off_t read_n;
++ grub_err_t err;
+
+ /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into
PCR9
+ * otherwise we'll never be able to predict the value of PCR9 at unseal
time */
+ file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
+ if (file == NULL)
+ {
-+ grub_dprintf ("tpm2", "Could not open file: %s\n", filepath);
-+ /* grub_file_open sets grub_errno on error, and if we do no unset it,
-+ * future calls to grub_file_open will fail (and so will anybody up the
-+ * stack who checks the value, if any). */
-+ grub_errno = GRUB_ERR_NONE;
-+ return GRUB_ERR_FILE_NOT_FOUND;
++ /* Push errno from grub_file_open() into the error message stack */
++ grub_error_push();
++ err = grub_error (GRUB_ERR_FILE_NOT_FOUND,
++ N_("Could not open file: %s\n"),
++ filepath);
++ goto error;
+ }
+
+ file_size = grub_file_size (file);
+ if (file_size == 0)
+ {
-+ grub_dprintf ("tpm2", "Could not read file size: %s\n", filepath);
-+ grub_file_close (file);
-+ return GRUB_ERR_OUT_OF_RANGE;
++ err = grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("Could not read file size: %s"),
++ filepath);
++ goto error;
+ }
+
+ read_buffer = grub_malloc (file_size);
+ if (read_buffer == NULL)
+ {
-+ grub_dprintf ("tpm2", "Could not allocate buffer for %s.\n", filepath);
-+ grub_file_close (file);
-+ return GRUB_ERR_OUT_OF_MEMORY;
++ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
++ N_("Could not allocate buffer for %s"),
++ filepath);
++ goto error;
+ }
+
+ read_n = grub_file_read (file, read_buffer, file_size);
+ if (read_n != file_size)
+ {
-+ grub_dprintf ("tpm2", "Could not retrieve file contents: %s\n",
filepath);
+ grub_free (read_buffer);
-+ grub_file_close (file);
-+ return GRUB_ERR_FILE_READ_ERROR;
++ err = grub_error (GRUB_ERR_FILE_READ_ERROR,
++ N_("Could not retrieve file contents: %s"),
++ filepath);
++ goto error;
+ }
+
-+ grub_file_close (file);
-+
+ *buffer = read_buffer;
+ *buffer_size = file_size;
+
-+ return GRUB_ERR_NONE;
++ err = GRUB_ERR_NONE;
++
++error:
++ grub_file_close (file);
++
++ return err;
+}
+
+static grub_err_t
@@ -575,12 +581,9 @@
+
+ grub_tpm2_buffer_init (&buf);
+ if (sealed_key_size > buf.cap)
-+ {
-+ grub_dprintf ("tpm2", "Sealed key file is larger than decode buffer "
-+ "(%" PRIuGRUB_SIZE " vs %" PRIuGRUB_SIZE "
bytes).\n",
-+ sealed_key_size, buf.cap);
-+ return GRUB_ERR_BAD_ARGUMENT;
-+ }
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
++ buf.cap);
+
+ grub_memcpy (buf.data, sealed_key, sealed_key_size);
+ buf.size = sealed_key_size;
@@ -589,11 +592,7 @@
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
+
+ if (buf.error)
-+ {
-+ grub_dprintf ("tpm2", "Could not unmarshal sealed key file, it is
likely "
-+ "malformed.\n");
-+ return GRUB_ERR_BAD_ARGUMENT;
-+ }
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key
file"));
+
+ return GRUB_ERR_NONE;
+}
@@ -668,10 +667,9 @@
+ grub_tpm2_buffer_init (&buf);
+ if (sealed_pub_size + sealed_priv_size > buf.cap)
+ {
-+ grub_dprintf ("tpm2", "Sealed key is larger than decode buffer "
-+ "(%" PRIuGRUB_SIZE " vs %" PRIuGRUB_SIZE "
bytes).\n",
-+ sealed_pub_size, buf.cap);
-+ err = GRUB_ERR_BAD_ARGUMENT;
++ err = grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
++ buf.cap);
+ goto error;
+ }
+
@@ -685,9 +683,7 @@
+
+ if (buf.error)
+ {
-+ grub_dprintf ("tpm2", "Could not unmarshal sealed key, it is likely "
-+ "malformed.\n");
-+ err = GRUB_ERR_BAD_ARGUMENT;
++ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM 2.0 key
file"));
+ goto error;
+ }
+
@@ -720,21 +716,19 @@
+ TPM2B_NAME srkName = { 0 };
+ TPM_HANDLE srkHandle;
+
-+ /* Find SRK */
-+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
-+ if (rc == TPM_RC_SUCCESS)
++ if (ctx->srk != 0)
+ {
-+ *srk = ctx->srk;
-+ return GRUB_ERR_NONE;
-+ }
++ /* Find SRK */
++ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
++ if (rc == TPM_RC_SUCCESS)
++ {
++ *srk = ctx->srk;
++ return GRUB_ERR_NONE;
++ }
+
-+ /* The handle exists but its public area could not be read. */
-+ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
-+ {
-+ grub_dprintf ("tpm2", "The SRK handle (0x%x) exists on the TPM but its "
-+ "public area could not be read (TPM2_ReadPublic "
-+ "failed with TSS/TPM error %u).\n", ctx->srk, rc);
-+ return GRUB_ERR_BAD_DEVICE;
++ return grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to retrieve SRK (TPM2_ReadPublic: 0x%x)"),
++ rc);
+ }
+
+ /* Create SRK */
@@ -768,7 +762,7 @@
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ }
+ else
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm"));
+
+ rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
+ &outsideInfo, &creationPcr, &srkHandle, &outPublic,
@@ -931,8 +925,8 @@
+ &session, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE,
-+ N_("Failed to start auth session (TPM2_StartAuthSession:
"
-+ "0x%x)"), rc);
++ N_("Failed to start auth session (TPM2_StartAuthSession:
0x%x)"),
++ rc);
+
+ /* Enforce the policy command sequence */
+ err = grub_tpm2_protector_enforce_policy_seq (policy_seq, session);
@@ -944,9 +938,9 @@
+ rc = TPM2_Unseal (sealed_handle, &authCmd, &data, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to unseal sealed key (TPM2_Unseal: 0x%x)"),
-+ rc);
++ err = grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to unseal sealed key (TPM2_Unseal: 0x%x)"),
++ rc);
+ goto error;
+ }
+
@@ -954,8 +948,8 @@
+ key_out = grub_malloc (data.size);
+ if (key_out == NULL)
+ {
-+ err = GRUB_ERR_OUT_OF_MEMORY;
-+ grub_error (err, N_("No memory left to allocate unlock key buffer"));
++ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
++ N_("No memory left to allocate unlock key buffer"));
+ goto error;
+ }
+
@@ -999,7 +993,7 @@
+ err = grub_tpm2_protector_srk_read_file (ctx->tpm2key, &file_bytes,
+ &file_size);
+ if (err != GRUB_ERR_NONE)
-+ return grub_error (err, N_("Failed to read key file %s"), ctx->tpm2key);
++ return err;
+
+ err = grub_tpm2_protector_srk_unmarshal_tpm2key (file_bytes,
+ file_size,
@@ -1008,29 +1002,21 @@
+ &parent_handle,
+ &sealed_key);
+ if (err != GRUB_ERR_NONE)
-+ {
-+ grub_error (err, N_("Failed to unmarshal key, ensure the key file is
in "
-+ "TPM 2.0 Key File format"));
-+ goto exit1;
-+ }
++ goto exit1;
+ }
+ else
+ {
+ err = grub_tpm2_protector_srk_read_file (ctx->keyfile, &file_bytes,
+ &file_size);
+ if (err != GRUB_ERR_NONE)
-+ return grub_error (err, N_("Failed to read key file %s"), ctx->keyfile);
++ return err;
+
+ parent_handle = TPM_RH_OWNER;
+ err = grub_tpm2_protector_srk_unmarshal_keyfile (file_bytes,
+ file_size,
+ &sealed_key);
+ if (err != GRUB_ERR_NONE)
-+ {
-+ grub_error (err, N_("Failed to unmarshal key, ensure the key file is
in "
-+ "TPM wire format"));
-+ goto exit1;
-+ }
++ goto exit1;
+ }
+
+ /* Get the SRK to unseal the sealed key */
@@ -1044,11 +1030,16 @@
+ &sealed_handle, &name, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to load sealed key (TPM2_Load: 0x%x)"), rc);
++ err = grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
++ rc);
+ goto exit2;
+ }
+
++ /*
++ * Set err to an error code to trigger the standalone policy sequence
++ * if there is no authpolicy sequence
++ */
+ err = GRUB_ERR_READ_ERROR;
+
+ /* Iterate the authpolicy sequence to find one that unseals the key */
@@ -1200,9 +1191,6 @@
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK)
+ {
-+ if (!ctx->srk)
-+ ctx->srk = TPM2_SRK_HANDLE;
-+
+ if (!ctx->asymmetric)
+ {
+ ctx->asymmetric = TPM_ALG_RSA;
@@ -1425,10 +1413,10 @@
+END
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
new file mode 100644
-index 000000000..62f6d865b
+index 000000000..a26c287c9
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.c
-@@ -0,0 +1,440 @@
+@@ -0,0 +1,447 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2023 SUSE LLC
@@ -1543,24 +1531,29 @@
+ */
+ ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Failed to parse TPM2KEY ASN.1 array"));
+
+ ret = asn1_create_element (tpm2key_asn1, "TPM2KEY.TPMKey", &tpm2key);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Failed to create TPM2KEY.TPMKey"));
+
+ ret = asn1_der_decoding (&tpm2key, data, size, NULL);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Failed to decode TPM2KEY DER"));
+
+ /* Check if 'type' is Sealed Key or not */
+ ret = asn1_allocate_and_read (tpm2key, "type", &type_oid, &type_oid_size);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_BAD_FILE_TYPE;
++ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ N_("Not a valid TPM2KEY file"));
+
+ if (grub_memcmp (sealed_key_oid, type_oid, type_oid_size) != 0)
+ {
-+ err = GRUB_ERR_BAD_FILE_TYPE;
++ err = grub_error (GRUB_ERR_BAD_FILE_TYPE,
++ N_("Not a valid TPM2KEY file"));
+ goto error;
+ }
+
@@ -1568,7 +1561,7 @@
+ ret = asn1_allocate_and_read (tpm2key, "emptyAuth", &empty_auth,
&empty_auth_size);
+ if (ret != ASN1_SUCCESS || grub_strncmp ("TRUE", empty_auth,
empty_auth_size) != 0)
+ {
-+ err = GRUB_ERR_BAD_ARGUMENT;
++ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("emptyAuth not TRUE"));
+ goto error;
+ }
+
@@ -1576,7 +1569,8 @@
+ ret = asn1_read_value (tpm2key, "secret", NULL, &tmp_size);
+ if (ret != ASN1_ELEMENT_NOT_FOUND)
+ {
-+ err = GRUB_ERR_BAD_ARGUMENT;
++ err = grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("\"secret\" not allowed for Sealed Key"));
+ goto error;
+ }
+
@@ -1608,14 +1602,14 @@
+ int ret;
+
+ if (parent == NULL)
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("NULL pointer detected"));
+
+ if (tpm2key == NULL)
-+ return GRUB_ERR_READ_ERROR;
++ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid parent node"));
+
+ ret = asn1_read_uint32 (tpm2key, "parent", parent);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_READ_ERROR;
++ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve parent"));
+
+ return GRUB_ERR_NONE;
+}
@@ -1626,14 +1620,16 @@
+ int ret;
+
+ if (name == NULL || data == NULL || size == NULL)
-+ return GRUB_ERR_BAD_ARGUMENT;
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter(s)"));
+
+ if (tpm2key == NULL)
-+ return GRUB_ERR_READ_ERROR;
++ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid %s node"), name);
+
+ ret = asn1_allocate_and_read (tpm2key, name, data, size);
+ if (ret != ASN1_SUCCESS)
-+ return GRUB_ERR_READ_ERROR;
++ return grub_error (GRUB_ERR_READ_ERROR,
++ N_("Failed to retrieve %s"),
++ name);
+
+ return GRUB_ERR_NONE;
+}
@@ -1764,9 +1760,7 @@
+ return GRUB_ERR_NONE;
+ }
+ else if (ret != ASN1_SUCCESS)
-+ {
-+ return GRUB_ERR_READ_ERROR;
-+ }
++ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve policy"));
+
+ return GRUB_ERR_NONE;
+}
@@ -1806,13 +1800,12 @@
+ return GRUB_ERR_NONE;
+ }
+ else if (ret != ASN1_SUCCESS)
-+ {
-+ return GRUB_ERR_READ_ERROR;
-+ }
++ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve
authPolicy"));
+
+ /* Limit the number of authPolicy elements to two digits (99) */
+ if (authpol_n > 100 || authpol_n < 1)
-+ return GRUB_ERR_OUT_OF_RANGE;
++ return grub_error (GRUB_ERR_OUT_OF_RANGE,
++ N_("Invalid number of autoPolicy elements"));
+
+ /*
+ * Iterate the authPolicy elements backwards since grub_list_push() prepends
@@ -1822,7 +1815,8 @@
+ authpol = grub_zalloc (sizeof (struct tpm2key_authpolicy));
+ if (authpol == NULL)
+ {
-+ err = GRUB_ERR_OUT_OF_MEMORY;
++ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
++ N_("Failed to allocate memory for authPolicy"));
+ goto error;
+ }
+ grub_snprintf (authpol_pol, AUTHPOLICY_POL_MAX, "authPolicy.?%d.Policy",
i);
@@ -1830,7 +1824,8 @@
+ ret = tpm2key_get_policy_seq (tpm2key, authpol_pol, &authpol->policy_seq);
+ if (ret != ASN1_SUCCESS)
+ {
-+ err = GRUB_ERR_READ_ERROR;
++ err = grub_error (GRUB_ERR_READ_ERROR,
++ N_("Failed to retrieve policy from authPolicy"));
+ goto error;
+ }
+
++++++ 0004-tpm2-Support-authorized-policy.patch ++++++
--- /var/tmp/diff_new_pack.vlU3tr/_old 2023-11-22 18:54:12.634699650 +0100
+++ /var/tmp/diff_new_pack.vlU3tr/_new 2023-11-22 18:54:12.638699797 +0100
@@ -1,31 +1,73 @@
-From d6e2d32d53d9a1aac2383fc6c075f3827111b643 Mon Sep 17 00:00:00 2001
+From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
-Subject: [PATCH 4/4] tpm2: Support authorized policy
+Subject: [PATCH v7 16/20] tpm2: Support authorized policy
-TPM2_PolicyAuthorize is the key command to support authorized policy
-which allows the users to sign TPM policies with their own keys.
+This commit handles the TPM2_PolicyAuthorize command from the key file
+in TPM 2.0 Key File format.
-Per TPM 2.0 Key File(*), CommandPolicy for TPM2_PolicyAuthorize
+TPM2_PolicyAuthorize is the essential command to support authorized
+policy which allows the users to sign TPM policies with their own keys.
+Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
-'TPMT_SIGNATURE signature'. This commit unmarshals those data
-structures, fetches the current policy digest, hashes the policy digest
-with the hash algorithm written in 'signature', and then verifies
-'signature' with 'pubkey'. If everything goes well, TPM2_PolicyAuthorize
-is invoked to authorize the signed policy.
+'TPMT_SIGNATURE signature'. To verify the signature, the current policy
+digest is hashed with the hash algorithm written in 'signature', and then
+'signature' is verified with the hashed policy digest and 'pubkey'. Once
+TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
+signed policy.
-(*) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
+To create the key file with authorized policy, here are the pcr-oracle(*2)
+commands:
+
+ # Generate the RSA key and create the authorized policy file
+ $ pcr-oracle \
+ --rsa-generate-key \
+ --private-key policy-key.pem \
+ --auth authorized.policy \
+ create-authorized-policy 0,2,4,7,9
+
+ # Seal the secret with the authorized policy
+ $ pcr-oracle \
+ --key-format tpm2.0 \
+ --auth authorized.policy \
+ --input disk-secret.txt \
+ --output sealed.key \
+ seal-secret
+
+ # Sign the predicted PCR policy
+ $ pcr-oracle \
+ --key-format tpm2.0 \
+ --private-key policy-key.pem \
+ --from eventlog \
+ --stop-event "grub-file=grub.cfg" \
+ --after \
+ --input sealed.key \
+ --output sealed.tpm \
+ sign 0,2,4,7.9
+
+Then specify the key file and the key protector to grub.cfg in the EFI
+system partition:
+
+tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
+cryptomount -u <PART_UUID> -P tpm2
+
+For any change in the boot components, just run the 'sign' command again
+to update the signature in sealed.tpm, and TPM can unseal the key file
+with the updated PCR policy.
+
+(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
+(*2) https://github.com/okirch/pcr-oracle
Signed-off-by: Gary Lin <g...@suse.com>
---
- grub-core/tpm2/module.c | 98 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 98 insertions(+)
+ grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 84 insertions(+)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index 5274296b7..e5235c2ac 100644
+index df0727215..0cbfd06e8 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
-@@ -454,6 +454,101 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION
session,
+@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION
session,
return GRUB_ERR_NONE;
}
@@ -49,59 +91,45 @@
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
+ if (cmd_buf->error != 0)
-+ {
-+ err = GRUB_ERR_BAD_ARGUMENT;
-+ return grub_error (err, N_("Failed to unmarshal the buffer for "
-+ "TPM2_PolicyAuthorize"));
-+ }
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Failed to unmarshal the buffer for
TPM2_PolicyAuthorize"));
+
+ /* Retrieve Policy Digest */
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
+ if (rc != TPM_RC_SUCCESS)
-+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to get policy digest (TPM error: 0x%x)."),
-+ rc);
-+ return err;
-+ }
++ return grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to get policy digest (TPM2_PolicyGetDigest:
0x%x)."),
++ rc);
+
+ /* Calculate the digest of the polcy for VerifySignature */
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
+ if (sig_hash == TPM_ALG_NULL)
-+ {
-+ err = GRUB_ERR_BAD_ARGUMENT;
-+ grub_error (err, N_("Failed to get the hash algorithm of the
signature"));
-+ return err;
-+ }
++ return grub_error (GRUB_ERR_BAD_ARGUMENT,
++ N_("Failed to get the hash algorithm of the signature"));
++
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
-+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to create PCR policy hash (TPM2_Hash failed
"
-+ "with TSS/TPM error %u)"), rc);
-+ return err;
-+ }
++ return grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
++ rc);
+
+ /* Load the public key */
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
+ &pubkey_handle, &pubname, NULL);
+ if (rc != TPM_RC_SUCCESS)
-+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to load public key (TPM2_LoadExternal
failed "
-+ "with TSS/TPM error %u)"), rc);
-+ return err;
-+ }
++ return grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to load public key (TPM2_LoadExternal:
0x%x)"),
++ rc);
+
+ /* Verify the signature against the public key and the policy digest */
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash,
&signature,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to verify signature (TPM2_VerifySignature "
-+ "failed with TSS/TPM error %u)"), rc);
++ err = grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to verify signature (TPM2_VerifySignature:
0x%x)"),
++ rc);
+ goto error;
+ }
+
@@ -110,9 +138,9 @@
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ err = GRUB_ERR_BAD_DEVICE;
-+ grub_error (err, N_("Failed to authorize PCR policy
(TPM2_PolicyAuthorize "
-+ "failed with TSS/TPM error: 0x%u).\n"), rc);
++ err = grub_error (GRUB_ERR_BAD_DEVICE,
++ N_("Failed to authorize PCR policy
(TPM2_PolicyAuthorize: 0x%x)"),
++ rc);
+ goto error;
+ }
+
@@ -127,7 +155,7 @@
static grub_err_t
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy,
TPMI_SH_AUTH_SESSION session)
{
-@@ -473,6 +568,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t
policy, TPMI_SH_AUTH_SESSIO
+@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t
policy, TPMI_SH_AUTH_SESSIO
case TPM_CC_PolicyPCR:
err = grub_tpm2_protector_policypcr (session, &buf);
break;
++++++ 0005-util-grub-protect-Add-new-tool.patch ++++++
--- /var/tmp/diff_new_pack.vlU3tr/_old 2023-11-22 18:54:12.658700531 +0100
+++ /var/tmp/diff_new_pack.vlU3tr/_new 2023-11-22 18:54:12.662700677 +0100
@@ -1,7 +1,7 @@
-From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001
+From 1116bc4b9a27aceaec53421e89eb887e6ad3aef8 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hega...@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:57 -0800
-Subject: [PATCH v6 12/20] util/grub-protect: Add new tool
+Subject: [PATCH v7 12/20] util/grub-protect: Add new tool
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
@@ -51,21 +51,21 @@
Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
Signed-off-by: Gary Lin <g...@suse.com>
---
- .gitignore | 2 +
Makefile.util.def | 22 +
configure.ac | 9 +
- util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 1557 insertions(+)
+ util/grub-protect.c | 1492 +++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 1525 insertions(+)
create mode 100644 util/grub-protect.c
-Index: grub-2.12~rc1/Makefile.util.def
-===================================================================
---- grub-2.12~rc1.orig/Makefile.util.def
-+++ grub-2.12~rc1/Makefile.util.def
-@@ -208,6 +208,28 @@ program = {
+diff --git a/Makefile.util.def b/Makefile.util.def
+index e89abb38f..f43c223b9 100644
+--- a/Makefile.util.def
++++ b/Makefile.util.def
+@@ -207,6 +207,28 @@ program = {
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
- program = {
++program = {
+ name = grub-protect;
+
+ common = grub-core/osdep/init.c;
@@ -87,14 +87,13 @@
+ enable = efi;
+};
+
-+program = {
+ program = {
name = grub-mkrelpath;
mansection = 1;
-
-Index: grub-2.12~rc1/configure.ac
-===================================================================
---- grub-2.12~rc1.orig/configure.ac
-+++ grub-2.12~rc1/configure.ac
+diff --git a/configure.ac b/configure.ac
+index c19779c14..9796e5f9b 100644
+--- a/configure.ac
++++ b/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
grub_TRANSFORM([grub-mkrelpath])
grub_TRANSFORM([grub-mkrescue])
@@ -103,7 +102,7 @@
grub_TRANSFORM([grub-reboot])
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
-@@ -1992,6 +1993,14 @@ fi
+@@ -2018,6 +2019,14 @@ fi
AC_SUBST([LIBZFS])
AC_SUBST([LIBNVPAIR])
@@ -118,11 +117,12 @@
LIBS=""
AC_SUBST([FONT_SOURCE])
-Index: grub-2.12~rc1/util/grub-protect.c
-===================================================================
+diff --git a/util/grub-protect.c b/util/grub-protect.c
+new file mode 100644
+index 000000000..c6d41ea40
--- /dev/null
-+++ grub-2.12~rc1/util/grub-protect.c
-@@ -0,0 +1,1524 @@
++++ b/util/grub-protect.c
+@@ -0,0 +1,1492 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@@ -184,7 +184,6 @@
+ GRUB_PROTECT_OPT_TPM2_SRK,
+ GRUB_PROTECT_OPT_TPM2_KEYFILE,
+ GRUB_PROTECT_OPT_TPM2_OUTFILE,
-+ GRUB_PROTECT_OPT_TPM2_PERSIST,
+ GRUB_PROTECT_OPT_TPM2_EVICT,
+ GRUB_PROTECT_OPT_TPM2_TPM2KEY
+} grub_protect_opt;
@@ -203,9 +202,8 @@
+ GRUB_PROTECT_ARG_TPM2_SRK = 1 << 6,
+ GRUB_PROTECT_ARG_TPM2_KEYFILE = 1 << 7,
+ GRUB_PROTECT_ARG_TPM2_OUTFILE = 1 << 8,
-+ GRUB_PROTECT_ARG_TPM2_PERSIST = 1 << 9,
-+ GRUB_PROTECT_ARG_TPM2_EVICT = 1 << 10,
-+ GRUB_PROTECT_ARG_TPM2_TPM2KEY = 1 << 11
++ GRUB_PROTECT_ARG_TPM2_EVICT = 1 << 9,
++ GRUB_PROTECT_ARG_TPM2_TPM2KEY = 1 << 10
+} grub_protect_arg_t;
+
+typedef enum grub_protect_protector
@@ -237,7 +235,6 @@
+ TPM_HANDLE tpm2_srk;
+ const char *tpm2_keyfile;
+ const char *tpm2_outfile;
-+ int tpm2_persist;
+ int tpm2_evict;
+ int tpm2_tpm2key;
+};
@@ -318,8 +315,7 @@
+ .arg = "NUM",
+ .flags = 0,
+ .doc =
-+ N_("The SRK handle if the SRK is to be made persistent "
-+ "(default is 0x81000001)."),
++ N_("The SRK handle if the SRK is to be made persistent."),
+ .group = 0
+ },
+ {
@@ -335,16 +331,6 @@
+ .group = 0
+ },
+ {
-+ .name = "tpm2-persist",
-+ .key = GRUB_PROTECT_OPT_TPM2_PERSIST,
-+ .arg = NULL,
-+ .flags = 0,
-+ .doc =
-+ N_("Whether to persist the SRK onto the TPM, otherwise it is recreated "
-+ "ephemerally during boot (default is to not persist it)."),
-+ .group = 0
-+ },
-+ {
+ .name = "tpm2-evict",
+ .key = GRUB_PROTECT_OPT_TPM2_EVICT,
+ .arg = NULL,
@@ -634,7 +620,7 @@
+ rc = TPM2_PCR_Read (NULL, &pcr_sel, NULL, &pcr_sel_out, &pcr_values, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ fprintf (stderr, _("Failed to read PCRs (TPM error: 0x%x).\n"), rc);
++ fprintf (stderr, _("Failed to read PCRs (TPM2_PCR_Read: 0x%x).\n"), rc);
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
@@ -711,7 +697,7 @@
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr,
-+ _("Failed to start trial policy session (TPM error: 0x%x).\n"),
++ _("Failed to start trial policy session (TPM2_StartAuthSession:
0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit2;
@@ -723,7 +709,7 @@
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ fprintf (stderr, _("Failed to submit PCR policy (TPM error: 0x%x).\n"),
++ fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR:
0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
@@ -733,7 +719,7 @@
+ rc = TPM2_PolicyGetDigest (session, NULL, &policy_digest, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ fprintf (stderr, _("Failed to get policy digest (TPM error: 0x%x).\n"),
++ fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest:
0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
@@ -772,26 +758,25 @@
+ TPM2B_NAME srkName = { 0 };
+ TPM_HANDLE srkHandle;
+
-+ /* Find SRK */
-+ rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
-+ if (rc == TPM_RC_SUCCESS)
++ if (args->tpm2_srk != 0)
+ {
-+ if (args->tpm2_persist)
-+ fprintf (stderr,
-+ _("Warning: --tpm2-persist was specified but the SRK already "
-+ "exists on the TPM. Continuing anyway...\n"));
-+
-+ *srk = TPM2_SRK_HANDLE;
-+ return GRUB_ERR_NONE;
-+ }
++ /* Find SRK */
++ rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
++ if (rc == TPM_RC_SUCCESS)
++ {
++ printf (_("Read SRK from 0x%x\n"), args->tpm2_srk);
++ *srk = args->tpm2_srk;
++ return GRUB_ERR_NONE;
++ }
+
-+ /* The handle exists but its public area could not be read. */
-+ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
-+ {
-+ fprintf (stderr,
-+ _("The SRK exists on the TPM but its public area cannot be read "
-+ "(TPM error: 0x%x).\n"), rc);
-+ return GRUB_ERR_BAD_DEVICE;
++ /* The handle exists but its public area could not be read. */
++ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
++ {
++ fprintf (stderr,
++ _("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic:
0x%x).\n"),
++ args->tpm2_srk, rc);
++ return GRUB_ERR_BAD_DEVICE;
++ }
+ }
+
+ /* Create SRK */
@@ -836,12 +821,12 @@
+ &srkName, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ fprintf (stderr, _("Failed to create SRK (TPM error: 0x%x).\n"), rc);
++ fprintf (stderr, _("Failed to create SRK (TPM2_CreatePrimary:
0x%x).\n"), rc);
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
+ /* Persist SRK */
-+ if (args->tpm2_persist)
++ if (args->tpm2_srk != 0)
+ {
+ rc = TPM2_EvictControl (TPM_RH_OWNER, srkHandle, &authCommand,
+ args->tpm2_srk, NULL);
@@ -852,8 +837,8 @@
+ }
+ else
+ fprintf (stderr,
-+ _("Warning: Failed to persist SRK (TPM error: 0x%x\n). "
-+ "Continuing anyway...\n"), rc);
++ _("Warning: Failed to persist SRK (0x%x) (TPM2_EvictControl:
0x%x\n). "
++ "Continuing anyway...\n"), args->tpm2_srk, rc);
+ }
+
+ /* Epilogue */
@@ -891,7 +876,7 @@
+ &pcr_sel, &outPrivate, &outPublic, NULL, NULL, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
-+ fprintf (stderr, _("Failed to seal key (TPM error: 0x%x).\n"), rc);
++ fprintf (stderr, _("Failed to seal key (TPM2_Create: 0x%x).\n"), rc);
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
@@ -1202,7 +1187,7 @@
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr,
-+ _("Failed to evict SRK with handle 0x%x (TPM Error: 0x%x).\n"),
++ _("Failed to evict SRK with handle 0x%x (TPM2_EvictControl:
0x%x).\n"),
+ args->tpm2_srk, rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit2;
@@ -1269,9 +1254,6 @@
+ args->tpm2_pcr_count = 1;
+ }
+
-+ if (args->tpm2_srk == 0)
-+ args->tpm2_srk = TPM2_SRK_HANDLE;
-+
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
+ {
+ args->tpm2_asymmetric = TPM_ALG_RSA;
@@ -1319,19 +1301,16 @@
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
-+ if (args->args & GRUB_PROTECT_ARG_TPM2_PERSIST)
++ if (args->tpm2_srk == 0)
+ {
+ fprintf (stderr,
-+ _("--tpm2-persist is invalid when --action is 'remove'.\n"));
++ _("--tpm2-srk is not specified when --action is
'remove'.\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ if (args->tpm2_device == NULL)
+ args->tpm2_device = "/dev/tpm0";
+
-+ if (args->tpm2_srk == 0)
-+ args->tpm2_srk = TPM2_SRK_HANDLE;
-+
+ break;
+
+ default:
@@ -1497,17 +1476,6 @@
+ args->args |= GRUB_PROTECT_ARG_TPM2_OUTFILE;
+ break;
+
-+ case GRUB_PROTECT_OPT_TPM2_PERSIST:
-+ if (args->args & GRUB_PROTECT_ARG_TPM2_PERSIST)
-+ {
-+ fprintf (stderr, _("--tpm2-persist can only be specified once.\n"));
-+ return EINVAL;
-+ }
-+
-+ args->tpm2_persist = 1;
-+ args->args |= GRUB_PROTECT_ARG_TPM2_PERSIST;
-+ break;
-+
+ case GRUB_PROTECT_OPT_TPM2_EVICT:
+ if (args->args & GRUB_PROTECT_ARG_TPM2_EVICT)
+ {
@@ -1647,4 +1615,7 @@
+
+ return err;
+}
+--
+2.35.3
+
