GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by Hernan Gatta to introduce the key protector framework and TPM2 stack to GRUB2, and this could be a useful feature for the systems to implement full disk encryption. To support TPM 2.0 Key File format(*2), patch 1~5,7 are grabbed from Daniel Axtens's "appended signature secure boot support" (*3) to import libtasn1 into grub2. Besides, the libtasn1 version is upgraded to 4.19.0 instead of 4.16.0 in the original patch. Patch 6 fixes a potential buffer overrun in libtasn1. (https://gitlab.com/gnutls/libtasn1/-/issues/49) Patch 8 adds the document for libtasn1 and the steps to upgrade the library. Patch 9~13 are Hernan Gatta's patches with the follow-up fixes and improvements: - Converting 8 spaces into 1 tab - Merging the minor build fix from Michael Chang - Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf - Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def - Rebasing "cryptodisk: Support key protectors" to the git master - Removing the measurement on the sealed key - Based on the patch from Olaf Kirch <o...@suse.com> - Adjusting the input parameters of TPM2_EvictControl to match the order in "TCG TPM2 Part3 Commands" - Declaring the input arguments of TPM2 functions as const - Resending TPM2 commands on TPM_RC_RETRY - Adding checks for the parameters of TPM2 commands - Packing the missing authorization command for TPM2_PCR_Read - Tweaking the TPM2 command functions to allow some parameters to be NULL so that we don't have to declare empty variables - Only enabling grub-protect for "efi" since the TPM2 stack currently relies on the EFI TCG2 protocol to send TPM2 commands - Using grub_cpu_to_be*() in the TPM2 stack instead of grub_swap_bytes*() which may cause problems in big-indian machines - Changing the short name of "--protector" of "cryptomount" from "-k" to "-P" to avoid the conflict with "--key-file" - Supporting TPM 2.0 Key File Format besides the raw sealed key - Adding the external libtasn1 dependency to grub-protect to write the TPM 2.0 Key files - Extending the TPM2 TSS stack to support authorized policy Patch 14 implements the authorized policy support. Patch 15 implements the missing NV index mode. (Thanks to Patrick Colp) Patch 16 improves the 'cryptomount' command to fall back to the passphrase mode when the key protector fails to unlock the encrypted partition. (Another patch from Patrick Colp) Patch 17 and 18 fix the potential security issues spotted by Fabian Vogt. Patch 19 and 20 implement the TPM key unsealing testcases. To utilize the TPM2 key protector to unlock the encrypted partition (sdb1), here are the sample steps: 1. Add an extra random key for LUKS (luks-key) $ dd if=/dev/urandom of=luks-key bs=1 count=32 $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 2. Seal the key $ sudo grub-protect --action=add \ --protector=tpm2 \ --tpm2key \ --tpm2-keyfile=luks-key \ --tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm 3. Unseal the key with the proper commands in grub.cfg: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm cryptomount -u <SDB1_UUID> -P tpm2 (*1) https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00006.html (*2) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html (*3) https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00044.html v11: - Adding the missing default: handlers in grub-core/tpm2/mu.c - Updating the help messages and commit messages to reflect the change of the default SRK algorithm (RSA2048 -> ECC_NIST_P256) - Adding the testcase for the NV index mode v10: - https://lists.gnu.org/archive/html/grub-devel/2024-04/msg00019.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v10 - Fixing the coverity issues: CID 435775, CID 435771, CID 435770, CID 435769, CID 435767, CID 435761 https://lists.gnu.org/archive/html/grub-devel/2024-02/txtKIuUb5lf3O.txt - Fixing the potential memory leak (CID 435775) - Removing the unnecessary grub_protect_get_grub_drive_for_file() from util/grub-protect.c (CID 435771) - Using the grub_tpm2_mu_TPM2B_*_Unmarshal functions to unmarshal the TPM2B structs instead of a generic grub_tpm2_mu_TPM2B_Unmarshal (CID 435770) - Fixing Null pointer dereference (CID 435769) - Adding bound checks to grub_tpm2_mu_TPML_DIGEST_Unmarshal() (CID 435767) - Improving the check for the return value of ftell() (CID 435761) - Adding a quick fix for CID 435762 - Removing the empty ending line in tests/asn1_test.in - Fixing docs/grub-dev.texi and updating the libtasn1 patches in grub-core/lib/libtasn1-patches/ - Merging all the TPM2 TSS stack patches into one to reduce the total patch number - Switching the default asymmetric algorithm from RSA2048 to TPM_ECC_NIST_P256 for the faster key generation - Adding the fallback SRK templates to try a few more SRK types in case grub2 failed to associate the sealed key with the SRK in the persistent handle or the default SRK - Improving the test script to add tests for the persistent handle and the fallback SRKs v9: - https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00007.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v9 - Introducing c-ctype.h to posix_wrap and implementing strncat - Adding the descriptive comments to the disabled code in libtasn1 - Replacing strcat with the bound-checked _asn1_str_cat in libtasn1 and including c-ctype.h directly - Integrating the asn1 testcases into "functional_test" - Updating the libtasn1 patches mentioned in the documentation - Moving the key protector to a module - Amending configure.ac to enable/disable grub-protect - Fixing an timeout issue in the tpm2_test script by feeding the config through stdin v8: - https://lists.gnu.org/archive/html/grub-devel/2024-01/msg00013.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v8 - Introducing TPM device support to grub-emu and adding the TPM key unsealing testcase v7: - https://lists.gnu.org/archive/html/grub-devel/2023-11/msg00127.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v7 - Stopping reading SRK from the well-known persistent handle (TPM2_SRK_HANDLE, i.e. 0x81000001) by default since the persistent handle may be created by other OS and causes unsealing failure due to SRK mismatching - The user now has to specify the persistent handle with "--srk" explicitly. - Utilizing grub_error() to print more error messages - Unifying the format of the error messages from TPM2 commands v6: - https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00026.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v6 - Supporting more SRK types than RSA2048 and ECC_NIST_P256 - Documenting SHA512 as the supported PCR bank type in the tpm2 protector - Removing the redundant error message for grub_tpm2_protector_srk_get() since it may overwrite the real error message. - Updating the supported SRK types and PCR bank types in grub-protect - Removing the unused type: TPM2_ECC_CURVE v5: - https://lists.gnu.org/archive/html/grub-devel/2023-08/msg00113.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v5 - Rebasing to the latest git HEAD and improving the commit messages - Implementing authorized poilcy support - Implementing NV index mode - Improving the 'cryptomount' command to fall back to the passphrase mode when the key protector fails to unlock the encrypted partition - Fixing the potential security issues v4: - https://lists.gnu.org/archive/html/grub-devel/2023-04/msg00104.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v4 - Improving the error condition checks in cryptodisk.c - Moving the code to unseal with the standalone policy sequence below the code for authpolicy sequence - The standalone policy sequence was mistakenly prepended to to the authpolicy sequence with grub_list_push() while it should be appended. - Pushing the error messages from the authpolicy sequence into the grub_error stack so that we can list all errors from the sequence - Improving the error messages in the TPM2 protector - Amending the calculation of the max string lengths of 'Policy', 'CommandCode' and 'CommandPolicy' - Skipping the error path in grub_tpm2key_get_authpolicy_seq() on success to avoid freeing the authpolicy sequence v3: - https://lists.gnu.org/archive/html/grub-devel/2023-04/msg00055.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v3 - Adding the document for libtasn1 - Improving the error condition checks ex: "if (!ptr)" ==> "if (ptr == NULL)" "if (err)" ==> "if (err != GRUB_ERR_NONE)" "if (rc)" ==> "if (rc != TPM_RC_SUCCESS)" - Supporting the "TPMPolicy" and "TPMAuthPolicy" sequence in the TPM 2.0 key File - Refactoring the key recover function to support "TPMPolicy" and "TPMAuthPolicy" sequence - Using TPMS_PCR_SELECTION_SelectPCR() to set the PCR bit mask - Also dropping TPM2_PCR_TO_SELECT() and TPM2_PCR_TO_BIT() which are not necessary anymore - Removing the redundant variable, 'crd', from grub_cryptodisk_scan_device_real() - Fixing the spaces/tabs in cryptodisk.c - Fixing the comment format in cryptodisk.h - Adding the defensive check for "cargs->protectors" in grub_cryptodisk_scan_device() - Improving 'grub-protect' for the better support of TPM 2.0 Key File - Adding more comments v2: - https://lists.gnu.org/archive/html/grub-devel/2023-03/msg00094.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v2 v1: - https://lists.gnu.org/archive/html/grub-devel/2023-02/msg00130.html - GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock Daniel Axtens (6): posix_wrap: tweaks in preparation for libtasn1 libtasn1: import libtasn1-4.19.0 libtasn1: disable code not needed in grub libtasn1: changes for grub compatibility libtasn1: compile into asn1 module asn1_test: test module for libtasn1 Gary Lin (7): libtasn1: fix the potential buffer overrun libtasn1: Add the documentation tpm2: Support authorized policy cryptodisk: wipe out the cached keys from protectors diskfilter: look up cryptodisk devices first tpm2: Enable tpm2 module for grub-emu tests: Add tpm2_test Hernan Gatta (5): key_protector: Add key protectors framework tpm2: Add TPM Software Stack (TSS) key_protector: Add TPM2 Key Protector cryptodisk: Support key protectors util/grub-protect: Add new tool Patrick Colp (2): tpm2: Implement NV index cryptodisk: Fallback to passphrase .gitignore | 2 + Makefile.util.def | 35 + configure.ac | 30 + docs/grub-dev.texi | 28 + grub-core/Makefile.am | 1 + grub-core/Makefile.core.def | 48 + grub-core/disk/cryptodisk.c | 183 +- grub-core/disk/diskfilter.c | 35 +- grub-core/disk/key_protector.c | 78 + grub-core/kern/emu/main.c | 11 +- grub-core/kern/emu/misc.c | 51 + ...asn1-disable-code-not-needed-in-grub.patch | 320 +++ ...tasn1-changes-for-grub-compatibility.patch | 135 + ...sn1-fix-the-potential-buffer-overrun.patch | 35 + grub-core/lib/libtasn1/COPYING | 16 + grub-core/lib/libtasn1/README.md | 98 + grub-core/lib/libtasn1/lib/coding.c | 1433 ++++++++++ grub-core/lib/libtasn1/lib/decoding.c | 2503 +++++++++++++++++ grub-core/lib/libtasn1/lib/element.c | 1109 ++++++++ grub-core/lib/libtasn1/lib/element.h | 42 + grub-core/lib/libtasn1/lib/errors.c | 103 + grub-core/lib/libtasn1/lib/gstr.c | 74 + grub-core/lib/libtasn1/lib/gstr.h | 50 + grub-core/lib/libtasn1/lib/int.h | 220 ++ grub-core/lib/libtasn1/lib/parser_aux.c | 1178 ++++++++ grub-core/lib/libtasn1/lib/parser_aux.h | 172 ++ grub-core/lib/libtasn1/lib/structure.c | 1227 ++++++++ grub-core/lib/libtasn1/lib/structure.h | 46 + grub-core/lib/libtasn1_wrap/wrap.c | 26 + grub-core/lib/posix_wrap/c-ctype.h | 114 + grub-core/lib/posix_wrap/limits.h | 1 + grub-core/lib/posix_wrap/stdlib.h | 8 + grub-core/lib/posix_wrap/string.h | 21 + grub-core/lib/posix_wrap/sys/types.h | 1 + .../tests/asn1/CVE-2018-1000654-1_asn1_tab.h | 32 + .../tests/asn1/CVE-2018-1000654-2_asn1_tab.h | 36 + grub-core/tests/asn1/CVE-2018-1000654.c | 58 + grub-core/tests/asn1/Test_overflow.c | 134 + grub-core/tests/asn1/Test_simple.c | 205 ++ grub-core/tests/asn1/Test_strings.c | 142 + grub-core/tests/asn1/asn1_test.c | 49 + grub-core/tests/asn1/asn1_test.h | 44 + grub-core/tests/asn1/object-id-decoding.c | 109 + grub-core/tests/asn1/object-id-encoding.c | 114 + grub-core/tests/asn1/octet-string.c | 199 ++ grub-core/tests/asn1/reproducers.c | 80 + grub-core/tests/lib/functional_test.c | 1 + grub-core/tpm2/args.c | 175 ++ grub-core/tpm2/buffer.c | 145 + grub-core/tpm2/module.c | 1313 +++++++++ grub-core/tpm2/mu.c | 1168 ++++++++ grub-core/tpm2/tcg2-emu.c | 52 + grub-core/tpm2/tcg2.c | 143 + grub-core/tpm2/tpm2.c | 1221 ++++++++ grub-core/tpm2/tpm2key.asn | 31 + grub-core/tpm2/tpm2key.c | 447 +++ grub-core/tpm2/tpm2key_asn1_tab.c | 41 + include/grub/cryptodisk.h | 16 + include/grub/emu/misc.h | 5 + include/grub/key_protector.h | 46 + include/grub/libtasn1.h | 657 +++++ include/grub/tpm2/buffer.h | 65 + include/grub/tpm2/internal/args.h | 49 + include/grub/tpm2/internal/functions.h | 178 ++ include/grub/tpm2/internal/structs.h | 768 +++++ include/grub/tpm2/internal/types.h | 406 +++ include/grub/tpm2/mu.h | 396 +++ include/grub/tpm2/tcg2.h | 34 + include/grub/tpm2/tpm2.h | 34 + include/grub/tpm2/tpm2key.h | 83 + tests/asn1_test.in | 11 + tests/tpm2_test.in | 351 +++ tests/util/grub-shell.in | 6 +- util/grub-protect.c | 1396 +++++++++ 74 files changed, 19831 insertions(+), 43 deletions(-) create mode 100644 grub-core/disk/key_protector.c create mode 100644 grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch create mode 100644 grub-core/lib/libtasn1-patches/0002-libtasn1-changes-for-grub-compatibility.patch create mode 100644 grub-core/lib/libtasn1-patches/0003-libtasn1-fix-the-potential-buffer-overrun.patch create mode 100644 grub-core/lib/libtasn1/COPYING create mode 100644 grub-core/lib/libtasn1/README.md create mode 100644 grub-core/lib/libtasn1/lib/coding.c create mode 100644 grub-core/lib/libtasn1/lib/decoding.c create mode 100644 grub-core/lib/libtasn1/lib/element.c create mode 100644 grub-core/lib/libtasn1/lib/element.h create mode 100644 grub-core/lib/libtasn1/lib/errors.c create mode 100644 grub-core/lib/libtasn1/lib/gstr.c create mode 100644 grub-core/lib/libtasn1/lib/gstr.h create mode 100644 grub-core/lib/libtasn1/lib/int.h create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h create mode 100644 grub-core/lib/libtasn1/lib/structure.c create mode 100644 grub-core/lib/libtasn1/lib/structure.h create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c create mode 100644 grub-core/lib/posix_wrap/c-ctype.h create mode 100644 grub-core/tests/asn1/CVE-2018-1000654-1_asn1_tab.h create mode 100644 grub-core/tests/asn1/CVE-2018-1000654-2_asn1_tab.h create mode 100644 grub-core/tests/asn1/CVE-2018-1000654.c create mode 100644 grub-core/tests/asn1/Test_overflow.c create mode 100644 grub-core/tests/asn1/Test_simple.c create mode 100644 grub-core/tests/asn1/Test_strings.c create mode 100644 grub-core/tests/asn1/asn1_test.c create mode 100644 grub-core/tests/asn1/asn1_test.h create mode 100644 grub-core/tests/asn1/object-id-decoding.c create mode 100644 grub-core/tests/asn1/object-id-encoding.c create mode 100644 grub-core/tests/asn1/octet-string.c create mode 100644 grub-core/tests/asn1/reproducers.c create mode 100644 grub-core/tpm2/args.c create mode 100644 grub-core/tpm2/buffer.c create mode 100644 grub-core/tpm2/module.c create mode 100644 grub-core/tpm2/mu.c create mode 100644 grub-core/tpm2/tcg2-emu.c create mode 100644 grub-core/tpm2/tcg2.c create mode 100644 grub-core/tpm2/tpm2.c create mode 100644 grub-core/tpm2/tpm2key.asn create mode 100644 grub-core/tpm2/tpm2key.c create mode 100644 grub-core/tpm2/tpm2key_asn1_tab.c create mode 100644 include/grub/key_protector.h create mode 100644 include/grub/libtasn1.h create mode 100644 include/grub/tpm2/buffer.h create mode 100644 include/grub/tpm2/internal/args.h create mode 100644 include/grub/tpm2/internal/functions.h create mode 100644 include/grub/tpm2/internal/structs.h create mode 100644 include/grub/tpm2/internal/types.h create mode 100644 include/grub/tpm2/mu.h create mode 100644 include/grub/tpm2/tcg2.h create mode 100644 include/grub/tpm2/tpm2.h create mode 100644 include/grub/tpm2/tpm2key.h create mode 100644 tests/asn1_test.in create mode 100644 tests/tpm2_test.in create mode 100644 util/grub-protect.c Range-diff against v10: -: --------- > 1: c1343113c posix_wrap: tweaks in preparation for libtasn1 -: --------- > 2: 1c60bdbbe libtasn1: import libtasn1-4.19.0 -: --------- > 3: 715f65934 libtasn1: disable code not needed in grub -: --------- > 4: d13793c21 libtasn1: changes for grub compatibility -: --------- > 5: 8f7c3c3b2 libtasn1: fix the potential buffer overrun -: --------- > 6: 8515ccc24 libtasn1: compile into asn1 module -: --------- > 7: 24c129e64 asn1_test: test module for libtasn1 -: --------- > 8: 7a1aced55 libtasn1: Add the documentation -: --------- > 9: 957b048f2 key_protector: Add key protectors framework 1: ca024f496 ! 10: cbeaf8472 tpm2: Add TPM Software Stack (TSS) @@ Commit message TPM2_SequenceComplete, TPM2_Hash, TPM2_VerifySignature, TPM2_PolicyAuthorize, TPM2_TestParms + Cc: Stefan Berger <stef...@linux.ibm.com> Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com> Signed-off-by: Gary Lin <g...@suse.com> @@ grub-core/tpm2/mu.c (new) + break; + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ grub-core/tpm2/mu.c (new) + case TPM_ALG_XOR: + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ grub-core/tpm2/mu.c (new) + case TPM_ALG_ECC: + grub_tpm2_mu_TPMS_ECC_POINT_Marshal (buffer, &p->ecc); + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ grub-core/tpm2/mu.c (new) + break; + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ grub-core/tpm2/mu.c (new) + case TPM_ALG_XOR: + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ grub-core/tpm2/mu.c (new) + case TPM_ALG_ECC: + grub_tpm2_mu_TPMS_ECC_POINT_Unmarshal (buffer, &p->ecc); + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + 2: 5ecd4ef2f ! 11: d65a0631d key_protector: Add TPM2 Key Protector @@ grub-core/tpm2/module.c (new) + N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, " + "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, " + "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " -+ "(default is RSA2048)"), ++ "(default is ECC_NIST_P256)"), + }, + /* NV Index-mode options */ + { 3: 94f0f74c6 = 12: 0d9998ab2 cryptodisk: Support key protectors 4: 161d8c56f ! 13: 0ce5fc0e6 util/grub-protect: Add new tool @@ util/grub-protect.c (new) + N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, " + "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, " + "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " -+ "(default is RSA2048)"), ++ "(default is ECC_NIST_P256)"), + .group = 0 + }, + { 5: c1deb7fe6 ! 14: 7e3dcf00f tpm2: Support authorized policy @@ Commit message Then specify the key file and the key protector to grub.cfg in the EFI system partition: - tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm + tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm cryptomount -u <PART_UUID> -P tpm2 For any change in the boot components, just run the 'sign' command again 6: abb4c9461 ! 15: fe01fa1e8 tpm2: Implement NV index @@ Commit message tpm2_getrandom 32 > key.dat # Create primary object. - tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx + tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx # Create policy object. `pcrs.dat` contains the PCR values to seal against. tpm2_startauthsession -S session.dat 7: 1f9d2b3a2 = 16: dfe806dc0 cryptodisk: Fallback to passphrase 8: 976072355 = 17: b9f27bfba cryptodisk: wipe out the cached keys from protectors 9: 188abeb62 = 18: b7eb5c903 diskfilter: look up cryptodisk devices first 10: 62e5e2c43 = 19: 624a8583f tpm2: Enable tpm2 module for grub-emu 11: ef7d48126 ! 20: ce096c966 tests: Add tpm2_test @@ Commit message swtpm_cuse and PCR 0 and 1 are extended. There are several test cases in the script to test various settings. Each - test case uses grub-protect to seal the LUKS password against PCR 0 and - PCR 1. Then grub-emu is launched to load the LUKS image, try to mount - the image with tpm2_key_protector_init and cryptomount, and verify the - result. + test case uses grub-protect or tpm2-tools to seal the LUKS password + against PCR 0 and PCR 1. Then grub-emu is launched to load the LUKS image, + try to mount the image with tpm2_key_protector_init and cryptomount, and + verify the result. Based on the idea from Michael Chang. @@ tests/tpm2_test.in (new) + return $ret +} + ++tpm2_seal_unseal_nv() { ++ local persistent_handle="0x81000000" ++ local primary_file=${tpm2testdir}/primary.ctx ++ local session_file=${tpm2testdir}/session.dat ++ local policy_file=${tpm2testdir}/policy.dat ++ local keypub_file=${tpm2testdir}/key.pub ++ local keypriv_file=${tpm2testdir}/key.priv ++ local name_file=${tpm2testdir}/sealing.name ++ local sealing_ctx_file=${tpm2testdir}/sealing.ctx ++ ++ # Since we don't run a resource manager on our swtpm instance, it has ++ # to flush the transient handles after tpm2_createprimary, tpm2_create ++ # and tpm2_load to avoid the potential out-of-memory (0x902) errors. ++ # Ref: https://github.com/tpm2-software/tpm2-tools/issues/1338#issuecomment-469689398 ++ ++ # Create the primary object ++ tpm2_createprimary -C o -g sha256 -G ecc -c ${primary_file} ++ tpm2_flushcontext -t ++ ++ # Create the policy object ++ tpm2_startauthsession -S ${session_file} ++ tpm2_policypcr -S ${session_file} -l sha256:0,1 -L ${policy_file} ++ tpm2_flushcontext ${session_file} ++ ++ # Seal the key into TPM ++ tpm2_create -C ${primary_file} -u ${keypub_file} -r ${keypriv_file} -L ${policy_file} -i ${lukskeyfile} ++ tpm2_flushcontext -t ++ tpm2_load -C ${primary_file} -u ${keypub_file} -r ${keypriv_file} -n ${name_file} -c ${sealing_ctx_file} ++ tpm2_flushcontext -t ++ tpm2_evictcontrol -C o -c ${sealing_ctx_file} ${persistent_handle} ++ ++ # Write the TPM unsealing script ++ cat > ${tpm2testdir}/testcase.cfg <<EOF ++loopback luks (host)${luksfile} ++tpm2_key_protector_init --mode=nv --nvindex=${persistent_handle} --pcrs=0,1 ++if cryptomount -a --protector tpm2; then ++ echo "${vtext}" ++fi ++EOF ++ ++ # Test TPM unsealing with the same PCR ++ ${grubshell} --timeout=$timeout --grub-emu-opts="-t ${tpm2dev}" < ${tpm2testdir}/testcase.cfg > ${testoutput} ++ ret=$? ++ ++ # Remove the persistent handle ++ grub-protect \ ++ --tpm2-device=${tpm2dev} \ ++ --protector=tpm2 \ ++ --action=remove \ ++ --tpm2-srk=${persistent_handle} \ ++ --tpm2-evict ++ ++ return $ret ++} ++ +tpm2_seal_unseal RSA transient no_fallback_srk +ret=$? +if [ "$ret" -eq 0 ]; then @@ tests/tpm2_test.in (new) + exit $ret +fi + ++tpm2_seal_unseal_nv ++ret=$? ++if [ "$ret" -eq 0 ]; then ++ if ! grep -q "^${vtext}$" "$testoutput"; then ++ echo "error: test not verified [`cat $testoutput`]" >&2 ++ exit 1 ++ fi ++else ++ echo "grub-emu exited with error: $ret" >&2 ++ exit $ret ++fi ++ +exit $ret ## tests/util/grub-shell.in ## -- 2.35.3 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel