On Fri, Apr 12, 2024 at 12:09:36PM -0400, Stefan Berger wrote:
>
>
> On 4/9/24 04:30, Gary Lin via Grub-devel wrote:
> > For the tpm2 module, the TCG2 command submission function is the only
> > difference between a QEMU instance and grub-emu. To test TPM key
> > unsealing with a QEMU instance, it requires an extra OS image to invoke
> > grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
> > CD image. On the other hand, grub-emu can share the emulated TPM device
> > with the host, so that we can seal the LUKS key on host and test key
> > unsealing with grub-emu.
> >
> > This test script firstly creates a simple LUKS image to be loaded as a
> > loopback device in grub-emu. Then an emulated TPM device is created by
> > swtpm_cuse and PCR 0 and 1 are extended.
>
> My concern here would be that distros for example don't build swtpm with the
> CUSE interface but build it with the socket and chardev interfaces. If you
> don't want users to have to build their own version of swtpm then I would
> suggest to use either 'swtpm chardev' with the vtpm_proxy module (it is
> quite commonly available on recent distros) or 'swtpm socket'.
>
> The chardev usage is for example described here and should be least involved
> to convert to:
>
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#character-device-using-tpm_vtpm_proxy
>
> You could start it like this with UnixIO control port (needs adjustment to
> swtpm_ioctl in your code).
>
>   swtpm chardev --vtpm-proxy --tpmstate dir=/tmp/myvtpm --tpm2 \
>     --ctrl type=unixio,path=/tmp/myvtpm/ctrl --flags startup-clear \
>     --daemon > logfile
>
> No need to run 'swtpm_ioctl -i' and tpm2_startup with the startup-clear
> passed.
>
> One of my test cases determines the created device (/dev/tpmXYZ) like this:
>
>   for ((i = 0; i < 200; i ++)); do
>     if [ -z "${TPM_DEVICE}" ]; then
>       TPM_DEVICE=$(sed -n 's,.*\(/dev/tpm[0-9]\+\).*,\1,p' "logfile")
>       if [ -n "${TPM_DEVICE}" ]; then
>         echo "Using ${TPM_DEVICE}."
>       fi
>     fi
>     if [ -n "${TPM_DEVICE}" ]; then
>       [ -c "${TPM_DEVICE}" ] && break
>     fi
>     sleep 0.1
>   done
>
> shutdown: sudo swtpm_ioctl -s --unix /tmp/myvtpm/ctrl
>
>
> Otherwise you could use the socket version described here:
>
> https://github.com/stefanberger/swtpm/wiki/Using-the-Intel-TSS-with-swtpm#socket-interface
>
> It needs the swtpm tcti as a dependency, though.
>
Thanks for the suggestion. Using 'swtpm socket' requires additional changes
to grub-emu and grub-protect. To minimize the impact, I'd convert the test
script to use 'swtpm chardev'.

Gary Lin

> Stefan
>
> >
> > There are several test cases in the script to test various settings. Each
> > test case uses grub-protect to seal the LUKS password against PCR 0 and
> > PCR 1. Then grub-emu is launched to load the LUKS image, try to mount
> > the image with tpm2_key_protector_init and cryptomount, and verify the
> > result.
> >
> > Based on the idea from Michael Chang.
> >
> > Cc: Michael Chang <mch...@suse.com>
> > Signed-off-by: Gary Lin <g...@suse.com>

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
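As an added example (not code from this thread, from swtpm or from GRUB), the 'swtpm chardev' start, device lookup and shutdown that Stefan describes, wrapped into POSIX sh functions with a bounded wait that fails instead of hanging when the vtpm_proxy device node never appears. The state directory, control socket path and log file name are assumptions carried over from his message, and the sample log line used for testing is constructed.

```shell
#!/bin/sh
# Added example: helpers for a grub-emu TPM test that uses 'swtpm chardev'
# with the vtpm_proxy kernel module instead of swtpm_cuse.
# Assumptions: state dir /tmp/myvtpm, control socket /tmp/myvtpm/ctrl,
# swtpm output captured in a log file (same layout as in the thread).

# Print the /dev/tpmN path found in the swtpm log (first match only),
# or nothing if swtpm has not announced the device yet.
tpm_device_from_log() {
    sed -n 's,.*\(/dev/tpm[0-9][0-9]*\).*,\1,p' "$1" | head -n 1
}

# Poll the log until the announced device node exists as a char device.
# $1 = log file, $2 = number of 0.1 s polls before giving up.
# Prints the device path and returns 0, or returns 1 on timeout so the
# caller can abort the test instead of running grub-emu with no TPM.
wait_for_tpm_device() {
    log="$1"; tries="$2"; dev=""; i=0
    while [ "$i" -lt "$tries" ]; do
        [ -z "$dev" ] && dev=$(tpm_device_from_log "$log")
        if [ -n "$dev" ] && [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
        sleep 0.1
        i=$((i + 1))
    done
    echo "timed out waiting for TPM device (log: $log)" >&2
    return 1
}

# Start swtpm as a daemon on a vtpm_proxy device with a UnixIO control
# socket; --flags startup-clear removes the need for swtpm_ioctl -i and
# tpm2_startup. $1 = state dir, $2 = log file (stdout and stderr captured).
start_swtpm_chardev() {
    mkdir -p "$1"
    swtpm chardev --vtpm-proxy --tpmstate "dir=$1" --tpm2 \
        --ctrl "type=unixio,path=$1/ctrl" --flags startup-clear \
        --daemon > "$2" 2>&1
}

# Shut the daemon down through its control socket. $1 = state dir.
stop_swtpm() {
    swtpm_ioctl -s --unix "$1/ctrl"
}

# Usage in a test script:
#   start_swtpm_chardev /tmp/myvtpm logfile
#   dev=$(wait_for_tpm_device logfile 200) || exit 1
#   ... seal with grub-protect, run grub-emu against "$dev" ...
#   stop_swtpm /tmp/myvtpm
```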