On 4/15/24 05:45, Gary Lin wrote:
> On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
>>
>> On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
>>> GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
>>>
>>> This patch series is based on "Automatic TPM Disk Unlock" (*1) posted by
>>> Hernan Gatta to introduce the key protector framework and TPM2 stack
>>> to GRUB2, and this could be a useful feature for the systems to
>>> implement full disk encryption.
>>
>> You also need to extend the documentation with the command line steps and a
>> IMO there has to be a warning for VM users that sealing to PCRs inside a VM
>> is dangerous since the next packages update may bring an update to TianoCore
>> UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
>> work then.
>
> For baremetal users, it still could happen after upgrading the firmware.

Right but this is much rarer.

> We surely need a place to notify users of this situation when using PCR
> 0~7.

PCRs 8-9 probably have to be all zeros at the time of sealing (running the user space application for setting this up) so they have the values at the time before grub measures kernel and initramfs, right?

> Thanks,
>
> Gary Lin

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
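
The two failure modes discussed in this thread, as an added example that is not part of the original messages or of the GRUB patch series: a simplified Python model of PCR extension and of a key bound to a digest over selected PCR values. The function names, the event strings, the assignment of kernel and initramfs to PCR 9, and the single digest standing in for the TPM policy are assumptions made for illustration.

```python
import hashlib

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events, include_os_stage=True):
    """Replay constructed (pcr_index, data, os_stage) events into PCRs 0-9."""
    pcrs = {i: bytes(32) for i in range(10)}  # every PCR starts as zeros
    for index, data, os_stage in events:
        if os_stage and not include_os_stage:
            break  # state seen by GRUB before it measures kernel/initramfs
        pcrs[index] = extend(pcrs[index], data)
    return pcrs

def pcr_digest(pcrs, selection):
    """Digest over the selected PCR values in index order (policy stand-in)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()

def can_unseal(sealed_digest, pcrs, selection):
    """The key is released only if current PCRs reproduce the sealed digest."""
    return sealed_digest == pcr_digest(pcrs, selection)

# Constructed sample measurements, not taken from a real event log.
OS_STAGE = [(9, b"vmlinuz", True), (9, b"initramfs", True)]
BOOT_FW1 = [(0, b"firmware build 1", False), (7, b"secure boot policy", False)] + OS_STAGE
BOOT_FW2 = [(0, b"firmware build 2", False), (7, b"secure boot policy", False)] + OS_STAGE
SELECTION = {0, 7, 9}

def scenarios():
    at_grub = replay(BOOT_FW1, include_os_stage=False)   # when GRUB unseals
    in_userspace = replay(BOOT_FW1)                       # when the setup tool runs
    after_fw_update = replay(BOOT_FW2, include_os_stage=False)
    sealed_predicted = pcr_digest(at_grub, SELECTION)     # PCR 9 still zeros
    sealed_live = pcr_digest(in_userspace, SELECTION)     # PCR 9 already extended
    return {
        "predicted_values_same_firmware": can_unseal(sealed_predicted, at_grub, SELECTION),
        "live_userspace_values": can_unseal(sealed_live, at_grub, SELECTION),
        "predicted_values_after_firmware_update": can_unseal(sealed_predicted, after_fw_update, SELECTION),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'unseal ok' if ok else 'unseal FAILS'}")
```

In this model only the digest computed over the values GRUB will see at unseal time, on unchanged firmware, releases the key; sealing to the values read live from user space, or booting with a changed PCR 0 measurement, both fail.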
