On Fri, Jun 28, 2024 at 04:18:43PM +0800, Gary Lin via Grub-devel wrote:
> GIT repo for v18: https://github.com/lcp/grub2/tree/tpm2-unlock-v18
>
> This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> Hernan Gatta to introduce the key protector framework and TPM2 stack
> to GRUB2, and this could be a useful feature for the systems to
> implement full disk encryption.
>
> To support TPM 2.0 Key File format(*2), patch 1~6,8-10 are grabbed from
> Daniel Axtens's "appended signature secure boot support" (*3) to import
> libtasn1 into grub2. Besides, the libtasn1 version is upgraded to
> 4.19.0 instead of 4.16.0 in the original patch.
>
> Patch 7 fixes a potential buffer overrun in libtasn1.
> (https://gitlab.com/gnutls/libtasn1/-/issues/49)
>
> Patch 11 adds the document for libtasn1 and the steps to upgrade the
> library.
>
> Patch 12~18 are based on Hernan Gatta's patches with the follow-up fixes
> and improvements:
> - Converting 8 spaces into 1 tab
> - Merging the minor build fix from Michael Chang
> - Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
> - Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
> - Rebasing "cryptodisk: Support key protectors" to the git master
> - Removing the measurement on the sealed key
>   - Based on the patch from Olaf Kirch <o...@suse.com>
> - Adjusting the input parameters of TPM2_EvictControl to match the order
>   in "TCG TPM2 Part3 Commands"
> - Declaring the input arguments of TPM2 functions as const
> - Resending TPM2 commands on TPM_RC_RETRY
> - Adding checks for the parameters of TPM2 commands
> - Packing the missing authorization command for TPM2_PCR_Read
> - Tweaking the TPM2 command functions to allow some parameters to be
>   NULL so that we don't have to declare empty variables
> - Using grub_cpu_to_be*() in the TPM2 stack instead of grub_swap_bytes*()
>   which may cause problems on big-endian machines
> - Changing the short name of "--protector" of "cryptomount" from "-k" to
>   "-P" to avoid the conflict with "--key-file"
> - Supporting TPM 2.0 Key File Format besides the raw sealed key
> - Adding the external libtasn1 dependency to grub-protect to write the
>   TPM 2.0 Key files
> - Extending the TPM2 TSS stack to support authorized policy
>
> Patch 19 implements the authorized policy support.
>
> Patch 20 implements the missing NV index mode. (Thanks to Patrick Colp)
>
> Patch 21 improves the 'cryptomount' command to fall back to the
> passphrase mode when the key protector fails to unlock the encrypted
> partition. (Another patch from Patrick Colp)
>
> Patch 22 and 23 fix the potential security issues spotted by Fabian Vogt.
>
> Patch 24 and 25 implement the TPM2 key unsealing testcases.
It seems to me this patch set misses usage documentation with examples.
Could you add it to the docs/grub.texi?

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
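Two items in the cover letter's change list, the switch from grub_swap_bytes*() to grub_cpu_to_be*() and the resend on TPM_RC_RETRY, are easy to get wrong in a TPM2 stack. The following stand-alone C example was written for this page and is not GRUB's code: it marshals a TPM2_GetRandom command into the big-endian wire format with host-order-independent shifts, parses a response header with size checks before trusting any field, flags TPM_RC_RETRY as "resend", and shows why an unconditional byte swap only happens to produce the right bytes on little-endian hosts. The tag, command-code and response-code constants are the values from the TCG TPM 2.0 Library specification; the response buffer is constructed for the example, not captured from a TPM.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TPM 2.0 wire format is big-endian regardless of the host CPU, so a
 * marshaller must convert host order -> big-endian, not blindly swap bytes.
 * Constants are from the TCG TPM 2.0 Library specification, Part 2. */
#define TPM_ST_NO_SESSIONS 0x8001u
#define TPM_CC_GetRandom   0x0000017Bu
#define TPM_RC_RETRY       0x922u   /* RC_WARN (0x900) + 0x022 */

/* Portable host-to-big-endian stores: shifts never depend on host order. */
static void put_be16(uint8_t *p, uint16_t v)
{
  p[0] = (uint8_t)(v >> 8);
  p[1] = (uint8_t)(v & 0xff);
}

static void put_be32(uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t)(v >> 24);
  p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);
  p[3] = (uint8_t)(v & 0xff);
}

static uint32_t get_be32(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unconditional swap: the pattern the series moved away from. */
static uint32_t swap32(uint32_t v)
{
  return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

int host_is_little_endian(void)
{
  uint16_t probe = 1;
  uint8_t first;
  memcpy(&first, &probe, 1);
  return first == 1;
}

/* Marshal TPM2_GetRandom(bytesRequested): 10-byte header + one UINT16.
 * Returns the command length written, or 0 if buf is too small. */
size_t marshal_get_random(uint8_t *buf, size_t cap, uint16_t bytes_requested)
{
  const size_t len = 2 + 4 + 4 + 2;
  if (cap < len)
    return 0;
  put_be16(buf + 0, TPM_ST_NO_SESSIONS);
  put_be32(buf + 2, (uint32_t)len);        /* commandSize includes the header */
  put_be32(buf + 6, TPM_CC_GetRandom);
  put_be16(buf + 10, bytes_requested);
  return len;
}

/* Parse a response header (tag, responseSize, responseCode). Rejects short
 * or inconsistent headers before any field is trusted; returns -1 on error. */
int32_t parse_response_code(const uint8_t *rsp, size_t rsp_len)
{
  if (rsp == NULL || rsp_len < 10)
    return -1;
  if (get_be32(rsp + 2) != rsp_len)     /* responseSize must match bytes received */
    return -1;
  return (int32_t)get_be32(rsp + 6);
}

/* TPM_RC_RETRY means "resend the same command"; any other code is final. */
int tpm2_rc_needs_resend(int32_t rc)
{
  return rc == (int32_t)TPM_RC_RETRY;
}

/* Self-check against the spec bytes for GetRandom(16). */
int marshal_get_random_matches_spec(void)
{
  static const uint8_t want[12] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0c,
                                    0x00, 0x00, 0x01, 0x7b, 0x00, 0x10 };
  uint8_t buf[12];
  return marshal_get_random(buf, sizeof buf, 16) == sizeof want &&
         memcmp(buf, want, sizeof want) == 0;
}

/* Constructed response (not captured from a real TPM): a RETRY warning. */
int32_t example_retry_response_code(void)
{
  static const uint8_t rsp[10] = { 0x80, 0x01, 0x00, 0x00, 0x00, 0x0a,
                                   0x00, 0x00, 0x09, 0x22 };
  return parse_response_code(rsp, sizeof rsp);
}

/* 1 if a swap32()-based store equals the portable store on this host. It does
 * only on little-endian CPUs, which is why the swap approach was replaced. */
int swap_matches_be_on_this_host(void)
{
  uint8_t portable[4], swapped[4];
  uint32_t s = swap32(TPM_CC_GetRandom);
  put_be32(portable, TPM_CC_GetRandom);
  memcpy(swapped, &s, sizeof s);
  return memcmp(portable, swapped, 4) == 0;
}

int main(void)
{
  uint8_t buf[16];
  size_t n = marshal_get_random(buf, sizeof buf, 16);
  for (size_t i = 0; i < n; i++)
    printf("%02x%s", buf[i], i + 1 == n ? "\n" : " ");
  printf("rc=0x%x resend=%d swap-correct-here=%d\n",
         (unsigned)example_retry_response_code(),
         tpm2_rc_needs_resend(example_retry_response_code()),
         swap_matches_be_on_this_host());
  return 0;
}
```

The size check in parse_response_code() is the kind of parameter check the cover letter mentions: a responseSize that disagrees with the bytes actually received is rejected before the code reads further into the buffer.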