Signed-off-by: Yann Diorcet <[email protected]>
---
Makefile.util.def | 1 +
grub-core/Makefile.core.def | 1 +
.../commands/tpm2_key_protector/module.c | 164 ---------------
grub-core/commands/tpm2_key_protector/tpm2.h | 10 +
.../commands/tpm2_key_protector/tpm2_args.h | 13 +-
.../commands/tpm2_key_protector/tpm2srk.c | 191 ++++++++++++++++++
.../commands/tpm2_key_protector/tpm2srk.h | 44 ++++
util/grub-protect.c | 55 +----
8 files changed, 252 insertions(+), 227 deletions(-)
create mode 100644 grub-core/commands/tpm2_key_protector/tpm2srk.c
create mode 100644 grub-core/commands/tpm2_key_protector/tpm2srk.h
diff --git a/Makefile.util.def b/Makefile.util.def
index 3a80e6d28..3b0839bc8 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -218,6 +218,7 @@ program = {
common = grub-core/lib/tss2/tpm2_cmd.c;
common = grub-core/commands/tpm2_key_protector/args.c;
common = grub-core/commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+ common = grub-core/commands/tpm2_key_protector/tpm2srk.c;
common = util/grub-protect.c;
common = util/probe.c;
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 4daa5689e..0dfe85ab6 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2584,6 +2584,7 @@ module = {
common = commands/tpm2_key_protector/module.c;
common = commands/tpm2_key_protector/tpm2key.c;
common = commands/tpm2_key_protector/tpm2key_asn1_tab.c;
+ common = commands/tpm2_key_protector/tpm2srk.c;
/* The plaform support of tpm2_key_protector depends on the tcg2
implementation in tss2. */
enable = efi;
enable = emu;
diff --git a/grub-core/commands/tpm2_key_protector/module.c
b/grub-core/commands/tpm2_key_protector/module.c
index 857f3753f..618cc4d32 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -400,170 +400,6 @@ tpm2_protector_unmarshal_tpm2key (void *sealed_key,
return err;
}
-/* Check if the SRK exists in the specified handle */
-static grub_err_t
-tpm2_protector_srk_check (const TPM_HANDLE_t srk_handle)
-{
- TPM_RC_t rc;
- TPM2B_PUBLIC_t public;
-
- /* Find SRK */
- rc = grub_tpm2_readpublic (srk_handle, NULL, &public);
- if (rc == TPM_RC_SUCCESS)
- return GRUB_ERR_NONE;
-
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to retrieve SRK from 0x%x
(TPM2_ReadPublic: 0x%x)", srk_handle, rc);
-}
-
-/* Get the SRK with the template */
-static grub_err_t
-tpm2_protector_srk_get (const grub_srk_type_t srk_type,
- const TPM_HANDLE_t parent,
- TPM_HANDLE_t *srk_handle)
-{
- TPM_RC_t rc;
- TPMT_PUBLIC_PARMS_t parms = {0};
- TPMS_AUTH_COMMAND_t authCommand = {0};
- TPM2B_SENSITIVE_CREATE_t inSensitive = {0};
- TPM2B_PUBLIC_t inPublic = {0};
- TPM2B_DATA_t outsideInfo = {0};
- TPML_PCR_SELECTION_t creationPcr = {0};
- TPM2B_PUBLIC_t outPublic = {0};
- TPM2B_CREATION_DATA_t creationData = {0};
- TPM2B_DIGEST_t creationHash = {0};
- TPMT_TK_CREATION_t creationTicket = {0};
- TPM2B_NAME_t srkName = {0};
- TPM_HANDLE_t tmp_handle = 0;
-
- inPublic.publicArea.type = srk_type.type;
- inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
- inPublic.publicArea.objectAttributes.restricted = 1;
- inPublic.publicArea.objectAttributes.userWithAuth = 1;
- inPublic.publicArea.objectAttributes.decrypt = 1;
- inPublic.publicArea.objectAttributes.fixedTPM = 1;
- inPublic.publicArea.objectAttributes.fixedParent = 1;
- inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
- inPublic.publicArea.objectAttributes.noDA = 1;
-
- if (srk_type.type == TPM_ALG_RSA)
- {
- inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm =
TPM_ALG_AES;
- inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
- inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes =
TPM_ALG_CFB;
- inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
- inPublic.publicArea.parameters.rsaDetail.keyBits =
srk_type.detail.rsa_bits;
- inPublic.publicArea.parameters.rsaDetail.exponent = 0;
- }
- else if (srk_type.type == TPM_ALG_ECC)
- {
- inPublic.publicArea.parameters.eccDetail.symmetric.algorithm =
TPM_ALG_AES;
- inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
- inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes =
TPM_ALG_CFB;
- inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
- inPublic.publicArea.parameters.eccDetail.curveID =
srk_type.detail.ecc_curve;
- inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
- }
- else
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown SRK algorithm");
-
- /* Test the parameters before SRK generation */
- parms.type = srk_type.type;
- grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters,
- sizeof (TPMU_PUBLIC_PARMS_t));
-
- rc = grub_tpm2_testparms (&parms, NULL);
- if (rc != TPM_RC_SUCCESS)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, "unsupported SRK template
(TPM2_TestParms: 0x%x)", rc);
-
- /* Create SRK */
- authCommand.sessionHandle = TPM_RS_PW;
- rc = grub_tpm2_createprimary (parent, &authCommand, &inSensitive, &inPublic,
- &outsideInfo, &creationPcr, &tmp_handle,
&outPublic,
- &creationData, &creationHash, &creationTicket,
- &srkName, NULL);
- if (rc != TPM_RC_SUCCESS)
- return grub_error (GRUB_ERR_BAD_DEVICE, "could not create SRK
(TPM2_CreatePrimary: 0x%x)", rc);
-
- *srk_handle = tmp_handle;
-
- return GRUB_ERR_NONE;
-}
-
-/*
- * Load the SRK from the persistent handle or create one with a given type of
- * template, and then associate the sealed key with the SRK
- * Return values:
- * - GRUB_ERR_NONE: Everything is fine.
- * - GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one.
- * - Other: Something went wrong.
- */
-static grub_err_t
-tpm2_protector_srk_load (const grub_srk_type_t srk_type,
- const tpm2_sealed_key_t *sealed_key,
- const TPM_HANDLE_t parent,
- TPM_HANDLE_t *sealed_handle,
- TPM_HANDLE_t *srk_handle)
-{
- TPMS_AUTH_COMMAND_t authCmd = {0};
- TPM2B_NAME_t name = {0};
- TPM_RC_t rc;
- grub_err_t err;
-
- if (srk_handle == NULL)
- return GRUB_ERR_BUG;
-
- if (*srk_handle != 0)
- {
- err = tpm2_protector_srk_check (*srk_handle);
- if (err != GRUB_ERR_NONE)
- return err;
- }
- else
- {
- err = tpm2_protector_srk_get (srk_type, parent, srk_handle);
- if (err != GRUB_ERR_NONE)
- return err;
- }
-
- /* Load the sealed key and associate it with the SRK */
- authCmd.sessionHandle = TPM_RS_PW;
- rc = grub_tpm2_load (*srk_handle, &authCmd, &sealed_key->private,
&sealed_key->public,
- sealed_handle, &name, NULL);
- /*
- * If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it
- * implies the wrong SRK is used.
- */
- if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1))
- {
- err = grub_error (GRUB_ERR_BAD_ARGUMENT, "SRK not matched");
- goto error;
- }
- else if (rc != TPM_RC_SUCCESS)
- {
- err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to load sealed key
(TPM2_Load: 0x%x)", rc);
- goto error;
- }
-
- return GRUB_ERR_NONE;
-
- error:
- if (!TPM_HT_IS_PERSISTENT (*srk_handle))
- grub_tpm2_flushcontext (*srk_handle);
-
- return err;
-}
-
-static const char *
-srk_type_to_name (grub_srk_type_t srk_type)
-{
- if (srk_type.type == TPM_ALG_ECC && srk_type.detail.ecc_curve ==
TPM_ECC_NIST_P256)
- return "ECC_NIST_P256";
- else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
- return "RSA2048";
-
- return "Unknown";
-}
-
static grub_err_t
tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
const tpm2_sealed_key_t *sealed_key,
diff --git a/grub-core/commands/tpm2_key_protector/tpm2.h
b/grub-core/commands/tpm2_key_protector/tpm2.h
index 1c1d871b4..bb86b2e20 100644
--- a/grub-core/commands/tpm2_key_protector/tpm2.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2.h
@@ -33,4 +33,14 @@ struct tpm2_sealed_key {
};
typedef struct tpm2_sealed_key tpm2_sealed_key_t;
+struct grub_srk_type
+{
+ TPMI_ALG_PUBLIC_t type;
+ union {
+ TPM_KEY_BITS_t rsa_bits;
+ TPM_ECC_CURVE_t ecc_curve;
+ } detail;
+};
+typedef struct grub_srk_type grub_srk_type_t;
+
#endif /* ! GRUB_TPM2_TPM2_HEADER */
diff --git a/grub-core/commands/tpm2_key_protector/tpm2_args.h
b/grub-core/commands/tpm2_key_protector/tpm2_args.h
index bdbf9f373..ae051dcc8 100644
--- a/grub-core/commands/tpm2_key_protector/tpm2_args.h
+++ b/grub-core/commands/tpm2_key_protector/tpm2_args.h
@@ -21,18 +21,7 @@
#define GRUB_TPM2_INTERNAL_ARGS_HEADER 1
#include <grub/err.h>
-
-#include "tpm2.h"
-
-struct grub_srk_type
-{
- TPMI_ALG_PUBLIC_t type;
- union {
- TPM_KEY_BITS_t rsa_bits;
- TPM_ECC_CURVE_t ecc_curve;
- } detail;
-};
-typedef struct grub_srk_type grub_srk_type_t;
+#include "tpm2srk.h"
extern grub_err_t
grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs, grub_uint8_t
*pcr_count);
diff --git a/grub-core/commands/tpm2_key_protector/tpm2srk.c
b/grub-core/commands/tpm2_key_protector/tpm2srk.c
new file mode 100644
index 000000000..8eae091ce
--- /dev/null
+++ b/grub-core/commands/tpm2_key_protector/tpm2srk.c
@@ -0,0 +1,191 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
+ * Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "tpm2srk.h"
+
+#include <grub/dl.h>
+#include <grub/misc.h>
+#include <grub/types.h>
+#include <stddef.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+/* Check if the SRK exists in the specified handle */
+grub_err_t
+tpm2_protector_srk_check (const TPM_HANDLE_t srk_handle)
+{
+ TPM_RC_t rc;
+ TPM2B_PUBLIC_t public;
+
+ /* Find SRK */
+ rc = grub_tpm2_readpublic (srk_handle, NULL, &public);
+ if (rc == TPM_RC_SUCCESS)
+ return GRUB_ERR_NONE;
+
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to retrieve SRK from 0x%x
(TPM2_ReadPublic: 0x%x)", srk_handle, rc);
+}
+
+/* Get the SRK with the template */
+grub_err_t
+tpm2_protector_srk_get (const grub_srk_type_t srk_type,
+ const TPM_HANDLE_t parent,
+ TPM_HANDLE_t *srk_handle)
+{
+ TPM_RC_t rc;
+ TPMT_PUBLIC_PARMS_t parms = {0};
+ TPMS_AUTH_COMMAND_t authCommand = {0};
+ TPM2B_SENSITIVE_CREATE_t inSensitive = {0};
+ TPM2B_PUBLIC_t inPublic = {0};
+ TPM2B_DATA_t outsideInfo = {0};
+ TPML_PCR_SELECTION_t creationPcr = {0};
+ TPM2B_PUBLIC_t outPublic = {0};
+ TPM2B_CREATION_DATA_t creationData = {0};
+ TPM2B_DIGEST_t creationHash = {0};
+ TPMT_TK_CREATION_t creationTicket = {0};
+ TPM2B_NAME_t srkName = {0};
+ TPM_HANDLE_t tmp_handle = 0;
+
+ inPublic.publicArea.type = srk_type.type;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.objectAttributes.restricted = 1;
+ inPublic.publicArea.objectAttributes.userWithAuth = 1;
+ inPublic.publicArea.objectAttributes.decrypt = 1;
+ inPublic.publicArea.objectAttributes.fixedTPM = 1;
+ inPublic.publicArea.objectAttributes.fixedParent = 1;
+ inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+ inPublic.publicArea.objectAttributes.noDA = 1;
+
+ if (srk_type.type == TPM_ALG_RSA)
+ {
+ inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm =
TPM_ALG_AES;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes =
TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits =
srk_type.detail.rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ }
+ else if (srk_type.type == TPM_ALG_ECC)
+ {
+ inPublic.publicArea.parameters.eccDetail.symmetric.algorithm =
TPM_ALG_AES;
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes =
TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID =
srk_type.detail.ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ }
+ else
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown SRK algorithm");
+
+ /* Test the parameters before SRK generation */
+ parms.type = srk_type.type;
+ grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters,
+ sizeof (TPMU_PUBLIC_PARMS_t));
+
+ rc = grub_tpm2_testparms (&parms, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "unsupported SRK template
(TPM2_TestParms: 0x%x)", rc);
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ rc = grub_tpm2_createprimary (parent, &authCommand, &inSensitive, &inPublic,
+ &outsideInfo, &creationPcr, &tmp_handle,
&outPublic,
+ &creationData, &creationHash, &creationTicket,
+ &srkName, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE, "could not create SRK
(TPM2_CreatePrimary: 0x%x)", rc);
+
+ *srk_handle = tmp_handle;
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * Load the SRK from the persistent handle or create one with a given type of
+ * template, and then associate the sealed key with the SRK
+ * Return values:
+ * - GRUB_ERR_NONE: Everything is fine.
+ * - GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one.
+ * - Other: Something went wrong.
+ */
+grub_err_t
+tpm2_protector_srk_load (const grub_srk_type_t srk_type,
+ const tpm2_sealed_key_t *sealed_key,
+ const TPM_HANDLE_t parent,
+ TPM_HANDLE_t *sealed_handle,
+ TPM_HANDLE_t *srk_handle)
+{
+ TPMS_AUTH_COMMAND_t authCmd = {0};
+ TPM2B_NAME_t name = {0};
+ TPM_RC_t rc;
+ grub_err_t err;
+
+ if (srk_handle == NULL)
+ return GRUB_ERR_BUG;
+
+ if (*srk_handle != 0)
+ {
+ err = tpm2_protector_srk_check (*srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+ else
+ {
+ err = tpm2_protector_srk_get (srk_type, parent, srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
+ rc = grub_tpm2_load (*srk_handle, &authCmd, &sealed_key->private,
&sealed_key->public,
+ sealed_handle, &name, NULL);
+ /*
+ * If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it
+ * implies the wrong SRK is used.
+ */
+ if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1))
+ {
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, "SRK not matched");
+ goto error;
+ }
+ else if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to load sealed key
(TPM2_Load: 0x%x)", rc);
+ goto error;
+ }
+
+ return GRUB_ERR_NONE;
+
+ error:
+ if (!TPM_HT_IS_PERSISTENT (*srk_handle))
+ grub_tpm2_flushcontext (*srk_handle);
+
+ return err;
+}
+
+const char *
+srk_type_to_name (grub_srk_type_t srk_type)
+{
+ if (srk_type.type == TPM_ALG_ECC && srk_type.detail.ecc_curve ==
TPM_ECC_NIST_P256)
+ return "ECC_NIST_P256";
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
+ return "RSA2048";
+
+ return "Unknown";
+}
\ No newline at end of file
diff --git a/grub-core/commands/tpm2_key_protector/tpm2srk.h
b/grub-core/commands/tpm2_key_protector/tpm2srk.h
new file mode 100644
index 000000000..d84e67054
--- /dev/null
+++ b/grub-core/commands/tpm2_key_protector/tpm2srk.h
@@ -0,0 +1,44 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
+ * Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_TPM2_INTERNAL_SRK_HEADER
+#define GRUB_TPM2_INTERNAL_SRK_HEADER 1
+
+#include <grub/err.h>
+#include "tpm2.h"
+
+grub_err_t
+tpm2_protector_srk_check (const TPM_HANDLE_t srk_handle);
+
+grub_err_t
+tpm2_protector_srk_get (const grub_srk_type_t srk_type,
+ const TPM_HANDLE_t parent,
+ TPM_HANDLE_t *srk_handle);
+
+grub_err_t
+tpm2_protector_srk_load (const grub_srk_type_t srk_type,
+ const tpm2_sealed_key_t *sealed_key,
+ const TPM_HANDLE_t parent,
+ TPM_HANDLE_t *sealed_handle,
+ TPM_HANDLE_t *srk_handle);
+
+const char *
+srk_type_to_name (grub_srk_type_t srk_type);
+
+#endif //GRUB_TPM2_INTERNAL_SRK_HEADER
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 40d4a3fc5..bda7ec239 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -534,18 +534,10 @@ protect_tpm2_get_policy_digest (protect_args_t *args,
TPM2B_DIGEST_t *digest)
static grub_err_t
protect_tpm2_get_srk (protect_args_t *args, TPM_HANDLE_t *srk)
{
+ grub_err_t ret;
TPM_RC_t rc;
TPM2B_PUBLIC_t public;
TPMS_AUTH_COMMAND_t authCommand = {0};
- TPM2B_SENSITIVE_CREATE_t inSensitive = {0};
- TPM2B_PUBLIC_t inPublic = {0};
- TPM2B_DATA_t outsideInfo = {0};
- TPML_PCR_SELECTION_t creationPcr = {0};
- TPM2B_PUBLIC_t outPublic = {0};
- TPM2B_CREATION_DATA_t creationData = {0};
- TPM2B_DIGEST_t creationHash = {0};
- TPMT_TK_CREATION_t creationTicket = {0};
- TPM2B_NAME_t srkName = {0};
TPM_HANDLE_t srkHandle;
if (args->tpm2_srk != 0)
@@ -567,50 +559,11 @@ protect_tpm2_get_srk (protect_args_t *args, TPM_HANDLE_t
*srk)
}
}
- /* Create SRK */
authCommand.sessionHandle = TPM_RS_PW;
- inPublic.publicArea.type = args->srk_type.type;
- inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
- inPublic.publicArea.objectAttributes.restricted = 1;
- inPublic.publicArea.objectAttributes.userWithAuth = 1;
- inPublic.publicArea.objectAttributes.decrypt = 1;
- inPublic.publicArea.objectAttributes.fixedTPM = 1;
- inPublic.publicArea.objectAttributes.fixedParent = 1;
- inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
- inPublic.publicArea.objectAttributes.noDA = 1;
-
- switch (args->srk_type.type)
- {
- case TPM_ALG_RSA:
- inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm =
TPM_ALG_AES;
- inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
- inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes =
TPM_ALG_CFB;
- inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
- inPublic.publicArea.parameters.rsaDetail.keyBits =
args->srk_type.detail.rsa_bits;
- inPublic.publicArea.parameters.rsaDetail.exponent = 0;
- break;
-
- case TPM_ALG_ECC:
- inPublic.publicArea.parameters.eccDetail.symmetric.algorithm =
TPM_ALG_AES;
- inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
- inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes =
TPM_ALG_CFB;
- inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
- inPublic.publicArea.parameters.eccDetail.curveID =
args->srk_type.detail.ecc_curve;
- inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
- break;
-
- default:
- return GRUB_ERR_BAD_ARGUMENT;
- }
-
- rc = grub_tpm2_createprimary (TPM_RH_OWNER, &authCommand, &inSensitive,
&inPublic,
- &outsideInfo, &creationPcr, &srkHandle,
&outPublic,
- &creationData, &creationHash, &creationTicket,
- &srkName, NULL);
- if (rc != TPM_RC_SUCCESS)
+ ret = tpm2_protector_srk_get(args->srk_type, TPM_RH_OWNER, &srkHandle);
+ if (ret != GRUB_ERR_NONE)
{
- fprintf (stderr, "Failed to create SRK (TPM2_CreatePrimary: 0x%x).\n",
rc);
- return GRUB_ERR_BAD_DEVICE;
+ return ret;
}
/* Persist SRK */
--
2.39.5
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
