> On 15 Jul 2025, at 11:06 AM, Gary Lin <g...@suse.com> wrote: > > This commit introduces the definition of grub_tcg2_cap_pcr(), a new > function designed to enhance the security of sealed keys. Its primary > purpose is to "cap" a specific PCR by extending it with an EV_SEPARATOR > event. This action cryptographically alters the PCR value, making it > impossible to unseal any key that was previously sealed to the original > PCR state. Consequently, the sealed key remains protected against > unauthorized unsealing attempts until the associated PCRs are reset to > their initial configuration, typically occurring during a subsequent > system boot. > > Signed-off-by: Gary Lin <g...@suse.com> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com <mailto:sudha...@linux.ibm.com>> Thanks, Sudhakar > --- > grub-core/lib/tss2/tcg2.h | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/grub-core/lib/tss2/tcg2.h b/grub-core/lib/tss2/tcg2.h > index 3d26373dd..c7e80d355 100644 > --- a/grub-core/lib/tss2/tcg2.h > +++ b/grub-core/lib/tss2/tcg2.h > @@ -23,6 +23,8 @@ > #include <grub/err.h> > #include <grub/types.h> > > +#define EV_SEPARATOR 0x04 > + > extern grub_err_t > grub_tcg2_get_max_output_size (grub_size_t *size); > > @@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size, > grub_size_t output_size, > grub_uint8_t *output); > > +extern grub_err_t > +grub_tcg2_cap_pcr (grub_uint8_t pcr); > + > #endif /* ! GRUB_TPM2_TCG2_HEADER */ > -- > 2.43.0 >
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
