For users who require a sealed key to be unsealable only once per boot
process, a straightforward technique involves "capping" the key by
extending the associated PCRs. This patch set introduces PCR capping
support for the TPM2 key protector, allowing users to select specific
PCRs to extend immediately after the key is unsealed.

v3:
  - Amending the conditional check for the event buffer in efi/tcg2.c
v2:
  - Fixing typos
  - Moving the error message to grub_ieee1275_ibmvtpm_2hash_ext_log()
  - Replacing 'SEPARATOR' with 'EV_SEPARATOR'
  - Amending the conditional check for grub_tpm2_buffer.error
  - Removing the unnecessary 'extern' from grub_tpm2_pcr_event()

Gary Lin (7):
  tss2: Add TPM2_PCR_Event command
  tss2: Introduce grub_tcg2_cap_pcr()
  tss2: Implement grub_tcg2_cap_pcr() for EFI
  tss2: Implement grub_tcg2_cap_pcr() for ieee1275
  tss2: Implement grub_tcg2_cap_pcr() for EMU
  tpm2_key_protector: Support PCR capping
  tests/tpm2_key_protector_test: Add a test for PCR Capping

 docs/grub.texi                                | 20 +++++-
 grub-core/commands/ieee1275/ibmvtpm.c         | 59 ++---------------
 .../commands/tpm2_key_protector/module.c      | 56 +++++++++++++++-
 grub-core/lib/efi/tcg2.c                      | 40 ++++++++++++
 grub-core/lib/ieee1275/tcg2.c                 | 65 +++++++++++++++++++
 grub-core/lib/tss2/tcg2.h                     |  5 ++
 grub-core/lib/tss2/tcg2_emu.c                 | 20 ++++++
 grub-core/lib/tss2/tpm2_cmd.c                 | 51 +++++++++++++++
 grub-core/lib/tss2/tpm2_cmd.h                 |  7 ++
 grub-core/lib/tss2/tss2_mu.c                  | 18 +++++
 grub-core/lib/tss2/tss2_mu.h                  |  4 ++
 grub-core/lib/tss2/tss2_structs.h             |  7 ++
 grub-core/lib/tss2/tss2_types.h               |  1 +
 grub-core/normal/main.c                       |  2 +-
 include/grub/ieee1275/tpm.h                   |  5 ++
 tests/tpm2_key_protector_test.in              | 65 +++++++++++++++++++
 16 files changed, 367 insertions(+), 58 deletions(-)

Range-diff against v2:
1:  e5d305b83 ! 1:  7af983a49 tss2: Add TPM2_PCR_Event command
    @@ Commit message
         only available method to extend PCRs.
     
         Signed-off-by: Gary Lin <[email protected]>
    +    Reviewed-by: Sudhakar Kuppusamy <[email protected]>
     
      ## grub-core/lib/tss2/tpm2_cmd.c ##
     @@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_flushcontext (const 
TPMI_DH_CONTEXT_t handle)
2:  5b30f6086 ! 2:  49989cc29 tss2: Introduce grub_tcg2_cap_pcr()
    @@ Commit message
     
         Signed-off-by: Gary Lin <[email protected]>
         Reviewed-by: Stefan Berger <[email protected]>
    +    Reviewed-by: Sudhakar Kuppusamy <[email protected]>
     
      ## grub-core/lib/tss2/tcg2.h ##
     @@
3:  18d5616e5 ! 3:  2e13a73ee tss2: Implement grub_tcg2_cap_pcr() for EFI
    @@ Commit message
     
         Signed-off-by: Gary Lin <[email protected]>
         Reviewed-by: Stefan Berger <[email protected]>
    +    Reviewed-by: Sudhakar Kuppusamy <[email protected]>
     
      ## grub-core/lib/efi/tcg2.c ##
     @@
    @@ grub-core/lib/efi/tcg2.c: grub_tcg2_submit_command (grub_size_t 
input_size,
     +    return err;
     +
     +  event = grub_zalloc (sizeof (EFI_TCG2_EVENT) + sizeof (separator));
    -+  if (!event)
    ++  if (event == NULL)
     +    return grub_error (GRUB_ERR_OUT_OF_MEMORY,
     +                 N_("cannot allocate TPM event buffer"));
     +
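Review bot: the `if (event == NULL)` change in `grub_tcg2_cap_pcr()` is purely stylistic and the early return on allocation failure is correct since nothing has been allocated yet; the range-diff excerpt stops right after the `grub_zalloc`, so it does not show the later path where `event` is submitted and released, which is where the full patch should be checked for a matching `grub_free (event)` on both the success and the error return.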
4:  90fa6721e = 4:  74c21cb37 tss2: Implement grub_tcg2_cap_pcr() for ieee1275
5:  ecce46cea ! 5:  b8d3a3311 tss2: Implement grub_tcg2_cap_pcr() for EMU
    @@ Commit message
     
         Signed-off-by: Gary Lin <[email protected]>
         Reviewed-by: Stefan Berger <[email protected]>
    +    Reviewed-by: Sudhakar Kuppusamy <[email protected]>
     
      ## grub-core/lib/tss2/tcg2_emu.c ##
     @@
6:  51bc918a6 = 6:  567c8067c tpm2_key_protector: Support PCR capping
7:  7d101189b = 7:  d09ab8a1e tests/tpm2_key_protector_test: Add a test for PCR Capping
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
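The mechanism the cover letter describes, as an added illustration that is not part of the patch series and is not GRUB or tss2 code: a constructed, simplified model of a SHA-256 PCR bank in which a key is bound to selected PCRs with a TPM2_PolicyPCR-style digest, unsealed once, and then "capped" by extending one of those PCRs with a separator-like event so the same policy can no longer be satisfied until the next boot. The PCR indices, the measurement strings and the capping event data are constructed placeholders, and the policy-digest computation abbreviates the real TPML_PCR_SELECTION marshalling to a list of index bytes.

```python
import hashlib

HASH = hashlib.sha256
DIGEST_LEN = HASH().digest_size
# TPM 2.0 command code of TPM2_PolicyPCR, mixed into the policy digest
TPM_CC_POLICYPCR = (0x0000017F).to_bytes(4, "big")
# Constructed event data for the capping extend; it stands in for the
# separator event GRUB logs, the bytes are not taken from the patch set.
CAP_EVENT = b"EV_SEPARATOR (constructed placeholder)"


class PcrBank:
    """Toy model of a TPM's SHA-256 PCR bank (constructed, not tss2 code)."""

    def __init__(self, count=24):
        self.pcrs = [bytes(DIGEST_LEN) for _ in range(count)]

    def extend(self, index, digest):
        # TPM2_PCR_Extend: PCR[i] = H(PCR[i] || digest); the old value is gone
        if len(digest) != DIGEST_LEN:
            raise ValueError("digest must be a SHA-256 value")
        self.pcrs[index] = HASH(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def event(self, index, data):
        # TPM2_PCR_Event: the TPM hashes the event data itself, then extends
        return self.extend(index, HASH(data).digest())

    def policy_pcr(self, selection):
        # Simplified TPM2_PolicyPCR on a fresh policy session:
        # policyDigest = H(0^n || TPM_CC_PolicyPCR || pcrSelect || H(selected PCR values))
        sel = tuple(sorted(selection))
        pcr_select = bytes(sel)  # simplification of TPML_PCR_SELECTION
        pcr_digest = HASH(b"".join(self.pcrs[i] for i in sel)).digest()
        return HASH(bytes(DIGEST_LEN) + TPM_CC_POLICYPCR + pcr_select + pcr_digest).digest()


def seal(tpm, secret, selection):
    """Bind a secret to the current values of the selected PCRs."""
    return {"policy": tpm.policy_pcr(selection),
            "selection": tuple(sorted(selection)),
            "secret": secret}


def unseal(tpm, sealed):
    """Release the secret only while the PCR policy still matches; None otherwise."""
    if tpm.policy_pcr(sealed["selection"]) != sealed["policy"]:
        return None
    return sealed["secret"]


def unseal_and_cap(tpm, sealed, cap_pcrs):
    """Unseal, then immediately extend the chosen PCRs so a second unseal fails this boot."""
    secret = unseal(tpm, sealed)
    if secret is None:
        return None
    for index in cap_pcrs:
        tpm.event(index, CAP_EVENT)
    return secret


def demo():
    tpm = PcrBank()
    # Constructed measurements: firmware extended PCR 7, the boot loader PCR 8
    tpm.event(7, b"constructed secure boot policy measurement")
    tpm.event(8, b"constructed grub.cfg measurement")
    sealed = seal(tpm, b"disk-unlock-key", selection=[7, 8])

    first = unseal_and_cap(tpm, sealed, cap_pcrs=[8])
    second = unseal(tpm, sealed)  # same boot, PCR 8 is already capped
    return first, second


def cap_outside_policy():
    """Caveat: capping a PCR the policy does not cover leaves the key unsealable."""
    tpm = PcrBank()
    sealed = seal(tpm, b"k", selection=[7])
    unseal_and_cap(tpm, sealed, cap_pcrs=[8])
    return unseal(tpm, sealed) is not None


if __name__ == "__main__":
    print(demo())
    print("cap outside policy still unseals:", cap_outside_policy())
```

The `cap_outside_policy()` case is the check worth keeping in mind when choosing which PCRs to cap: the extend only prevents a second unseal if at least one of the capped PCRs is part of the policy the key was sealed against.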