For users who require a sealed key to be unsealable only once per boot
process, a straightforward technique involves "capping" the key by
extending the associated PCRs. This patch set introduces PCR capping
support for the TPM2 key protector, allowing users to select specific
PCRs to extend immediately after the key is unsealed.
v4:
- Replacing 'EV_SEPARATOR' with 'GRUB_EV_SEPARATOR'
v3:
- Amending the conditional check for the event buffer in efi/tcg2.c
v2:
- Fixing typos
- Moving the error message to grub_ieee1275_ibmvtpm_2hash_ext_log()
- Replacing 'SEPARATOR' with 'EV_SEPARATOR'
- Amending the conditional check for grub_tpm2_buffer.error
- Removing the unnecessary 'extern' from grub_tpm2_pcr_event()
Gary Lin (7):
tss2: Add TPM2_PCR_Event command
tss2: Introduce grub_tcg2_cap_pcr()
tss2: Implement grub_tcg2_cap_pcr() for EFI
tss2: Implement grub_tcg2_cap_pcr() for ieee1275
tss2: Implement grub_tcg2_cap_pcr() for EMU
tpm2_key_protector: Support PCR capping
tests/tpm2_key_protector_test: Add a test for PCR Capping
docs/grub.texi | 20 +++++-
grub-core/commands/ieee1275/ibmvtpm.c | 59 ++---------------
.../commands/tpm2_key_protector/module.c | 56 +++++++++++++++-
grub-core/lib/efi/tcg2.c | 40 ++++++++++++
grub-core/lib/ieee1275/tcg2.c | 65 +++++++++++++++++++
grub-core/lib/tss2/tcg2.h | 5 ++
grub-core/lib/tss2/tcg2_emu.c | 20 ++++++
grub-core/lib/tss2/tpm2_cmd.c | 51 +++++++++++++++
grub-core/lib/tss2/tpm2_cmd.h | 7 ++
grub-core/lib/tss2/tss2_mu.c | 18 +++++
grub-core/lib/tss2/tss2_mu.h | 4 ++
grub-core/lib/tss2/tss2_structs.h | 7 ++
grub-core/lib/tss2/tss2_types.h | 1 +
grub-core/normal/main.c | 2 +-
include/grub/ieee1275/tpm.h | 5 ++
tests/tpm2_key_protector_test.in | 65 +++++++++++++++++++
16 files changed, 367 insertions(+), 58 deletions(-)
Range-diff against v3:
1: 7af983a49 ! 1: 745fd15f1 tss2: Add TPM2_PCR_Event command
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## grub-core/lib/tss2/tpm2_cmd.c ##
@@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_flushcontext (const
TPMI_DH_CONTEXT_t handle)
2: 49989cc29 ! 2: 9afe3c7a0 tss2: Introduce grub_tcg2_cap_pcr()
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## grub-core/lib/tss2/tcg2.h ##
@@
#include <grub/err.h>
#include <grub/types.h>
-+#define EV_SEPARATOR 0x04
++#define GRUB_EV_SEPARATOR 0x04
+
extern grub_err_t
grub_tcg2_get_max_output_size (grub_size_t *size);
3: 2e13a73ee ! 3: b99969cdc tss2: Implement grub_tcg2_cap_pcr() for EFI
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## grub-core/lib/efi/tcg2.c ##
@@
@@ grub-core/lib/efi/tcg2.c: grub_tcg2_submit_command (grub_size_t
input_size,
+ event->Header.HeaderSize = sizeof (EFI_TCG2_EVENT_HEADER);
+ event->Header.HeaderVersion = 1;
+ event->Header.PCRIndex = pcr;
-+ event->Header.EventType = EV_SEPARATOR;
++ event->Header.EventType = GRUB_EV_SEPARATOR;
+ event->Size = sizeof (*event) - sizeof (event->Event) + sizeof
(separator);
+ grub_memcpy (event->Event, separator, sizeof (separator));
+
4: 74c21cb37 ! 4: 85cfbbb5f tss2: Implement grub_tcg2_cap_pcr() for ieee1275
@@ Commit message
and exported as a global function.
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## grub-core/commands/ieee1275/ibmvtpm.c ##
@@
@@ grub-core/lib/ieee1275/tcg2.c: grub_tcg2_submit_command (grub_size_t
input_size,
+ static int error_displayed = 0;
+ grub_err_t err;
+
-+ err = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_SEPARATOR,
++ err = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, GRUB_EV_SEPARATOR,
+ separator, sizeof(separator),
+ separator, sizeof(separator));
+ if (err != GRUB_ERR_NONE && !error_displayed)
5: b8d3a3311 ! 5: bf26100d1 tss2: Implement grub_tcg2_cap_pcr() for EMU
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## grub-core/lib/tss2/tcg2_emu.c ##
@@
6: 567c8067c ! 6: 8640cd6a1 tpm2_key_protector: Support PCR capping
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## docs/grub.texi ##
@@ docs/grub.texi: either @var{expression1} or @var{expression2} is true
7: d09ab8a1e ! 7: 2c5543cad tests/tpm2_key_protector_test: Add a test for PCR
Capping
@@ Commit message
Signed-off-by: Gary Lin <[email protected]>
Reviewed-by: Stefan Berger <[email protected]>
Reviewed-by: Sudhakar Kuppusamy <[email protected]>
+ Reviewed-by: Daniel Kiper <[email protected]>
## tests/tpm2_key_protector_test.in ##
@@ tests/tpm2_key_protector_test.in: EOF
--
2.51.0
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
