This patch series introduces the Multi-Factor Authentication (MFA) key
protector module to GRUB.

Currently, GRUB supports unlocking encrypted partitions (e.g., LUKS) via
single-factor methods such as a passphrase, a key file, or the key
unsealed by TPM2. To enhance security, this series implements a
split-key architecture where the final disk encryption key is derived by
combining partial keys from two distinct sources. This ensures that
compromising a single factor (e.g., stealing a USB drive with a key file)
is insufficient to unlock the disk.

The mfa module acts as a meta-protector that orchestrates the retrieval
of key segments from two underlying key protectors. The final key is
constructed by concatenating the output of Factor 1 and Factor 2.

To support this, the series also introduces two basic key protectors:
- File key protector: Reads a key (or partial key) from a file on disk.
- Password key protector: Prompts the user for a passphrase
                          (or uses a static string).

A typical workflow involves combining a key file stored on an external
drive with a user-supplied passphrase:

  file_key_protector_init -k (hd0,gpt1)/efi/grub/keyfile.bin
  mfa_key_protector_init -1 file -2 password
  cryptomount -u <UUID> -P mfa

Alternatively, the key file can be sealed with the TPM.

  tpm2_key_protector_init -T (hd0,gpt1)/efi/grub/sealed.tpm
  mfa_key_protector_init -1 tpm2 -2 password
  cryptomount -u <UUID> -P mfa

NOTE: The password key protector is initialized implicitly, so
      'pw_key_protector_init' is usually omitted.

Gary Lin (3):
  key_protector: Add MFA key protector
  docs: Add documentation for MFA key protector
  tests: Add mfa_key_protector_test

 Makefile.util.def               |   6 +
 docs/grub.texi                  | 188 +++++++++++
 grub-core/Makefile.core.def     |   5 +
 grub-core/commands/mfa.c        | 576 ++++++++++++++++++++++++++++++++
 tests/mfa_key_protector_test.in | 123 +++++++
 5 files changed, 898 insertions(+)
 create mode 100644 grub-core/commands/mfa.c
 create mode 100644 tests/mfa_key_protector_test.in

-- 
2.51.0


_______________________________________________
Grub-devel mailing list
https://lists.gnu.org/mailman/listinfo/grub-devel