Re: [PATCH 1/1] util/grub-mkrescue: Check existence of option arguments

2024-06-19 Thread Daniel Kiper
On Mon, Jun 17, 2024 at 09:03:00PM +0200, Thomas Schmitt via Grub-devel wrote:
> As reported by Victoriia Egorova in bug 65880, grub-mkrescue does not
> verify that the expected argument of an option like -d or -k does really
> exist in argv.
> So check the loop counter before incrementing it inside the loop which
> copies argv to argp_argv. Issue an error message similar to what older
> versions of grub-mkrescue did with a missing argument (e.g. 2.02).
>
> Fixes: https://savannah.gnu.org/bugs/index.php?65880
> Signed-off-by: Thomas Schmitt 

Reviewed-by: Daniel Kiper 

Daniel

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel


Re: [PATCH v17 11/20] key_protector: Add TPM2 Key Protector

2024-06-19 Thread Daniel Kiper via Grub-devel
On Fri, Jun 14, 2024 at 02:45:44PM +0800, Gary Lin wrote:
> From: Hernan Gatta 
>
> The TPM2 key protector is a module that enables the automatic retrieval
> of a fully-encrypted disk's unlocking key from a TPM 2.0.
>
> The theory of operation is such that the module accepts various
> arguments, most of which are optional and therefore possess reasonable
> defaults. One of these arguments is the keyfile/tpm2key parameter, which
> is mandatory. There are two supported key formats:
>
> 1. Raw Sealed Key (--keyfile)
>When sealing a key with TPM2_Create, the public portion of the sealed
>key is stored in TPM2B_PUBLIC, and the private portion is in
>TPM2B_PRIVATE. The raw sealed key glues the fully marshalled
>TPM2B_PUBLIC and TPM2B_PRIVATE into one file.
>
> 2. TPM 2.0 Key (--tpm2key)
>The following is the ASN.1 definition of TPM 2.0 Key File:
>
>TPMPolicy ::= SEQUENCE {
>  CommandCode   [0] EXPLICIT INTEGER
>  CommandPolicy [1] EXPLICIT OCTET STRING
>}
>
>TPMAuthPolicy ::= SEQUENCE {
>  Name[0] EXPLICIT UTF8STRING OPTIONAL
>  Policy  [1] EXPLICIT SEQUENCE OF TPMPolicy
>}
>
>TPMKey ::= SEQUENCE {
>  typeOBJECT IDENTIFIER
>  emptyAuth   [0] EXPLICIT BOOLEAN OPTIONAL
>  policy  [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
>  secret  [2] EXPLICIT OCTET STRING OPTIONAL
>  authPolicy  [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL
>  description [4] EXPLICIT UTF8String OPTIONAL,
>  rsaParent   [5] EXPLICIT BOOLEAN OPTIONAL,
>  parent  INTEGER
>  pubkey  OCTET STRING
>  privkey OCTET STRING
>}
>
>   The TPM2 key protector only expects a "sealed" key in DER encoding,
>   so 'type' is always 2.23.133.10.1.5, 'emptyAuth' is 'TRUE', and
>   'secret' is empty. 'policy' and 'authPolicy' are the possible policy
>   command sequences to construct the policy digest to unseal the key.
>   Similar to the raw sealed key, the public portion (TPM2B_PUBLIC) of
>   the sealed key is stored in 'pubkey', and the private portion
>   (TPM2B_PRIVATE) is in 'privkey'.
>
>   For more details: https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
>
> This sealed key file is created via the grub-protect tool. The tool
> utilizes the TPM's sealing functionality to seal (i.e., encrypt) an
> unlocking key using a Storage Root Key (SRK) to the values of various
> Platform Configuration Registers (PCRs). These PCRs reflect the state
> of the system as it boots. If the values are as expected, the system
> may be considered trustworthy, at which point the TPM allows for a
> caller to utilize the private component of the SRK to unseal (i.e.,
> decrypt) the sealed key file. The caller, in this case, is this key
> protector.
>
> The TPM2 key protector registers two commands:
>
> - tpm2_key_protector_init: Initializes the state of the TPM2 key
>protector for later usage, clearing any
>previous state, too, if any.
>
> - tpm2_key_protector_clear: Clears any state set by tpm2_key_protector_init.
>
> The way this is expected to be used requires the user to, either
> interactively or, normally, via a boot script, initialize/configure
> the key protector and then specify that it be used by the 'cryptomount'
> command (modifications to this command are in a different patch).
>
> For instance, to unseal the raw sealed key file:
>
> tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key
> cryptomount -u  -P tpm2
>
> tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key --pcrs=7,11
> cryptomount -u  -P tpm2
>
> Or, to unseal the TPM 2.0 Key file:
>
> tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
> cryptomount -u  -P tpm2
>
> tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm --pcrs=7,11
> cryptomount -u  -P tpm2
>
> If a user does not initialize the key protector and attempts to use it
> anyway, the protector returns an error.
>
> Before unsealing the key, the TPM2 key protector follows the "TPMPolicy"
> sequences to enforce the TPM policy commands to construct a valid policy
> digest to unseal the key.
>
> For the TPM 2.0 Key files, 'authPolicy' may contain multiple "TPMPolicy"
> sequences; the TPM2 key protector iterates 'authPolicy' to find a valid
> sequence to unseal the key. If 'authPolicy' is empty or all sequences in
> 'authPolicy' fail, the protector tries the one from 'policy'. In case
> 'policy' is also empty, the protector creates a "TPMPolicy" sequence
> based on the given PCR selection.
>
> For the raw sealed key, the TPM2 key protector treats the key file as a
> TPM 2.0 Key file without 'authPolicy' and 'policy', so the "TPMPolicy"
> sequence is always based on the PCR selection from the command
> parameters.
>
> This commit only supports one policy command: TPM2_PolicyPCR. The
> command set will be extended to support advanced features, such as
> authorized policy, in the later 

Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)

2024-06-19 Thread Daniel Kiper via Grub-devel
On Wed, Jun 19, 2024 at 02:41:13PM +0800, Gary Lin wrote:
> On Tue, Jun 18, 2024 at 03:30:03PM +0200, Daniel Kiper wrote:
> > On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > > From: Hernan Gatta 
> > >
> > > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > > compose and submit TPM commands and parse responses.
> > >
> > > A limited number of TPM commands may be accessed via the EFI TCG2
> > > protocol. This protocol exposes functionality that is primarily geared
> > > toward TPM usage within the context of Secure Boot. For all other TPM
> > > commands, however, such as sealing and unsealing, this protocol does not
> > > provide any help, with the exception of passthrough command submission.
> > >
> > > The SubmitCommand method allows a caller to send raw commands to the
> > > system's TPM and to receive the corresponding response. These
> > > command/response pairs are formatted using the TPM wire protocol. To
> > > construct commands in this way, and to parse the TPM's response, it is
> > > necessary to, first, possess knowledge of the various TPM structures, and,
> > > second, of the TPM wire protocol itself.
> > >
> > > As such, this patch includes a set of header files that define the
> > > necessary TPM structures and TSS functions, implementations of various
> > > TPM2_* functions (inventoried below), and logic to write and read command
> > > and response buffers, respectively, using the TPM wire protocol.
> > >
> > > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > > TPM2_PolicyAuthorize, TPM2_TestParms
> > >
> > > Signed-off-by: Hernan Gatta 
> > > Signed-off-by: Gary Lin 
> > > Reviewed-by: Stefan Berger 
> > > ---
> > >  grub-core/tpm2/buffer.c|  145 +++
> > >  grub-core/tpm2/mu.c| 1168 
> > >  grub-core/tpm2/tcg2.c  |  143 +++
> > >  grub-core/tpm2/tpm2.c  | 1048 +
> > >  include/grub/tpm2/buffer.h |   65 ++
> > >  include/grub/tpm2/internal/functions.h |  156 
> > >  include/grub/tpm2/internal/structs.h   |  768 
> > >  include/grub/tpm2/internal/types.h |  403 
> > >  include/grub/tpm2/mu.h |  396 
> > >  include/grub/tpm2/tcg2.h   |   34 +
> > >  include/grub/tpm2/tpm2.h   |   34 +
> > >  11 files changed, 4360 insertions(+)
> > >  create mode 100644 grub-core/tpm2/buffer.c
> > >  create mode 100644 grub-core/tpm2/mu.c
> > >  create mode 100644 grub-core/tpm2/tcg2.c
> > >  create mode 100644 grub-core/tpm2/tpm2.c
> > >  create mode 100644 include/grub/tpm2/buffer.h
> > >  create mode 100644 include/grub/tpm2/internal/functions.h
> > >  create mode 100644 include/grub/tpm2/internal/structs.h
> > >  create mode 100644 include/grub/tpm2/internal/types.h
> > >  create mode 100644 include/grub/tpm2/mu.h
> > >  create mode 100644 include/grub/tpm2/tcg2.h
> > >  create mode 100644 include/grub/tpm2/tpm2.h
> > >
> > > diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
> > > new file mode 100644
> > > index 0..cb9f29497
> > > --- /dev/null
> > > +++ b/grub-core/tpm2/buffer.c
> >
> > I think this together with other TPM2 driver files should go to the
> > grub-core/commands/efi/tpm2 directory.
> >
> The TPM2 stack is not EFI only. The only EFI related code is in

Ah, right... Then I think we should have two GRUB modules. One TPM2
generic and one strictly EFI which depends on the generic one.

> grub-core/tpm2/tcg2.c which mainly implements how the TPM2 commands are
> to be submitted. I'd propose to move them to grub-core/commands/tpm2 and
> rename tcg2.c to tcg2-efi.c.

One should land in the grub-core/commands/tss2 directory and another in
the grub-core/commands/efi or grub-core/commands/efi/tpm2 if needed.

[...]

> > > diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
> > > new file mode 100644
> > > index 0..10ed71c04
> > > --- /dev/null
> > > +++ b/grub-core/tpm2/mu.c
> >
> > I can imagine where it comes from but I think it should be efi.c instead
> > of mu.c.
> >
> No, it's not from the MU firmware but stands for Marshal/Unmarshal.
> The similar naming policy from tpm2-tss:
>
> https://github.com/tpm2-software/tpm2-tss/blob/master/include/tss2/tss2_mu.h

Then I would rename mu.c file to tss2_mu.c and replace "_tpm2_mu_"
with "_Tss2_MU_" in function names.

> > > @@ -0,0 +1,1168 @@
> > > +/*
> > > + *  GRUB  --  GRand Unified Bootloader
> > > + *  Copyright (C) 2022 Microsoft Corporation
> > > + *
> > > + *  GRUB is free software: you can redistribute it and/or modify
> > > + *  it under the terms of the GNU General Public License as published by
> > > + *  the Free Software Foundation, either version 3 of the 

Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)

2024-06-19 Thread Daniel Kiper via Grub-devel
On Wed, Jun 19, 2024 at 02:43:08PM +0800, Gary Lin wrote:
> On Tue, Jun 18, 2024 at 05:41:13PM +0200, Daniel Kiper wrote:
> > On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > > From: Hernan Gatta 
> > >
> > > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > > compose and submit TPM commands and parse responses.
> > >
> > > A limited number of TPM commands may be accessed via the EFI TCG2
> > > protocol. This protocol exposes functionality that is primarily geared
> > > toward TPM usage within the context of Secure Boot. For all other TPM
> > > commands, however, such as sealing and unsealing, this protocol does not
> > > provide any help, with the exception of passthrough command submission.
> > >
> > > The SubmitCommand method allows a caller to send raw commands to the
> > > system's TPM and to receive the corresponding response. These
> > > command/response pairs are formatted using the TPM wire protocol. To
> > > construct commands in this way, and to parse the TPM's response, it is
> > > necessary to, first, possess knowledge of the various TPM structures, and,
> > > second, of the TPM wire protocol itself.
> > >
> > > As such, this patch includes a set of header files that define the
> > > necessary TPM structures and TSS functions, implementations of various
> > > TPM2_* functions (inventoried below), and logic to write and read command
> > > and response buffers, respectively, using the TPM wire protocol.
> > >
> > > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > > TPM2_PolicyAuthorize, TPM2_TestParms
> > >
> > > Signed-off-by: Hernan Gatta 
> > > Signed-off-by: Gary Lin 
> > > Reviewed-by: Stefan Berger 
> > > ---
> > >  grub-core/tpm2/buffer.c|  145 +++
> > >  grub-core/tpm2/mu.c| 1168 
> > >  grub-core/tpm2/tcg2.c  |  143 +++
> > >  grub-core/tpm2/tpm2.c  | 1048 +
> > >  include/grub/tpm2/buffer.h |   65 ++
> > >  include/grub/tpm2/internal/functions.h |  156 
> > >  include/grub/tpm2/internal/structs.h   |  768 
> > >  include/grub/tpm2/internal/types.h |  403 
> > >  include/grub/tpm2/mu.h |  396 
> > >  include/grub/tpm2/tcg2.h   |   34 +
> > >  include/grub/tpm2/tpm2.h   |   34 +
> > >  11 files changed, 4360 insertions(+)
> > >  create mode 100644 grub-core/tpm2/buffer.c
> > >  create mode 100644 grub-core/tpm2/mu.c
> > >  create mode 100644 grub-core/tpm2/tcg2.c
> > >  create mode 100644 grub-core/tpm2/tpm2.c
> > >  create mode 100644 include/grub/tpm2/buffer.h
> > >  create mode 100644 include/grub/tpm2/internal/functions.h
> > >  create mode 100644 include/grub/tpm2/internal/structs.h
> > >  create mode 100644 include/grub/tpm2/internal/types.h
> > >  create mode 100644 include/grub/tpm2/mu.h
> > >  create mode 100644 include/grub/tpm2/tcg2.h
> > >  create mode 100644 include/grub/tpm2/tpm2.h
> >
> > And I think this patch can be broken up into smaller parts...
> >
> Then I'll try to split the patch into 3 patches: buffer, mu/structs, and
> TPM2 commands.

Makes sense to me...

Daniel

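The TPM wire-protocol marshalling that the quoted commit message describes, as an added Python example that is not GRUB's TSS code: it builds a TPM2_PCR_Read command for the PCR selection used elsewhere in the thread (PCRs 7 and 11) and parses a success response. The response bytes and the digests in sample_pcr_read_response() are constructed for the test, not read from a TPM.

```python
# Added example, not GRUB's TSS code: TPM wire-protocol marshalling for TPM2_PCR_Read.
# The response bytes in sample_pcr_read_response() are constructed, not from a TPM.
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_PCR_READ = 0x0000017E
TPM_ALG_SHA256 = 0x000B
TPM_RC_SUCCESS = 0x00000000
PCR_SELECT_BYTES = 3                  # sizeofSelect for a 24-PCR bank

def pcr_selection(pcrs, alg=TPM_ALG_SHA256):
    """TPMS_PCR_SELECTION: hash alg, sizeofSelect, bitmap (PCR n -> byte n//8, bit n%8)."""
    bitmap = bytearray(PCR_SELECT_BYTES)
    for pcr in pcrs:
        if not 0 <= pcr < PCR_SELECT_BYTES * 8:
            raise ValueError("PCR index out of range: %d" % pcr)
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    return struct.pack(">HB", alg, PCR_SELECT_BYTES) + bytes(bitmap)

def marshal_pcr_read(pcrs):
    """Command buffer: header (tag, commandSize, commandCode) + TPML_PCR_SELECTION."""
    params = struct.pack(">I", 1) + pcr_selection(pcrs)       # count = 1 selection
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(params), TPM_CC_PCR_READ) + params

def unmarshal_pcr_read_response(buf):
    """Response -> (rc, pcrUpdateCounter, [(alg, [pcr indices])], [digest bytes]).
    Lengths are checked so a short or oversized response is rejected, not misread."""
    tag, size, rc = struct.unpack_from(">HII", buf, 0)
    if size != len(buf):
        raise ValueError("responseSize %d != %d bytes received" % (size, len(buf)))
    if rc != TPM_RC_SUCCESS:
        return rc, None, None, None       # error responses carry no parameters
    pos = 10
    counter, count = struct.unpack_from(">II", buf, pos)
    pos += 8
    selections = []
    for _ in range(count):                # TPML_PCR_SELECTION
        alg, nbytes = struct.unpack_from(">HB", buf, pos)
        pos += 3
        bits = buf[pos:pos + nbytes]
        pos += nbytes
        selections.append((alg, [i for i in range(nbytes * 8) if bits[i // 8] >> (i % 8) & 1]))
    (ndigests,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    digests = []
    for _ in range(ndigests):             # TPML_DIGEST of TPM2B_DIGEST
        (dlen,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        if pos + dlen > len(buf):
            raise ValueError("TPM2B_DIGEST runs past the end of the response")
        digests.append(bytes(buf[pos:pos + dlen]))
        pos += dlen
    return rc, counter, selections, digests

def sample_pcr_read_response():
    """Constructed success response: update counter 5, PCRs 7 and 11, two dummy digests."""
    body = struct.pack(">II", 5, 1) + pcr_selection((7, 11))
    body += struct.pack(">I", 2) + b"".join(struct.pack(">H", 32) + bytes([b]) * 32 for b in (0xAA, 0xBB))
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(body), TPM_RC_SUCCESS) + body
```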


Re: [PATCH v3] Add --noefistub option for linux

2024-06-19 Thread Julian Andres Klode
On Mon, Jun 17, 2024 at 02:52:07PM GMT, Vladimir Serbinenko wrote:
> In some cases, like loading the kernel from a native disk (e.g. nvme) not
> supported by the EFI in question, the EFI stub is not an option. Allow the
> user to disable the EFI stub and fall back to the older protocol.

I'm not sure I follow. The disk does not need to be supported by
EFI for the EFI stub to work, we are loading the kernel into memory
and then running it from a memory device path.

Hence you can run EFI stub fine from anywhere, whether it's an
nvme disk or a squashfs image.

There is a specific problem with looking up the device path, which
I mentioned before: it always uses (root) instead of the actual device
you loaded the kernel from, which is silly.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en



Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)

2024-06-19 Thread Gary Lin via Grub-devel
On Tue, Jun 18, 2024 at 05:41:13PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > From: Hernan Gatta 
> >
> > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > compose and submit TPM commands and parse responses.
> >
> > A limited number of TPM commands may be accessed via the EFI TCG2
> > protocol. This protocol exposes functionality that is primarily geared
> > toward TPM usage within the context of Secure Boot. For all other TPM
> > commands, however, such as sealing and unsealing, this protocol does not
> > provide any help, with the exception of passthrough command submission.
> >
> > The SubmitCommand method allows a caller to send raw commands to the
> > system's TPM and to receive the corresponding response. These
> > command/response pairs are formatted using the TPM wire protocol. To
> > construct commands in this way, and to parse the TPM's response, it is
> > necessary to, first, possess knowledge of the various TPM structures, and,
> > second, of the TPM wire protocol itself.
> >
> > As such, this patch includes a set of header files that define the
> > necessary TPM structures and TSS functions, implementations of various
> > TPM2_* functions (inventoried below), and logic to write and read command
> > and response buffers, respectively, using the TPM wire protocol.
> >
> > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > TPM2_PolicyAuthorize, TPM2_TestParms
> >
> > Signed-off-by: Hernan Gatta 
> > Signed-off-by: Gary Lin 
> > Reviewed-by: Stefan Berger 
> > ---
> >  grub-core/tpm2/buffer.c|  145 +++
> >  grub-core/tpm2/mu.c| 1168 
> >  grub-core/tpm2/tcg2.c  |  143 +++
> >  grub-core/tpm2/tpm2.c  | 1048 +
> >  include/grub/tpm2/buffer.h |   65 ++
> >  include/grub/tpm2/internal/functions.h |  156 
> >  include/grub/tpm2/internal/structs.h   |  768 
> >  include/grub/tpm2/internal/types.h |  403 
> >  include/grub/tpm2/mu.h |  396 
> >  include/grub/tpm2/tcg2.h   |   34 +
> >  include/grub/tpm2/tpm2.h   |   34 +
> >  11 files changed, 4360 insertions(+)
> >  create mode 100644 grub-core/tpm2/buffer.c
> >  create mode 100644 grub-core/tpm2/mu.c
> >  create mode 100644 grub-core/tpm2/tcg2.c
> >  create mode 100644 grub-core/tpm2/tpm2.c
> >  create mode 100644 include/grub/tpm2/buffer.h
> >  create mode 100644 include/grub/tpm2/internal/functions.h
> >  create mode 100644 include/grub/tpm2/internal/structs.h
> >  create mode 100644 include/grub/tpm2/internal/types.h
> >  create mode 100644 include/grub/tpm2/mu.h
> >  create mode 100644 include/grub/tpm2/tcg2.h
> >  create mode 100644 include/grub/tpm2/tpm2.h
> 
> And I think this patch can be broken up into smaller parts...
> 
Then I'll try to split the patch into 3 patches: buffer, mu/structs, and
TPM2 commands.

Gary Lin



Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS)

2024-06-19 Thread Gary Lin via Grub-devel
On Tue, Jun 18, 2024 at 03:30:03PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > From: Hernan Gatta 
> >
> > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > compose and submit TPM commands and parse responses.
> >
> > A limited number of TPM commands may be accessed via the EFI TCG2
> > protocol. This protocol exposes functionality that is primarily geared
> > toward TPM usage within the context of Secure Boot. For all other TPM
> > commands, however, such as sealing and unsealing, this protocol does not
> > provide any help, with the exception of passthrough command submission.
> >
> > The SubmitCommand method allows a caller to send raw commands to the
> > system's TPM and to receive the corresponding response. These
> > command/response pairs are formatted using the TPM wire protocol. To
> > construct commands in this way, and to parse the TPM's response, it is
> > necessary to, first, possess knowledge of the various TPM structures, and,
> > second, of the TPM wire protocol itself.
> >
> > As such, this patch includes a set of header files that define the
> > necessary TPM structures and TSS functions, implementations of various
> > TPM2_* functions (inventoried below), and logic to write and read command
> > and response buffers, respectively, using the TPM wire protocol.
> >
> > Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl,
> > TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest,
> > TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal,
> > TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature,
> > TPM2_PolicyAuthorize, TPM2_TestParms
> >
> > Signed-off-by: Hernan Gatta 
> > Signed-off-by: Gary Lin 
> > Reviewed-by: Stefan Berger 
> > ---
> >  grub-core/tpm2/buffer.c|  145 +++
> >  grub-core/tpm2/mu.c| 1168 
> >  grub-core/tpm2/tcg2.c  |  143 +++
> >  grub-core/tpm2/tpm2.c  | 1048 +
> >  include/grub/tpm2/buffer.h |   65 ++
> >  include/grub/tpm2/internal/functions.h |  156 
> >  include/grub/tpm2/internal/structs.h   |  768 
> >  include/grub/tpm2/internal/types.h |  403 
> >  include/grub/tpm2/mu.h |  396 
> >  include/grub/tpm2/tcg2.h   |   34 +
> >  include/grub/tpm2/tpm2.h   |   34 +
> >  11 files changed, 4360 insertions(+)
> >  create mode 100644 grub-core/tpm2/buffer.c
> >  create mode 100644 grub-core/tpm2/mu.c
> >  create mode 100644 grub-core/tpm2/tcg2.c
> >  create mode 100644 grub-core/tpm2/tpm2.c
> >  create mode 100644 include/grub/tpm2/buffer.h
> >  create mode 100644 include/grub/tpm2/internal/functions.h
> >  create mode 100644 include/grub/tpm2/internal/structs.h
> >  create mode 100644 include/grub/tpm2/internal/types.h
> >  create mode 100644 include/grub/tpm2/mu.h
> >  create mode 100644 include/grub/tpm2/tcg2.h
> >  create mode 100644 include/grub/tpm2/tpm2.h
> >
> > diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
> > new file mode 100644
> > index 0..cb9f29497
> > --- /dev/null
> > +++ b/grub-core/tpm2/buffer.c
> 
> I think this together with other TPM2 driver files should go to the
> grub-core/commands/efi/tpm2 directory.
> 
The TPM2 stack is not EFI only. The only EFI related code is in
grub-core/tpm2/tcg2.c which mainly implements how the TPM2 commands are
to be submitted. I'd propose to move them to grub-core/commands/tpm2 and
rename tcg2.c to tcg2-efi.c.

> > @@ -0,0 +1,145 @@
> > +/*
> > + *  GRUB  --  GRand Unified Bootloader
> > + *  Copyright (C) 2022 Microsoft Corporation
> > + *
> > + *  GRUB is free software: you can redistribute it and/or modify
> > + *  it under the terms of the GNU General Public License as published by
> > + *  the Free Software Foundation, either version 3 of the License, or
> > + *  (at your option) any later version.
> > + *
> > + *  GRUB is distributed in the hope that it will be useful,
> > + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + *  GNU General Public License for more details.
> > + *
> > + *  You should have received a copy of the GNU General Public License
> > + *  along with GRUB.  If not, see .
> > + */
> > +
> > +#include 
> > +#include 
> > +
> > +void grub_tpm2_buffer_init (grub_tpm2_buffer_t buffer)
> > +{
> > +  grub_memset (buffer->data, 0xDD, sizeof (buffer->data));
> 
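Review bot: the definition of grub_tpm2_buffer_init puts the return type on the same line as the name (`void grub_tpm2_buffer_init (grub_tpm2_buffer_t buffer)`), whereas grub_tpm2_buffer_pack in the same hunk follows the GRUB convention of `void` on its own line; please split the init definition the same way. While there, `const void* data` in the pack prototype should read `const void *data`, with the asterisk attached to the parameter name as elsewhere in GRUB.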
> If you init the buffer->data with 0xDD instead of 0 then it begs for
> a comment. And s/0xDD/0xdd/...
> 
It should be 0. I'll fix it in v18.

> > +  buffer->size = 0;
> > +  buffer->offset = 0;
> > +  buffer->cap = sizeof (buffer->data);
> > +  buffer->error = 0;
> > +}
> > +
> > +void
> > +grub_tpm2_buffer_pack (grub_tpm2_buffer_t buffer, const void* data,
> > +  grub_size_t size)
> >