From a1d205fd6c10c1f7fad1c16f4524106f49c3eb8f39310e071c6e96e1f490fb0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 23 Aug 2024 18:23:36 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main grub2 revision 3895553f59bc334a749e833369c92c1a --- ...persistence-of-root-file-system-moun.patch | 51 + ...key-protection-on-boot-interruptions.patch | 20 +- ...-check-to-enable-btrfs-relative-path.patch | 7 +- ...-install-bailout-root-device-probing.patch | 138 +- ...otector-Add-key-protectors-framework.patch | 86 +- ...1275-ofnet-Remove-200-ms-timeout-in-.patch | 60 + ...canonical-path-handling-for-bootpath.patch | 170 +++ ...pes-structures-and-command-constants.patch | 204 --- 0001-tpm2-Add-extra-RSA-SRK-types.patch | 97 ++ ...atch => 0001-tpm2-Implement-NV-index.patch | 12 +- ... 0001-tpm2-Support-authorized-policy.patch | 15 +- ...pletion-Fix-for-bash-completion-2.12.patch | 188 +++ ...le-grub-protect-only-for-EFI-systems.patch | 33 + 0002-cryptodisk-Fallback-to-passphrase.patch | 8 +- 0002-tpm2-Add-TPM-Software-Stack-TSS.patch | 1232 ++++++++++++++--- ...Add-more-marshal-unmarshal-functions.patch | 427 ------ ...-out-the-cached-keys-from-protectors.patch | 8 +- ...key_protector-Add-TPM2-Key-Protector.patch | 565 +++++--- 0003-tpm2-Implement-more-TPM2-commands.patch | 543 -------- 0004-cryptodisk-Support-key-protectors.patch | 114 +- ...ter-look-up-cryptodisk-devices-first.patch | 18 +- 0005-util-grub-protect-Add-new-tool.patch | 386 +++--- ...b-switch-to-blscfg-adapt-to-openSUSE.patch | 45 +- 0009-10_linux-Some-refinement-for-BLS.patch | 196 ++- 20_memtest86+ | 88 -- ...ey_protector-implement-the-blocklist.patch | 35 +- grub2-btrfs-06-subvol-mount.patch | 50 +- grub2-fix-menu-in-xen-host-server.patch | 7 +- grub2-grubenv-in-btrfs-header.patch | 33 +- grub2-pass-corret-root-for-nfsroot.patch | 8 +- grub2-s390x-set-hostonly.patch | 52 + grub2-xen-pv-firmware.cfg | 6 + grub2.changes | 135 +- grub2.spec | 185 +-- 34 files changed, 3055 insertions(+), 2167 deletions(-) create mode 100644 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch rename 0001-protectors-Add-key-protectors-framework.patch => 0001-key_protector-Add-key-protectors-framework.patch (73%) create mode 100644 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch create mode 100644 0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch delete mode 100644 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch create mode 100644 0001-tpm2-Add-extra-RSA-SRK-types.patch rename 0001-protectors-Implement-NV-index.patch => 0001-tpm2-Implement-NV-index.patch (87%) rename 0004-tpm2-Support-authorized-policy.patch => 0001-tpm2-Support-authorized-policy.patch (92%) create mode 100644 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch create mode 100644 0001-util-enable-grub-protect-only-for-EFI-systems.patch delete mode 100644 0002-tpm2-Add-more-marshal-unmarshal-functions.patch rename 0003-protectors-Add-TPM2-Key-Protector.patch => 0003-key_protector-Add-TPM2-Key-Protector.patch (82%) delete mode 100644 0003-tpm2-Implement-more-TPM2-commands.patch delete mode 100644 20_memtest86+ create mode 100644 grub2-s390x-set-hostonly.patch diff --git a/0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch b/0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch new file mode 100644 index 0000000..fdd199f --- /dev/null +++ b/0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch @@ -0,0 +1,51 @@ +From 28440c9b5f83b82b4715554fa5c2d3f013b769e6 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Tue, 26 Mar 2024 13:55:53 +0800 +Subject: [PATCH] 10_linux: Ensure persistence of root file system mounting + +This commit addresses the issue where the by-uuid or by-partuuid device +symlinks might be unavailable in an installation system. Despite the +absence of these symlinks, the resulting system remains fully functional +for mounting the root file system by using persistent names +(root=(UUID|PARTUUID)=). + +The patch implemented in this commit aims to prevent fallback to the OS +name as the root= parameter, as persistent names are preferred for +stability and predictability. + +To achieve this, the fallback to the OS name won't be triggered if the +corresponding by-uuid or by-partuuid symlinks are missing, ensuring the +use of persistent names. Instead, a warning will be logged for the +missing symlinks, providing visibility into the issue. + +Signed-off-by: Michael Chang +--- + util/grub.d/10_linux.in | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index 5531239eb..4d8bdeac2 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -54,14 +54,16 @@ esac + if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \ + || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \ + && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \ +- || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \ +- && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \ + || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then + LINUX_ROOT_DEVICE=${GRUB_DEVICE} + elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \ + || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then ++ test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" || ++ echo "WARN: Use PARTUUID=${GRUB_DEVICE_PARTUUID} despite missing by-partuuid symlink" >&2 + LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID} + else ++ test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" || ++ echo "WARN: Use UUID=${GRUB_DEVICE_UUID} despite missing by-uuid symlink" >&2 + LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID} + fi + +-- +2.44.0 + diff --git a/0001-Improve-TPM-key-protection-on-boot-interruptions.patch b/0001-Improve-TPM-key-protection-on-boot-interruptions.patch index 3669f4e..3888637 100644 --- a/0001-Improve-TPM-key-protection-on-boot-interruptions.patch +++ b/0001-Improve-TPM-key-protection-on-boot-interruptions.patch @@ -1,7 +1,7 @@ -From fe7ed9104cef56f9e532a0c9a7164393d5d69ae1 Mon Sep 17 00:00:00 2001 +From 27b3e919b9b51a4fedeb3a5aef19c87f0cd7b687 Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Fri, 17 Nov 2023 12:32:59 +0800 -Subject: [PATCH 1/4] Improve TPM key protection on boot interruptions +Subject: [PATCH] Improve TPM key protection on boot interruptions The unattended boot process for full disk encryption relies on an authorized TPM policy to ensure the system's integrity before releasing @@ -125,7 +125,7 @@ index c2217ca98..9397bede9 100644 static grub_command_t cmd; diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index c79d4125a..d90ca06dc 100644 +index aa0d43562..babc94868 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name, @@ -139,14 +139,14 @@ index c79d4125a..d90ca06dc 100644 dev = grub_cryptodisk_get_by_source_disk (source); @@ -1183,6 +1186,9 @@ grub_cryptodisk_scan_device_real (const char *name, - ret = grub_cryptodisk_insert (dev, name, source); - if (ret != GRUB_ERR_NONE) - goto error; + ret = grub_cryptodisk_insert (dev, name, source); + if (ret != GRUB_ERR_NONE) + goto error; +#ifndef GRUB_UTIL -+ is_tpmkey = 1; ++ is_tpmkey = 1; +#endif - goto cleanup; - } + goto cleanup; + } } @@ -1244,7 +1250,7 @@ grub_cryptodisk_scan_device_real (const char *name, @@ -282,5 +282,5 @@ index 113c53cfc..f86404686 100644 +grub_cryptokey_tpmkey_discard (void); #endif /* ! GRUB_CRYPTTAB_HEADER */ -- -2.42.1 +2.35.3 diff --git a/0001-Unify-the-check-to-enable-btrfs-relative-path.patch b/0001-Unify-the-check-to-enable-btrfs-relative-path.patch index a201875..32f051f 100644 --- a/0001-Unify-the-check-to-enable-btrfs-relative-path.patch +++ b/0001-Unify-the-check-to-enable-btrfs-relative-path.patch @@ -98,7 +98,7 @@ Signed-off-by: Michael Chang { if (!load_cfg_f) load_cfg_f = grub_util_fopen (load_cfg, "wb"); -@@ -1670,21 +1708,13 @@ +@@ -1670,22 +1708,14 @@ #ifdef __linux__ @@ -108,6 +108,7 @@ Signed-off-by: Michael Chang { char *subvol = NULL; char *mount_path = NULL; + grub_uint64_t subvolid = 0; - char **rootdir_devices = NULL; - char *t = grub_util_path_concat (2, "/", rootdir); - char *rootdir_path = grub_canonicalize_file_name (t); @@ -117,10 +118,10 @@ Signed-off-by: Michael Chang - - if (rootdir_devices && rootdir_devices[0]) - if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0) -- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path); +- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid); + + if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0) -+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path); ++ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid); if (subvol && mount_path) { diff --git a/0001-grub-install-bailout-root-device-probing.patch b/0001-grub-install-bailout-root-device-probing.patch index 36ab2a3..4e7fffc 100644 --- a/0001-grub-install-bailout-root-device-probing.patch +++ b/0001-grub-install-bailout-root-device-probing.patch @@ -1,4 +1,4 @@ -From 58dcf7985b20de876a6fc44a591aa377d0a0302c Mon Sep 17 00:00:00 2001 +From db67bd0800c69f94fa3696351e7387515464d30c Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Thu, 10 Feb 2022 22:16:58 +0800 Subject: [PATCH] grub-install: bailout root device probing @@ -15,14 +15,26 @@ filesystem in it's own right. The command is also used by grub-mkconfig for the same purpose. +v2: + +Test the root device first before probing to avoid encountering +unexpected errors. If this test fails, the device is considered +irrelevant and of no interest, as it is not useful. + +v2.1: +Besides verifying that the target's canonical path can be resolved, +ensure that the target is a block device file. + Signed-off-by: Michael Chang --- - grub-core/osdep/basic/no_platform.c | 5 +++++ - grub-core/osdep/unix/platform.c | 34 +++++++++++++++++++++++++++++ - grub-core/osdep/windows/platform.c | 6 +++++ - include/grub/util/install.h | 3 +++ - util/grub-install.c | 31 ++++++++++++++++++-------- - 5 files changed, 70 insertions(+), 9 deletions(-) + grub-core/osdep/basic/no_platform.c | 5 +++ + grub-core/osdep/unix/getroot.c | 67 +++++++++++++++++++++++++++++ + grub-core/osdep/unix/platform.c | 34 +++++++++++++++ + grub-core/osdep/windows/platform.c | 6 +++ + include/grub/emu/getroot.h | 3 ++ + include/grub/util/install.h | 3 ++ + util/grub-install.c | 45 +++++++++++++++---- + 7 files changed, 154 insertions(+), 9 deletions(-) --- a/grub-core/osdep/basic/no_platform.c +++ b/grub-core/osdep/basic/no_platform.c @@ -35,6 +47,82 @@ Signed-off-by: Michael Chang +{ + return NULL; +} +--- a/grub-core/osdep/unix/getroot.c ++++ b/grub-core/osdep/unix/getroot.c +@@ -489,6 +489,73 @@ + return 0; + } + ++#ifdef __linux__ ++int ++grub_can_guess_from_mountinfo (const char *dir_in) ++{ ++ char **cur; ++ char **os_dev = NULL; ++ char *dir = grub_canonicalize_file_name (dir_in); ++ int ret = 0; ++ ++ if (!dir) ++ return 0; ++ ++ os_dev = grub_find_root_devices_from_mountinfo (dir, NULL); ++ ++ if (!os_dev) ++ os_dev = find_root_devices_from_libzfs (dir); ++ ++ if (!os_dev) ++ { ++ free (dir); ++ return 0; ++ } ++ ++ for (cur = os_dev; *cur; cur++) ++ { ++ if (strcmp (*cur, "/dev/root") == 0 ++ || strncmp (*cur, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0) ++ /* Assume known and good names */ ++ continue; ++ else ++ { ++ struct stat st; ++ ++ char *tmp = grub_canonicalize_file_name (*cur); ++ if (tmp == NULL) ++ break; ++ ++ if (strncmp (tmp, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0) ++ continue; ++ ++ if (lstat (tmp, &st) < 0) ++ { ++ free (tmp); ++ break; ++ } ++ free (tmp); ++ if (! S_ISBLK (st.st_mode)) ++ /* only block device allowed */ ++ break; ++ } ++ } ++ ++ if (*cur == NULL) ++ /* no bogus device left, good */ ++ ret = 1; ++ else ++ grub_util_info ("`%s' is not os device", *cur); ++ ++ for (cur = os_dev; *cur; cur++) ++ free (*cur); ++ free (os_dev); ++ free (dir); ++ ++ return ret; ++} ++#endif /* __linux__ */ ++ + char ** + grub_guess_root_devices (const char *dir_in) + { --- a/grub-core/osdep/unix/platform.c +++ b/grub-core/osdep/unix/platform.c @@ -250,3 +250,37 @@ @@ -87,6 +175,18 @@ Signed-off-by: Michael Chang +{ + return NULL; +} +--- a/include/grub/emu/getroot.h ++++ b/include/grub/emu/getroot.h +@@ -35,6 +35,9 @@ + + char *grub_find_device (const char *dir, dev_t dev); + void grub_util_pull_device (const char *osname); ++#ifdef __linux__ ++int grub_can_guess_from_mountinfo (const char *dir); ++#endif + char **grub_guess_root_devices (const char *dir); + int grub_util_get_dev_abstraction (const char *os_dev); + char *grub_make_system_path_relative_to_its_root (const char *path); --- a/include/grub/util/install.h +++ b/include/grub/util/install.h @@ -251,6 +251,9 @@ @@ -101,7 +201,7 @@ Signed-off-by: Michael Chang int --- a/util/grub-install.c +++ b/util/grub-install.c -@@ -887,7 +887,6 @@ +@@ -922,7 +922,6 @@ const char *efi_file = NULL; char **grub_devices; grub_fs_t grub_fs; @@ -109,7 +209,7 @@ Signed-off-by: Michael Chang grub_device_t grub_dev = NULL; enum grub_install_plat platform; char *grubdir, *device_map; -@@ -1067,8 +1066,10 @@ +@@ -1102,10 +1101,22 @@ grub_host_init (); { @@ -121,8 +221,20 @@ Signed-off-by: Michael Chang + char *t = grub_util_path_concat (2, "/", rootdir); ++#ifdef __linux__ ++ if (!grub_can_guess_from_mountinfo (t)) ++ { ++ free(t); ++ /* We can safely ignore the root probe here; whichever cannot be ++ * reliably detected is irrelevant and of no interest */ ++ goto skip_root_probe; ++ } ++#endif ++ rootdir_path = grub_canonicalize_file_name (t); -@@ -1089,20 +1090,32 @@ + if (!rootdir_path) + grub_util_error (_("failed to get canonical path of `%s'"), t); +@@ -1124,22 +1135,38 @@ rootdir_devices[0]); rootdir_grub_dev = grub_device_open (rootdir_grub_devname); @@ -160,4 +272,10 @@ Signed-off-by: Michael Chang + grub_device_close (rootdir_grub_dev); } ++#ifdef __linux__ ++ skip_root_probe: ++#endif ++ switch (platform) + { + case GRUB_INSTALL_PLATFORM_I386_EFI: diff --git a/0001-protectors-Add-key-protectors-framework.patch b/0001-key_protector-Add-key-protectors-framework.patch similarity index 73% rename from 0001-protectors-Add-key-protectors-framework.patch rename to 0001-key_protector-Add-key-protectors-framework.patch index e412879..a59e7bb 100644 --- a/0001-protectors-Add-key-protectors-framework.patch +++ b/0001-key_protector-Add-key-protectors-framework.patch @@ -1,7 +1,7 @@ -From 5affde982dea827580e36ccc658e439397f51ce8 Mon Sep 17 00:00:00 2001 +From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:53 -0800 -Subject: [PATCH 1/5] protectors: Add key protectors framework +Subject: [PATCH 1/5] key_protector: Add key protectors framework A key protector encapsulates functionality to retrieve an unlocking key for a fully-encrypted disk from a specific source. A key protector @@ -15,40 +15,53 @@ invoking a key protector by name. If a key protector with the specified name exists and if an unlocking key is successfully retrieved by it, the function returns to the caller the retrieved key and its length. +Cc: Vladimir Serbinenko Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- - grub-core/Makefile.am | 1 + - grub-core/Makefile.core.def | 1 + - grub-core/kern/protectors.c | 75 +++++++++++++++++++++++++++++++++++++ - include/grub/protector.h | 48 ++++++++++++++++++++++++ - 4 files changed, 125 insertions(+) - create mode 100644 grub-core/kern/protectors.c - create mode 100644 include/grub/protector.h + grub-core/Makefile.am | 1 + + grub-core/Makefile.core.def | 5 +++ + grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++ + include/grub/key_protector.h | 46 ++++++++++++++++++++ + 4 files changed, 130 insertions(+) + create mode 100644 grub-core/disk/key_protector.c + create mode 100644 include/grub/key_protector.h +diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am +index f18550c1c..9d3d5f519 100644 --- a/grub-core/Makefile.am +++ b/grub-core/Makefile.am -@@ -90,6 +90,7 @@ +@@ -90,6 +90,7 @@ endif KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h -+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/protector.h ++KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index bc893e547..4307b8e2d 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def -@@ -149,6 +149,7 @@ - common = kern/misc.c; - common = kern/parser.c; - common = kern/partition.c; -+ common = kern/protectors.c; - common = kern/rescue_parser.c; - common = kern/rescue_reader.c; - common = kern/term.c; +@@ -1302,6 +1302,11 @@ module = { + common = disk/raid6_recover.c; + }; + ++module = { ++ name = key_protector; ++ common = disk/key_protector.c; ++}; ++ + module = { + name = scsi; + common = disk/scsi.c; +diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c +new file mode 100644 +index 000000000..b84afe1c7 --- /dev/null -+++ b/grub-core/kern/protectors.c -@@ -0,0 +1,75 @@ ++++ b/grub-core/disk/key_protector.c +@@ -0,0 +1,78 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -67,17 +80,20 @@ Signed-off-by: Gary Lin + * along with GRUB. If not, see . + */ + ++#include +#include +#include +#include -+#include ++#include ++ ++GRUB_MOD_LICENSE ("GPLv3+"); + +struct grub_key_protector *grub_key_protectors = NULL; + +grub_err_t +grub_key_protector_register (struct grub_key_protector *protector) +{ -+ if (protector == NULL || protector->name == NULL || grub_strlen(protector->name) == 0) ++ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0) + return GRUB_ERR_BAD_ARGUMENT; + + if (grub_key_protectors && @@ -124,9 +140,12 @@ Signed-off-by: Gary Lin + + return kp->recover_key (key, key_size); +} +diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h +new file mode 100644 +index 000000000..6e6a6fb24 --- /dev/null -+++ b/include/grub/protector.h -@@ -0,0 +1,48 @@ ++++ b/include/grub/key_protector.h +@@ -0,0 +1,46 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -161,17 +180,18 @@ Signed-off-by: Gary Lin + grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size); +}; + -+extern struct grub_key_protector *EXPORT_VAR (grub_key_protectors); ++grub_err_t ++grub_key_protector_register (struct grub_key_protector *protector); + +grub_err_t -+EXPORT_FUNC (grub_key_protector_register) (struct grub_key_protector *protector); ++grub_key_protector_unregister (struct grub_key_protector *protector); + +grub_err_t -+EXPORT_FUNC (grub_key_protector_unregister) (struct grub_key_protector *protector); -+ -+grub_err_t -+EXPORT_FUNC (grub_key_protector_recover_key) (const char *protector, -+ grub_uint8_t **key, -+ grub_size_t *key_size); ++grub_key_protector_recover_key (const char *protector, ++ grub_uint8_t **key, ++ grub_size_t *key_size); + +#endif /* ! GRUB_PROTECTOR_HEADER */ +-- +2.35.3 + diff --git a/0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch b/0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch new file mode 100644 index 0000000..2b72d15 --- /dev/null +++ b/0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch @@ -0,0 +1,60 @@ +From d35ff22516b161f6d472f7f5371a89597b072d04 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Mon, 6 May 2024 10:34:22 +0800 +Subject: [PATCH] net/drivers/ieee1275/ofnet: Remove 200 ms timeout in + get_card_packet() to reduce input latency + +When GRUB image is netbooted on ppc64le, the keyboard input exhibits +significant latency, reports even say that characters are processed +about once per second. This issue makes interactively trying to debug +a ppc64le config very difficult. + +It seems that the latency is largely caused by a 200 ms timeout in the +idle event loop, during which the network card interface is consistently +polled for incoming packets. Often, no packets arrive during this +period, so the timeout nearly always expires, which blocks the response +to key inputs. + +Furthermore, this 200 ms timeout might not need to be enforced at this +basic layer, considering that GRUB performs synchronous reads and its +timeout management is actually handled by higher layers, not directly in +the card instance. Additionally, the idle polling, which reacts to +unsolicited packets like ICMP and SLAAC, would be fine at a less frequent +polling interval, rather than needing a timeout for receiving a response. + +For these reasons, we believe the timeout in get_card_packet() should be +effectively removed. According to test results, the delay has disappeared, +and it is now much easier to use interactively. + +Signed-Off-by: Michael Chang +Tested-by: Tony Jones +Reviewed-by: Daniel Kiper +--- + grub-core/net/drivers/ieee1275/ofnet.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/grub-core/net/drivers/ieee1275/ofnet.c b/grub-core/net/drivers/ieee1275/ofnet.c +index 78f03df8e..3bf48b3f0 100644 +--- a/grub-core/net/drivers/ieee1275/ofnet.c ++++ b/grub-core/net/drivers/ieee1275/ofnet.c +@@ -82,15 +82,11 @@ get_card_packet (struct grub_net_card *dev) + grub_ssize_t actual; + int rc; + struct grub_ofnetcard_data *data = dev->data; +- grub_uint64_t start_time; + struct grub_net_buff *nb; + +- start_time = grub_get_time_ms (); +- do +- rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual); +- while ((actual <= 0 || rc < 0) && (grub_get_time_ms () - start_time < 200)); ++ rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual); + +- if (actual <= 0) ++ if (actual <= 0 || rc < 0) + return NULL; + + nb = grub_netbuff_alloc (actual + 2); +-- +2.45.2 + diff --git a/0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch b/0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch new file mode 100644 index 0000000..7bb12bf --- /dev/null +++ b/0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch @@ -0,0 +1,170 @@ +From 84b95a121a4401be854614419ded3d383e14ac1f Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Fri, 22 Mar 2024 17:38:45 +0800 +Subject: [PATCH] ofdisk: Enhance canonical path handling for bootpath + +This commit addresses an issue where redundant canonical path +translation is performed on the bootpath, potentially leading to +incorrect results and subsequent boot failures, particularly in cases +where firmware translations are inconsistent. + +To mitigate this, the commit introduces a check to determine if the +bootpath is already in canonical form, avoiding unnecessary translation. +Additionally, improvements have been made to enhance the resilience of +device iteration, enhancing compatibility with cross-device booting +scenarios and addressing potential issues related to firmware-based +canonical path retrieval. + +These changes aim to improve the reliability and stability of the boot +process. + +Signed-off-by: Michael Chang +--- + grub-core/disk/ieee1275/ofdisk.c | 75 +++++++++++++++++++++++--------- + 1 file changed, 55 insertions(+), 20 deletions(-) + +diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c +index c5c20a5ec..36ee5314d 100644 +--- a/grub-core/disk/ieee1275/ofdisk.c ++++ b/grub-core/disk/ieee1275/ofdisk.c +@@ -35,8 +35,13 @@ static grub_ieee1275_ihandle_t last_ihandle; + #define IEEE1275_DISK_ALIAS "/disk@" + #define IEEE1275_NVMEOF_DISK_ALIAS "/nvme-of/controller@" + ++/* Used to check boot_type, print debug message if doesn't match, this can be ++ * useful to measure boot delays */ + static char *boot_type; ++/* Used to restrict fcp to a physical boot path */ + static char *boot_parent; ++/* Knowing the nvmeof in advance to avoid blind open test during iteration to ++ * validate a path */ + static int is_boot_nvmeof; + + struct ofdisk_hash_ent +@@ -540,20 +545,30 @@ dev_iterate (const struct grub_ieee1275_devalias *alias) + { + if (grub_strcmp (alias->type, "fcp") == 0) + { +- if (boot_type && +- grub_strcmp (boot_type, alias->type) != 0) ++ if (boot_parent && ++ grub_strcmp (boot_parent, alias->path) != 0) + { +- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n", +- alias->path, alias->type, boot_type); ++ grub_dprintf ("ofdisk", "Skipped device: %s, doesn't match boot_parent %s\n", ++ alias->path, boot_parent); + goto iter_children; + } + +- if (grub_strcmp (boot_parent, alias->path) == 0) ++ /* Allow set boot_parent and boot_type to NULL to force iteration */ ++ if (!boot_parent) + { +- if (is_boot_nvmeof) +- dev_iterate_fcp_nvmeof(alias); +- else +- dev_iterate_fcp_disks(alias); ++ grub_dprintf ("ofdisk", "iterate %s\n", alias->path); ++ dev_iterate_fcp_nvmeof(alias); ++ dev_iterate_fcp_disks(alias); ++ } ++ else if (is_boot_nvmeof) ++ { ++ grub_dprintf ("ofdisk", "iterate nvmeof: %s\n", alias->path); ++ dev_iterate_fcp_nvmeof(alias); ++ } ++ else ++ { ++ grub_dprintf ("ofdisk", "iterate fcp: %s\n", alias->path); ++ dev_iterate_fcp_disks(alias); + } + } + else if (grub_strcmp (alias->type, "vscsi") == 0) +@@ -575,9 +590,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias) + if (boot_type && + grub_strcmp (boot_type, alias->type) != 0) + { +- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n", ++ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n", + alias->path, alias->type, boot_type); +- return; + } + + if (grub_ieee1275_open (alias->path, &ihandle)) +@@ -646,9 +660,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias) + if (boot_type && + grub_strcmp (boot_type, alias->type) != 0) + { +- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n", ++ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n", + alias->path, alias->type, boot_type); +- goto iter_children; + } + + buf = grub_malloc (grub_strlen (alias->path) + +@@ -1116,13 +1129,37 @@ get_parent_devname (const char *devname, int *is_nvmeof) + return parent; + } + ++ ++static int ++is_canonical (const char *path) ++{ ++ if (grub_strstr (path, IEEE1275_DISK_ALIAS) || ++ grub_strstr (path, IEEE1275_NVMEOF_DISK_ALIAS)) ++ return 1; ++ else ++ return 0; ++} ++ + static char * + get_boot_device_parent (const char *bootpath, int *is_nvmeof) + { +- char *dev, *canon, *parent; ++ char *canon, *parent; ++ ++ if (is_canonical (bootpath)) ++ { ++ early_log ("Use %s as canonical\n", bootpath); ++ canon = grub_strdup (bootpath); ++ } ++ else ++ { ++ char *dev; + +- dev = grub_ieee1275_get_aliasdevname (bootpath); +- canon = grub_ieee1275_canonicalise_devname (dev); ++ dev = grub_ieee1275_get_aliasdevname (bootpath); ++ canon = grub_ieee1275_canonicalise_devname (dev); ++ early_log ("bootpath: %s \n", bootpath); ++ early_log ("alias: %s\n", dev); ++ early_log ("canonical: %s\n", canon); ++ } + + if (!canon) + { +@@ -1131,8 +1168,6 @@ get_boot_device_parent (const char *bootpath, int *is_nvmeof) + grub_print_error (); + return NULL; + } +- else +- early_log ("%s is canonical %s\n", bootpath, canon); + + parent = get_parent_devname (canon, is_nvmeof); + early_log ("%s is parent of %s\n", parent, canon); +@@ -1179,9 +1214,9 @@ insert_bootpath (void) + boot_parent = get_boot_device_parent (bootpath, &is_boot_nvmeof); + boot_type = grub_ieee1275_get_device_type (boot_parent); + if (boot_type) +- early_log ("the boot device type %s is used for root device discovery, others excluded\n", boot_type); ++ early_log ("the boot device type: %s\n", boot_type); + else +- early_log ("unknown boot device type, will use all devices to discover root and may be slow\n"); ++ early_log ("the boot device type is unknown\n"); + } + grub_free (type); + grub_free (bootpath); +-- +2.44.0 + diff --git a/0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch b/0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch deleted file mode 100644 index dca72f6..0000000 --- a/0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch +++ /dev/null @@ -1,204 +0,0 @@ -From 5a417f32f1afe0ffca7f5cbff67145a157b1589b Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 7 Feb 2023 18:31:12 +0800 -Subject: [PATCH 1/4] tpm2: Add TPM2 types, structures, and command constants - -Add new TPM2 types and structures as the preparation to support -authorized policy. - -* New types: - TPM_ALG_ECDAA, TPM_ALG_ECDSA, TPM_ALG_ECSCHNORR, TPM_ALG_RSASSA, - TPM_ALG_RSAPSS, TPM_ALG_SM2, and TPMI_ALG_SIG_SCHEME - -* New structures: - TPMS_EMPTY, TPMS_SIGNATURE_RSA, TPMS_SIGNATURE_ECC, - TPMS_SIGNATURE_ECDSA, TPMS_SIGNATURE_ECDAA, TPMS_SIGNATURE_SM2, - TPMS_SIGNATURE_ECSCHNORR, TPMU_SIGNATURE, and TPMT_TK_VERIFIED - -* New command constants: - TPM_CC_LoadExternal, TPM_CC_HashSequenceStart, TPM_CC_SequenceUpdate, - TPM_CC_SequenceComplete, TPM_CC_Hash, TPM_CC_VerifySignature, - TPM_CC_PolicyAuthorize - -Signed-off-by: Gary Lin ---- - include/grub/tpm2/internal/structs.h | 86 ++++++++++++++++++++++++++++ - include/grub/tpm2/internal/types.h | 42 +++++++++----- - 2 files changed, 114 insertions(+), 14 deletions(-) - -diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h -index 72d71eb70..db9eb6cf6 100644 ---- a/include/grub/tpm2/internal/structs.h -+++ b/include/grub/tpm2/internal/structs.h -@@ -672,4 +672,90 @@ struct TPMT_TK_CREATION - }; - typedef struct TPMT_TK_CREATION TPMT_TK_CREATION; - -+/* TPMS_EMPTY Structure */ -+struct TPMS_EMPTY { -+ grub_uint8_t empty[1]; /* a structure with no member */ -+}; -+typedef struct TPMS_EMPTY TPMS_EMPTY; -+ -+/* TPMS_SIGNATURE_RSA Structure */ -+struct TPMS_SIGNATURE_RSA { -+ TPMI_ALG_HASH hash; -+ TPM2B_PUBLIC_KEY_RSA sig; -+}; -+typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA; -+ -+/* Definition of Types for RSA Signature */ -+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA; -+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS; -+ -+/* TPMS_SIGNATURE_ECC Structure */ -+struct TPMS_SIGNATURE_ECC { -+ TPMI_ALG_HASH hash; -+ TPM2B_ECC_PARAMETER signatureR; -+ TPM2B_ECC_PARAMETER signatureS; -+}; -+typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC; -+ -+/* Definition of Types for ECC TPMS_SIGNATURE_ECC */ -+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA; -+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA; -+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2; -+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR; -+ -+/* TPMU_SIGNATURE Structure */ -+union TPMU_SIGNATURE { -+ TPMS_SIGNATURE_RSASSA rsassa; -+ TPMS_SIGNATURE_RSAPSS rsapss; -+ TPMS_SIGNATURE_ECDSA ecdsa; -+ TPMS_SIGNATURE_ECDAA ecdaa; -+ TPMS_SIGNATURE_SM2 sm2; -+ TPMS_SIGNATURE_ECSCHNORR ecschnorr; -+ TPMT_HA hmac; -+ TPMS_SCHEME_HASH any; -+ TPMS_EMPTY null; -+}; -+typedef union TPMU_SIGNATURE TPMU_SIGNATURE; -+ -+/* TPMT_SIGNATURE Structure */ -+struct TPMT_SIGNATURE { -+ TPMI_ALG_SIG_SCHEME sigAlg; -+ TPMU_SIGNATURE signature; -+}; -+typedef struct TPMT_SIGNATURE TPMT_SIGNATURE; -+ -+static inline TPMI_ALG_HASH -+TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig) -+{ -+ switch (sig->sigAlg) -+ { -+ case TPM_ALG_RSASSA: -+ return sig->signature.rsassa.hash; -+ case TPM_ALG_RSAPSS: -+ return sig->signature.rsapss.hash; -+ case TPM_ALG_ECDSA: -+ return sig->signature.ecdsa.hash; -+ case TPM_ALG_ECDAA: -+ return sig->signature.ecdaa.hash; -+ case TPM_ALG_SM2: -+ return sig->signature.sm2.hash; -+ case TPM_ALG_ECSCHNORR: -+ return sig->signature.ecschnorr.hash; -+ case TPM_ALG_HMAC: -+ return sig->signature.hmac.hashAlg; -+ default: -+ break; -+ } -+ -+ return TPM_ALG_NULL; -+} -+ -+/* TPMT_TK_VERIFIED Structure */ -+struct TPMT_TK_VERIFIED { -+ TPM_ST tag; -+ TPMI_RH_HIERARCHY hierarchy; -+ TPM2B_DIGEST digest; -+}; -+typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED; -+ - #endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */ -diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h -index 9714f75d4..a1902ef0c 100644 ---- a/include/grub/tpm2/internal/types.h -+++ b/include/grub/tpm2/internal/types.h -@@ -181,6 +181,9 @@ typedef grub_uint16_t TPM_ALG_ID; - #define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043) - #define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044) - #define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023) -+#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A) -+#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018) -+#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C) - #define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005) - #define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022) - #define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020) -@@ -189,10 +192,13 @@ typedef grub_uint16_t TPM_ALG_ID; - #define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007) - #define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010) - #define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001) -+#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014) -+#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016) - #define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004) - #define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B) - #define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C) - #define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D) -+#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B) - #define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012) - #define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013) - #define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025) -@@ -299,20 +305,27 @@ typedef grub_uint16_t TPM2_ECC_CURVE; - /* TPM_CC Constants */ - typedef grub_uint32_t TPM_CC; - --#define TPM_CC_EvictControl ((TPM_CC) 0x00000120) --#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131) --#define TPM_CC_Create ((TPM_CC) 0x00000153) --#define TPM_CC_FlushContext ((TPM_CC) 0x00000165) --#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173) --#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176) --#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f) --#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e) --#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169) --#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a) --#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e) --#define TPM_CC_Load ((TPM_CC) 0x00000157) --#define TPM_CC_Unseal ((TPM_CC) 0x0000015e) --#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189) -+#define TPM_CC_EvictControl ((TPM_CC) 0x00000120) -+#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131) -+#define TPM_CC_Create ((TPM_CC) 0x00000153) -+#define TPM_CC_FlushContext ((TPM_CC) 0x00000165) -+#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173) -+#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176) -+#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f) -+#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e) -+#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169) -+#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a) -+#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e) -+#define TPM_CC_Load ((TPM_CC) 0x00000157) -+#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167) -+#define TPM_CC_Unseal ((TPM_CC) 0x0000015e) -+#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189) -+#define TPM_CC_HashSequenceStart ((TPM_CC) 0x00000186) -+#define TPM_CC_SequenceUpdate ((TPM_CC) 0x0000015c) -+#define TPM_CC_SequenceComplete ((TPM_CC) 0x0000013e) -+#define TPM_CC_Hash ((TPM_CC) 0x0000017d) -+#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177) -+#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a) - - /* Hash algorithm sizes */ - #define TPM_SHA1_DIGEST_SIZE 20 -@@ -354,6 +367,7 @@ typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME; - typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME; - typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME; - typedef TPM_ALG_ID TPMI_ALG_SYM; -+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME; - - /* TPM_KEY_BITS Type */ - typedef grub_uint16_t TPM_KEY_BITS; --- -2.35.3 - diff --git a/0001-tpm2-Add-extra-RSA-SRK-types.patch b/0001-tpm2-Add-extra-RSA-SRK-types.patch new file mode 100644 index 0000000..b324309 --- /dev/null +++ b/0001-tpm2-Add-extra-RSA-SRK-types.patch @@ -0,0 +1,97 @@ +From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 25 Apr 2024 16:21:45 +0800 +Subject: [PATCH] tpm2: Add extra RSA SRK types + +Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has +to support those parameters. + +Signed-off-by: Gary Lin +--- + grub-core/tpm2/args.c | 12 ++++++++++++ + grub-core/tpm2/module.c | 16 ++++++++++++++-- + util/grub-protect.c | 4 ++-- + 3 files changed, 28 insertions(+), 4 deletions(-) + +diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c +index c11280ab9..d140364d2 100644 +--- a/grub-core/tpm2/args.c ++++ b/grub-core/tpm2/args.c +@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value, + srk_type->type = TPM_ALG_RSA; + srk_type->detail.rsa_bits = 2048; + } ++ else if (grub_strcasecmp (value, "RSA") == 0 || ++ grub_strcasecmp (value, "RSA3072") == 0) ++ { ++ srk_type->type = TPM_ALG_RSA; ++ srk_type->detail.rsa_bits = 3072; ++ } ++ else if (grub_strcasecmp (value, "RSA") == 0 || ++ grub_strcasecmp (value, "RSA4096") == 0) ++ { ++ srk_type->type = TPM_ALG_RSA; ++ srk_type->detail.rsa_bits = 4096; ++ } + else + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("Value '%s' is not a valid asymmetric key type"), +diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c +index b754b38df..8b72ed6fa 100644 +--- a/grub-core/tpm2/module.c ++++ b/grub-core/tpm2/module.c +@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] = + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = +- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)" +- "(default: ECC)"), ++ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, " ++ "and ECC (ECC_NIST_P256). (default: ECC)"), + }, + /* NV Index-mode options */ + { +@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type) + { + case 2048: + return "RSA2048"; ++ case 3072: ++ return "RSA3072"; ++ case 4096: ++ return "RSA4096"; + } + } + +@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx, + .type = TPM_ALG_ECC, + .detail.ecc_curve = TPM_ECC_NIST_P256, + }, ++ { ++ .type = TPM_ALG_RSA, ++ .detail.rsa_bits = 4096, ++ }, ++ { ++ .type = TPM_ALG_RSA, ++ .detail.rsa_bits = 3072, ++ }, + { + .type = TPM_ALG_RSA, + .detail.rsa_bits = 2048, +diff --git a/util/grub-protect.c b/util/grub-protect.c +index 869f45861..00be03ca0 100644 +--- a/util/grub-protect.c ++++ b/util/grub-protect.c +@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] = + .arg = "TYPE", + .flags = 0, + .doc = +- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)." +- "(default: ECC)"), ++ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, " ++ "and ECC (ECC_NIST_P256). (default: ECC)"), + .group = 0 + }, + { +-- +2.35.3 + diff --git a/0001-protectors-Implement-NV-index.patch b/0001-tpm2-Implement-NV-index.patch similarity index 87% rename from 0001-protectors-Implement-NV-index.patch rename to 0001-tpm2-Implement-NV-index.patch index e183767..baf150a 100644 --- a/0001-protectors-Implement-NV-index.patch +++ b/0001-tpm2-Implement-NV-index.patch @@ -1,7 +1,7 @@ -From c3efb4ecbe91b63c127b92122dad3fa53d4efc69 Mon Sep 17 00:00:00 2001 +From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001 From: Patrick Colp Date: Mon, 31 Jul 2023 07:01:45 -0700 -Subject: [PATCH 1/4] protectors: Implement NV index +Subject: [PATCH 1/4] tpm2: Implement NV index Currently with the TPM2 protector, only SRK mode is supported and NV index support is just a stub. Implement the NV index option. @@ -16,7 +16,7 @@ An example of inserting a key using tpm2-tools: tpm2_getrandom 32 > key.dat # Create primary object. - tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx + tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx # Create policy object. `pcrs.dat` contains the PCR values to seal against. tpm2_startauthsession -S session.dat @@ -34,15 +34,17 @@ Then to unseal the key in grub, add this to grub.cfg: cryptomount -u --protector tpm2 Signed-off-by: Patrick Colp +Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- grub-core/tpm2/module.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c -index 5274296b7..d3a64187a 100644 +index e83b02865..b754b38df 100644 --- a/grub-core/tpm2/module.c +++ b/grub-core/tpm2/module.c -@@ -757,12 +757,27 @@ static grub_err_t +@@ -1035,12 +1035,27 @@ static grub_err_t grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx, grub_uint8_t **key, grub_size_t *key_size) { diff --git a/0004-tpm2-Support-authorized-policy.patch b/0001-tpm2-Support-authorized-policy.patch similarity index 92% rename from 0004-tpm2-Support-authorized-policy.patch rename to 0001-tpm2-Support-authorized-policy.patch index 39c1391..7bfbe25 100644 --- a/0004-tpm2-Support-authorized-policy.patch +++ b/0001-tpm2-Support-authorized-policy.patch @@ -1,7 +1,7 @@ -From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001 +From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 6 Apr 2023 16:00:25 +0800 -Subject: [PATCH v7 16/20] tpm2: Support authorized policy +Subject: [PATCH] tpm2: Support authorized policy This commit handles the TPM2_PolicyAuthorize command from the key file in TPM 2.0 Key File format. @@ -43,12 +43,12 @@ commands: --after \ --input sealed.key \ --output sealed.tpm \ - sign 0,2,4,7.9 + sign 0,2,4,7,9 Then specify the key file and the key protector to grub.cfg in the EFI system partition: -tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm +tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm cryptomount -u -P tpm2 For any change in the boot components, just run the 'sign' command again @@ -59,15 +59,16 @@ with the updated PCR policy. (*2) https://github.com/okirch/pcr-oracle Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c -index df0727215..0cbfd06e8 100644 +index 3db25ceca..e83b02865 100644 --- a/grub-core/tpm2/module.c +++ b/grub-core/tpm2/module.c -@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session, +@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session, return GRUB_ERR_NONE; } @@ -155,7 +156,7 @@ index df0727215..0cbfd06e8 100644 static grub_err_t grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session) { -@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO +@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO case TPM_CC_PolicyPCR: err = grub_tpm2_protector_policypcr (session, &buf); break; diff --git a/0001-util-bash-completion-Fix-for-bash-completion-2.12.patch b/0001-util-bash-completion-Fix-for-bash-completion-2.12.patch new file mode 100644 index 0000000..cde1a89 --- /dev/null +++ b/0001-util-bash-completion-Fix-for-bash-completion-2.12.patch @@ -0,0 +1,188 @@ +From 200dc727d1fdf3bac7aa725569b60a54b3841867 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 22 Mar 2024 16:23:38 +0800 +Subject: [PATCH] util/bash-completion: Fix for bash-completion 2.12 + +_split_longopt() was the bash-completion private API and removed since +bash-completion 2.12. This commit initializes the bash-completion +general variables with _init_completion() to avoid the potential +'command not found' error. + +Although bash-completion 2.12 introduces _comp_initialize() to deprecate +_init_completion(), _init_completion() is still chosen for the better +backward compatibility. + +Signed-off-by: Gary Lin +--- + .../bash-completion.d/grub-completion.bash.in | 61 +++++++------------ + 1 file changed, 22 insertions(+), 39 deletions(-) + +diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in +index 4c88ee901..749a5d3cf 100644 +--- a/util/bash-completion.d/grub-completion.bash.in ++++ b/util/bash-completion.d/grub-completion.bash.in +@@ -151,13 +151,10 @@ __grub_list_modules () { + # grub-set-default & grub-reboot + # + __grub_set_entry () { +- local cur prev split=false ++ local cur prev words cword split ++ _init_completion -s || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} +- +- _split_longopt && split=true + + case "$prev" in + --boot-directory) +@@ -180,11 +177,10 @@ __grub_set_entry () { + # grub-editenv + # + __grub_editenv () { +- local cur prev ++ local cur prev words cword ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} + + case "$prev" in + create|list|set|unset) +@@ -201,10 +197,10 @@ __grub_editenv () { + # grub-mkconfig + # + __grub_mkconfig () { +- local cur prev ++ local cur prev words cword ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` + + if [[ "$cur" == -* ]]; then + __grubcomp "$(__grub_get_options_from_help)" +@@ -217,13 +213,10 @@ __grub_mkconfig () { + # grub-setup + # + __grub_setup () { +- local cur prev split=false ++ local cur prev words cword split ++ _init_completion -s || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} +- +- _split_longopt && split=true + + case "$prev" in + -d|--directory) +@@ -246,15 +239,12 @@ __grub_setup () { + # grub-install + # + __grub_install () { +- local cur prev last split=false ++ local cur prev words cword split last ++ _init_completion -s || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} + last=$(__grub_get_last_option) + +- _split_longopt && split=true +- + case "$prev" in + --boot-directory) + _filedir -d +@@ -287,10 +277,10 @@ __grub_install () { + # grub-mkfont + # + __grub_mkfont () { +- local cur ++ local cur prev words cword ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` + + if [[ "$cur" == -* ]]; then + __grubcomp "$(__grub_get_options_from_help)" +@@ -304,11 +294,10 @@ __grub_mkfont () { + # grub-mkrescue + # + __grub_mkrescue () { +- local cur prev last ++ local cur prev words cword last ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} + last=$(__grub_get_last_option) + + if [[ "$cur" == -* ]]; then +@@ -330,13 +319,10 @@ __grub_mkrescue () { + # grub-mkimage + # + __grub_mkimage () { +- local cur prev split=false ++ local cur prev words cword split ++ _init_completion -s || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} +- +- _split_longopt && split=true + + case "$prev" in + -d|--directory|-p|--prefix) +@@ -367,10 +353,10 @@ __grub_mkimage () { + # grub-mkpasswd-pbkdf2 + # + __grub_mkpasswd_pbkdf2 () { +- local cur ++ local cur prev words cword ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` + + if [[ "$cur" == -* ]]; then + __grubcomp "$(__grub_get_options_from_help)" +@@ -384,13 +370,10 @@ __grub_mkpasswd_pbkdf2 () { + # grub-probe + # + __grub_probe () { +- local cur prev split=false ++ local cur prev words cword split ++ _init_completion -s || return + + COMPREPLY=() +- cur=`_get_cword` +- prev=${COMP_WORDS[COMP_CWORD-1]} +- +- _split_longopt && split=true + + case "$prev" in + -t|--target) +@@ -417,10 +400,10 @@ __grub_probe () { + # grub-script-check + # + __grub_script_check () { +- local cur ++ local cur prev words cword ++ _init_completion || return + + COMPREPLY=() +- cur=`_get_cword` + + if [[ "$cur" == -* ]]; then + __grubcomp "$(__grub_get_options_from_help)" +-- +2.35.3 + diff --git a/0001-util-enable-grub-protect-only-for-EFI-systems.patch b/0001-util-enable-grub-protect-only-for-EFI-systems.patch new file mode 100644 index 0000000..5ac1b7a --- /dev/null +++ b/0001-util-enable-grub-protect-only-for-EFI-systems.patch @@ -0,0 +1,33 @@ +From 6ce53d4db8430de5526ea4c48beac8139ba60925 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Mon, 20 May 2024 14:19:58 +0800 +Subject: [PATCH] util: enable grub-protect only for EFI systems + +Add 'enable = efi;' back to the grub-protect section to enable the +utility only for EFI systems. + +The restriction was relaxed in the upstreaming patch to enable the +grub-emu TPM2 testcases. Since we already build the utility natively for +the architectures with EFI support, there is no need to build the +program again for grub-emu. + +Signed-off-by: Gary Lin +--- + Makefile.util.def | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile.util.def b/Makefile.util.def +index 90850125d..5085152b0 100644 +--- a/Makefile.util.def ++++ b/Makefile.util.def +@@ -210,6 +210,7 @@ program = { + program = { + name = grub-protect; + mansection = 1; ++ enable = efi; + + common = grub-core/kern/emu/argp_common.c; + common = grub-core/osdep/init.c; +-- +2.35.3 + diff --git a/0002-cryptodisk-Fallback-to-passphrase.patch b/0002-cryptodisk-Fallback-to-passphrase.patch index 3b0c921..27daab9 100644 --- a/0002-cryptodisk-Fallback-to-passphrase.patch +++ b/0002-cryptodisk-Fallback-to-passphrase.patch @@ -1,4 +1,4 @@ -From 7cc578baf26986c2badce998125b429a2aeb4d33 Mon Sep 17 00:00:00 2001 +From e62b26f9765e309691e014f322d4b02b220956a1 Mon Sep 17 00:00:00 2001 From: Patrick Colp Date: Sun, 30 Jul 2023 12:58:18 -0700 Subject: [PATCH 2/4] cryptodisk: Fallback to passphrase @@ -10,15 +10,17 @@ the protector(s) failed. Later code (e.g., LUKS code) fails as proceeding with the passphrase. Signed-off-by: Patrick Colp +Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- grub-core/disk/cryptodisk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index 6620fca00..cf37a0934 100644 +index af4104178..f9842f776 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c -@@ -1191,11 +1191,16 @@ grub_cryptodisk_scan_device_real (const char *name, +@@ -1193,11 +1193,16 @@ grub_cryptodisk_scan_device_real (const char *name, source->name, source->partition != NULL ? "," : "", part != NULL ? part : N_("UNKNOWN"), dev->uuid); grub_free (part); diff --git a/0002-tpm2-Add-TPM-Software-Stack-TSS.patch b/0002-tpm2-Add-TPM-Software-Stack-TSS.patch index 81765e3..8363a4b 100644 --- a/0002-tpm2-Add-TPM-Software-Stack-TSS.patch +++ b/0002-tpm2-Add-TPM-Software-Stack-TSS.patch @@ -1,10 +1,10 @@ -From c5a42cf3340aa740132bcdb8e8cee22c23306ef5 Mon Sep 17 00:00:00 2001 +From b24f2484393d468ee0286550c3275c2b090e3994 Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:54 -0800 -Subject: [PATCH v6 09/20] tpm2: Add TPM Software Stack (TSS) +Subject: [PATCH 2/5] tpm2: Add TPM Software Stack (TSS) A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to -compose, submit, and parse TPM commands and responses. +compose and submit TPM commands and parse reponses. A limited number of TPM commands may be accessed via the EFI TCG2 protocol. This protocol exposes functionality that is primarily geared @@ -26,23 +26,26 @@ and response buffers, respectively, using the TPM wire protocol. Functions: TPM2_Create, TPM2_CreatePrimary, TPM2_EvictControl, TPM2_FlushContext, TPM2_Load, TPM2_PCR_Read, TPM2_PolicyGetDigest, -TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal. +TPM2_PolicyPCR, TPM2_ReadPublic, TPM2_StartAuthSession, TPM2_Unseal, +TPM2_LoadExternal, TPM2_Hash, TPM2_VerifySignature, +TPM2_PolicyAuthorize, TPM2_TestParms Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- - grub-core/tpm2/buffer.c | 145 +++++ - grub-core/tpm2/mu.c | 807 +++++++++++++++++++++++++ - grub-core/tpm2/tcg2.c | 143 +++++ - grub-core/tpm2/tpm2.c | 761 +++++++++++++++++++++++ - include/grub/tpm2/buffer.h | 65 ++ - include/grub/tpm2/internal/functions.h | 117 ++++ - include/grub/tpm2/internal/structs.h | 675 +++++++++++++++++++++ - include/grub/tpm2/internal/types.h | 370 ++++++++++++ - include/grub/tpm2/mu.h | 292 +++++++++ - include/grub/tpm2/tcg2.h | 34 ++ - include/grub/tpm2/tpm2.h | 34 ++ - 11 files changed, 3443 insertions(+) + grub-core/tpm2/buffer.c | 145 +++ + grub-core/tpm2/mu.c | 1168 ++++++++++++++++++++++++ + grub-core/tpm2/tcg2.c | 143 +++ + grub-core/tpm2/tpm2.c | 1048 +++++++++++++++++++++ + include/grub/tpm2/buffer.h | 65 ++ + include/grub/tpm2/internal/functions.h | 156 ++++ + include/grub/tpm2/internal/structs.h | 768 ++++++++++++++++ + include/grub/tpm2/internal/types.h | 403 ++++++++ + include/grub/tpm2/mu.h | 396 ++++++++ + include/grub/tpm2/tcg2.h | 34 + + include/grub/tpm2/tpm2.h | 34 + + 11 files changed, 4360 insertions(+) create mode 100644 grub-core/tpm2/buffer.c create mode 100644 grub-core/tpm2/mu.c create mode 100644 grub-core/tpm2/tcg2.c @@ -208,10 +211,10 @@ index 000000000..cb9f29497 +} diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c new file mode 100644 -index 000000000..1617f37cd +index 000000000..10ed71c04 --- /dev/null +++ b/grub-core/tpm2/mu.c -@@ -0,0 +1,807 @@ +@@ -0,0 +1,1168 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -287,6 +290,9 @@ index 000000000..1617f37cd + break; + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ -305,6 +311,9 @@ index 000000000..1617f37cd + case TPM_ALG_XOR: + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ -553,10 +562,21 @@ index 000000000..1617f37cd + case TPM_ALG_ECC: + grub_tpm2_mu_TPMS_ECC_POINT_Marshal (buffer, &p->ecc); + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + +void ++grub_tpm2_mu_TPMT_PUBLIC_PARMS_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_PUBLIC_PARMS *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->type); ++ grub_tpm2_mu_TPMU_PUBLIC_PARMS_Marshal (buffer, p->type, &p->parameters); ++} ++ ++void +grub_tpm2_mu_TPMT_PUBLIC_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_PUBLIC *p) +{ @@ -598,6 +618,49 @@ index 000000000..1617f37cd +} + +void ++grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_PUBLIC type, ++ const TPMU_SENSITIVE_COMPOSITE *p) ++{ ++ switch(type) ++ { ++ case TPM_ALG_RSA: ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer); ++ break; ++ case TPM_ALG_ECC: ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer); ++ break; ++ case TPM_ALG_KEYEDHASH: ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer); ++ break; ++ case TPM_ALG_SYMCIPHER: ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer); ++ break; ++ default: ++ buffer->error = 1; ++ } ++} ++ ++void ++grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_SENSITIVE *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer); ++ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType, ++ &p->sensitive); ++} ++ ++void ++grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPM2B_SENSITIVE *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->size); ++ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea); ++} ++ ++void +grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, + const TPM2B_SENSITIVE_CREATE *sensitiveCreate) +{ @@ -620,15 +683,130 @@ index 000000000..1617f37cd +} + +void -+grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPM2B* p) ++grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMS_SIGNATURE_RSA *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->hash); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer); ++} ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMS_SIGNATURE_ECC *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->hash); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer); ++} ++ ++void ++grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_HASH hashAlg, ++ const TPMU_HA *p) ++{ ++ switch (hashAlg) ++ { ++ case TPM_ALG_SHA1: ++ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++) ++ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]); ++ break; ++ case TPM_ALG_SHA256: ++ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++) ++ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]); ++ break; ++ case TPM_ALG_SHA384: ++ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++) ++ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]); ++ break; ++ case TPM_ALG_SHA512: ++ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++) ++ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]); ++ break; ++ default: ++ buffer->error = 1; ++ break; ++ } ++} ++ ++void ++grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_HA *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg); ++ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest); ++} ++ ++void ++grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_SIG_SCHEME sigAlg, ++ const TPMU_SIGNATURE *p) ++{ ++ switch (sigAlg) ++ { ++ case TPM_ALG_RSASSA: ++ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa); ++ break; ++ case TPM_ALG_RSAPSS: ++ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss); ++ break; ++ case TPM_ALG_ECDSA: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa); ++ break; ++ case TPM_ALG_ECDAA: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa); ++ break; ++ case TPM_ALG_SM2: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2); ++ break; ++ case TPM_ALG_ECSCHNORR: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr); ++ break; ++ case TPM_ALG_HMAC: ++ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac); ++ break; ++ case TPM_ALG_NULL: ++ break; ++ default: ++ buffer->error = 1; ++ break; ++ } ++} ++ ++void ++grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_SIGNATURE *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg); ++ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature); ++} ++ ++void ++grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_TK_VERIFIED *p) ++{ ++ grub_tpm2_buffer_pack_u16 (buffer, p->tag); ++ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy); ++ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer); ++} ++ ++static void ++__tpm2_mu_TPM2B_BUFFER_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B* p, grub_uint16_t bound) +{ + grub_tpm2_buffer_unpack_u16 (buffer, &p->size); + -+ for (grub_uint16_t i = 0; i < p->size; i++) -+ grub_tpm2_buffer_unpack_u8 (buffer, &p->buffer[i]); ++ if (p->size > bound) ++ { ++ buffer->error = 1; ++ return; ++ } ++ ++ grub_tpm2_buffer_unpack (buffer, &p->buffer, p->size); +} + ++#define TPM2B_BUFFER_UNMARSHAL(buffer, type, data) \ ++ __tpm2_mu_TPM2B_BUFFER_Unmarshal(buffer, (TPM2B *)data, sizeof(type) - sizeof(grub_uint16_t)) ++ +void +grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_AUTH_RESPONSE* p) @@ -655,7 +833,70 @@ index 000000000..1617f37cd +grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_DIGEST* digest) +{ -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)digest); ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_DIGEST, digest); ++} ++ ++void ++grub_tpm2_mu_TPM2B_NONCE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_NONCE* nonce) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_NONCE, nonce); ++} ++ ++void ++grub_tpm2_mu_TPM2B_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_DATA* data) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_DATA, data); ++} ++ ++void ++grub_tpm2_mu_TPMS_CREATION_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_CREATION_DATA *data) ++{ ++ grub_tpm2_mu_TPML_PCR_SELECTION_Unmarshal (buffer, &data->pcrSelect); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &data->pcrDigest); ++ grub_tpm2_buffer_unpack_u8 (buffer, (grub_uint8_t *)&data->locality); ++ grub_tpm2_buffer_unpack_u16 (buffer, &data->parentNameAlg); ++ grub_tpm2_mu_TPM2B_NAME_Unmarshal (buffer, &data->parentName); ++ grub_tpm2_mu_TPM2B_NAME_Unmarshal (buffer, &data->parentQualifiedName); ++ grub_tpm2_mu_TPM2B_DATA_Unmarshal (buffer, &data->outsideInfo); ++} ++ ++void ++grub_tpm2_mu_TPM2B_CREATION_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_CREATION_DATA *data) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &data->size); ++ grub_tpm2_mu_TPMS_CREATION_DATA_Unmarshal (buffer, &data->creationData); ++} ++ ++void ++grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_PRIVATE *private) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_PRIVATE, private); ++} ++ ++void ++grub_tpm2_mu_TPM2B_SENSITIVE_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_SENSITIVE_DATA *data) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_SENSITIVE_DATA, data); ++} ++ ++void ++grub_tpm2_mu_TPM2B_PUBLIC_KEY_RSA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_PUBLIC_KEY_RSA *rsa) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_PUBLIC_KEY_RSA, rsa); ++} ++ ++void ++grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_ECC_PARAMETER *param) ++{ ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_ECC_PARAMETER, param); +} + +void @@ -731,6 +972,9 @@ index 000000000..1617f37cd + break; + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ -749,6 +993,9 @@ index 000000000..1617f37cd + case TPM_ALG_XOR: + case TPM_ALG_NULL: + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ -884,8 +1131,8 @@ index 000000000..1617f37cd +grub_tpm2_mu_TPMS_ECC_POINT_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_ECC_POINT *p) +{ -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->x); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->y); ++ grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (buffer, &p->x); ++ grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (buffer, &p->y); +} + +void @@ -896,17 +1143,20 @@ index 000000000..1617f37cd + switch(type) + { + case TPM_ALG_KEYEDHASH: -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->keyedHash); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->keyedHash); + break; + case TPM_ALG_SYMCIPHER: -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->sym); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->sym); + break; + case TPM_ALG_RSA: -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->rsa); ++ grub_tpm2_mu_TPM2B_PUBLIC_KEY_RSA_Unmarshal (buffer, &p->rsa); + break; + case TPM_ALG_ECC: + grub_tpm2_mu_TPMS_ECC_POINT_Unmarshal (buffer, &p->ecc); + break; ++ default: ++ buffer->error = 1; ++ break; + } +} + @@ -917,7 +1167,7 @@ index 000000000..1617f37cd + grub_tpm2_buffer_unpack_u16 (buffer, &p->type); + grub_tpm2_buffer_unpack_u16 (buffer, &p->nameAlg); + grub_tpm2_mu_TPMA_OBJECT_Unmarshal (buffer, &p->objectAttributes); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->authPolicy); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->authPolicy); + grub_tpm2_mu_TPMU_PUBLIC_PARMS_Unmarshal (buffer, p->type, &p->parameters); + grub_tpm2_mu_TPMU_PUBLIC_ID_Unmarshal (buffer, p->type, &p->unique); +} @@ -953,8 +1203,7 @@ index 000000000..1617f37cd +grub_tpm2_mu_TPM2B_NAME_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_NAME *n) +{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &n->size); -+ grub_tpm2_buffer_unpack (buffer, n->name, n->size); ++ TPM2B_BUFFER_UNMARSHAL (buffer, TPM2B_NAME, n); +} + +void @@ -966,58 +1215,173 @@ index 000000000..1617f37cd +} + +void -+grub_tpm2_mu_TPMS_CAPABILITY_DATA_tpmProperties_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMS_CAPABILITY_DATA* capabilityData) -+{ -+ grub_tpm2_buffer_unpack_u32 (buffer, -+ &capabilityData->data.tpmProperties.count); -+ -+ if (buffer->error) -+ return; -+ -+ for (grub_uint32_t i = 0; i < capabilityData->data.tpmProperties.count; i++) -+ grub_tpm2_mu_TPMS_TAGGED_PROPERTY_Unmarshal (buffer, -+ &capabilityData->data.tpmProperties.tpmProperty[i]); -+} -+ -+void +grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_TK_CREATION *p) +{ + grub_tpm2_buffer_unpack_u16 (buffer, &p->tag); + grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->digest); +} + +void -+grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_TK_HASHCHECK *p) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag); ++ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->digest); ++} ++ ++void ++grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_TK_VERIFIED *p) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag); ++ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &p->digest); ++} ++ ++void ++grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_PCR_SELECTION* pcrSelection) +{ -+ grub_tpm2_buffer_unpack_u16 (buf, &pcrSelection->hash); -+ grub_tpm2_buffer_unpack_u8 (buf, &pcrSelection->sizeOfSelect); ++ grub_tpm2_buffer_unpack_u16 (buffer, &pcrSelection->hash); ++ grub_tpm2_buffer_unpack_u8 (buffer, &pcrSelection->sizeOfSelect); ++ ++ if (pcrSelection->sizeOfSelect > TPM_PCR_SELECT_MAX) ++ { ++ buffer->error = 1; ++ return; ++ } + + for (grub_uint32_t i = 0; i < pcrSelection->sizeOfSelect; i++) -+ grub_tpm2_buffer_unpack_u8 (buf, &pcrSelection->pcrSelect[i]); ++ grub_tpm2_buffer_unpack_u8 (buffer, &pcrSelection->pcrSelect[i]); +} + +void -+grub_tpm2_mu_TPML_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPML_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buffer, + TPML_PCR_SELECTION* pcrSelection) +{ -+ grub_tpm2_buffer_unpack_u32 (buf, &pcrSelection->count); ++ grub_tpm2_buffer_unpack_u32 (buffer, &pcrSelection->count); ++ ++ if (pcrSelection->count > TPM_NUM_PCR_BANKS) ++ { ++ buffer->error = 1; ++ return; ++ } + + for (grub_uint32_t i = 0; i < pcrSelection->count; i++) -+ grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (buf, &pcrSelection->pcrSelections[i]); ++ grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (buffer, &pcrSelection->pcrSelections[i]); +} + +void -+grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer, + TPML_DIGEST* digest) +{ -+ grub_tpm2_buffer_unpack_u32 (buf, &digest->count); ++ grub_tpm2_buffer_unpack_u32 (buffer, &digest->count); ++ ++ if (digest->count > 8) ++ { ++ buffer->error = 1; ++ return; ++ } + + for (grub_uint32_t i = 0; i < digest->count; i++) -+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buffer, &digest->digests[i]); ++} ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_SIGNATURE_RSA *rsa) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash); ++ grub_tpm2_mu_TPM2B_PUBLIC_KEY_RSA_Unmarshal (buffer, &rsa->sig); ++} ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_SIGNATURE_ECC *ecc) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash); ++ grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (buffer, &ecc->signatureR); ++ grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (buffer, &ecc->signatureS); ++} ++ ++void ++grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMI_ALG_HASH hashAlg, ++ TPMU_HA *p) ++{ ++ switch (hashAlg) ++ { ++ case TPM_ALG_SHA1: ++ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE); ++ break; ++ case TPM_ALG_SHA256: ++ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE); ++ break; ++ case TPM_ALG_SHA384: ++ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE); ++ break; ++ case TPM_ALG_SHA512: ++ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE); ++ break; ++ default: ++ buffer->error = 1; ++ break; ++ } ++} ++ ++void ++grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_HA *p) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg); ++ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest); ++} ++ ++void ++grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMI_ALG_SIG_SCHEME sigAlg, ++ TPMU_SIGNATURE *p) ++{ ++ switch (sigAlg) ++ { ++ case TPM_ALG_RSASSA: ++ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa); ++ break; ++ case TPM_ALG_RSAPSS: ++ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss); ++ break; ++ case TPM_ALG_ECDSA: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa); ++ break; ++ case TPM_ALG_ECDAA: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa); ++ break; ++ case TPM_ALG_SM2: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2); ++ break; ++ case TPM_ALG_ECSCHNORR: ++ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr); ++ break; ++ case TPM_ALG_HMAC: ++ grub_tpm2_mu_TPMT_HA_Unmarshal (buffer, &p->hmac); ++ break; ++ case TPM_ALG_NULL: ++ break; ++ default: ++ buffer->error = 1; ++ break; ++ } ++} ++ ++void ++grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_SIGNATURE *p) ++{ ++ grub_tpm2_buffer_unpack_u16 (buffer, &p->sigAlg); ++ grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (buffer, p->sigAlg, &p->signature); +} diff --git a/grub-core/tpm2/tcg2.c b/grub-core/tpm2/tcg2.c new file mode 100644 @@ -1170,10 +1534,10 @@ index 000000000..9e4b7f565 +} diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c new file mode 100644 -index 000000000..d67699a24 +index 000000000..06621c28d --- /dev/null +++ b/grub-core/tpm2/tpm2.c -@@ -0,0 +1,761 @@ +@@ -0,0 +1,1048 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -1238,7 +1602,7 @@ index 000000000..d67699a24 + if (err) + return TPM_RC_FAILURE; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + out->size = sizeof (grub_uint16_t) + sizeof (grub_uint32_t) + + sizeof (grub_uint32_t); + grub_tpm2_buffer_unpack_u16 (out, &tag_out); @@ -1349,15 +1713,15 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + grub_tpm2_buffer_unpack_u32 (&out, objectHandle); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&out, outPublic); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)creationData); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)creationHash); ++ grub_tpm2_mu_TPM2B_CREATION_DATA_Unmarshal (&out, creationData); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, creationHash); + grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (&out, creationTicket); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name); ++ grub_tpm2_mu_TPM2B_NAME_Unmarshal (&out, name); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); + if (out.error) @@ -1433,11 +1797,11 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + grub_tpm2_buffer_unpack_u32 (&out, sessionHandle); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)nonceTpm); ++ grub_tpm2_mu_TPM2B_NONCE_Unmarshal (&out, nonceTpm); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); + if (out.error) @@ -1529,7 +1893,7 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&out, outPublic); @@ -1590,11 +1954,78 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + grub_tpm2_buffer_unpack_u32 (&out, objectHandle); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name); ++ grub_tpm2_mu_TPM2B_NAME_Unmarshal (&out, name); ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); ++ if (out.error) ++ return TPM_RC_FAILURE; ++ ++ return TPM_RC_SUCCESS; ++} ++ ++TPM_RC ++TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_SENSITIVE *inPrivate, ++ const TPM2B_PUBLIC *inPublic, ++ const TPMI_RH_HIERARCHY hierarchy, ++ TPM_HANDLE *objectHandle, ++ TPM2B_NAME *name, ++ TPMS_AUTH_RESPONSE *authResponse) ++{ ++ TPM_RC rc; ++ struct grub_tpm2_buffer in; ++ struct grub_tpm2_buffer out; ++ TPM_HANDLE objectHandleTmp; ++ TPM2B_NAME nameTmp; ++ TPMS_AUTH_RESPONSE authResponseTmp; ++ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; ++ TPM_RC responseCode; ++ grub_uint32_t param_size; ++ ++ if (!inPublic) ++ return TPM_RC_VALUE; ++ ++ if (!objectHandle) ++ objectHandle = &objectHandleTmp; ++ if (!name) ++ name = &nameTmp; ++ if (!authResponse) ++ authResponse = &authResponseTmp; ++ ++ grub_memset (objectHandle, 0, sizeof (*objectHandle)); ++ grub_memset (name, 0, sizeof (*name)); ++ grub_memset (authResponse, 0, sizeof (*authResponse)); ++ ++ /* Marshal */ ++ grub_tpm2_buffer_init (&in); ++ if (authCommand) ++ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); ++ if (inPrivate) ++ grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (&in, inPrivate); ++ else ++ grub_tpm2_buffer_pack_u16 (&in, 0); ++ grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&in, inPublic); ++ grub_tpm2_buffer_pack_u32 (&in, hierarchy); ++ if (in.error) ++ return TPM_RC_FAILURE; ++ ++ /* Submit */ ++ grub_tpm2_buffer_init (&out); ++ rc = grub_tpm2_submit_command (tag, TPM_CC_LoadExternal, &responseCode, &in, &out); ++ if (rc != TPM_RC_SUCCESS) ++ return rc; ++ if (responseCode != TPM_RC_SUCCESS) ++ return responseCode; ++ ++ /* Unmarshal */ ++ grub_tpm2_buffer_unpack_u32 (&out, objectHandle); ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); ++ grub_tpm2_mu_TPM2B_NAME_Unmarshal (&out, name); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); + if (out.error) @@ -1642,10 +2073,10 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ // Unmarhsal ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)outData); ++ grub_tpm2_mu_TPM2B_SENSITIVE_DATA_Unmarshal (&out, outData); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); + if (out.error) @@ -1677,7 +2108,7 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (out.error) + return TPM_RC_FAILURE; + @@ -1732,7 +2163,7 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); + grub_tpm2_buffer_unpack_u32 (&out, pcrUpdateCounter); @@ -1786,10 +2217,10 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)policyDigest); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, policyDigest); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); + if (out.error) @@ -1869,13 +2300,13 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)outPrivate); ++ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&out, outPrivate); + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&out, outPublic); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)creationData); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)creationHash); ++ grub_tpm2_mu_TPM2B_CREATION_DATA_Unmarshal (&out, creationData); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, creationHash); + grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (&out, creationTicket); + if (tag == TPM_ST_SESSIONS) + grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse); @@ -1924,7 +2355,7 @@ index 000000000..d67699a24 + if (responseCode != TPM_RC_SUCCESS) + return responseCode; + -+ /* Unmarshal*/ ++ /* Unmarshal */ + if (tag == TPM_ST_SESSIONS) + { + grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); @@ -1935,6 +2366,226 @@ index 000000000..d67699a24 + + return TPM_RC_SUCCESS; +} ++ ++TPM_RC ++TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_MAX_BUFFER *data, ++ const TPMI_ALG_HASH hashAlg, ++ const TPMI_RH_HIERARCHY hierarchy, ++ TPM2B_DIGEST *outHash, ++ TPMT_TK_HASHCHECK *validation, ++ TPMS_AUTH_RESPONSE *authResponse) ++{ ++ TPM_RC rc; ++ struct grub_tpm2_buffer in; ++ struct grub_tpm2_buffer out; ++ TPMS_AUTH_RESPONSE authResponseTmp; ++ TPM2B_DIGEST outHashTmp; ++ TPMT_TK_HASHCHECK validationTmp; ++ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; ++ TPM_RC responseCode; ++ grub_uint32_t param_size; ++ ++ if (hashAlg == TPM_ALG_NULL) ++ return TPM_RC_VALUE; ++ ++ if (!outHash) ++ outHash = &outHashTmp; ++ if (!validation) ++ validation = &validationTmp; ++ if (!authResponse) ++ authResponse = &authResponseTmp; ++ ++ grub_memset (outHash, 0, sizeof (*outHash)); ++ grub_memset (validation, 0, sizeof (*validation)); ++ grub_memset (authResponse, 0, sizeof (*authResponse)); ++ ++ /* Marshal */ ++ grub_tpm2_buffer_init (&in); ++ if (authCommand) ++ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); ++ if (data) ++ grub_tpm2_mu_TPM2B_Marshal (&in, data->size, data->buffer); ++ else ++ grub_tpm2_buffer_pack_u16 (&in, 0); ++ grub_tpm2_buffer_pack_u16 (&in, hashAlg); ++ grub_tpm2_buffer_pack_u32 (&in, hierarchy); ++ if (in.error) ++ return TPM_RC_FAILURE; ++ ++ /* Submit */ ++ grub_tpm2_buffer_init (&out); ++ rc = grub_tpm2_submit_command (tag, TPM_CC_Hash, &responseCode, &in, &out); ++ if (rc != TPM_RC_SUCCESS) ++ return rc; ++ if (responseCode != TPM_RC_SUCCESS) ++ return responseCode; ++ ++ /* Unmarshal */ ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); ++ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, outHash); ++ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation); ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); ++ if (out.error) ++ return TPM_RC_FAILURE; ++ ++ return TPM_RC_SUCCESS; ++} ++ ++TPM_RC ++TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle, ++ const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_DIGEST *digest, ++ const TPMT_SIGNATURE *signature, ++ TPMT_TK_VERIFIED *validation, ++ TPMS_AUTH_RESPONSE *authResponse) ++{ ++ TPM_RC rc; ++ struct grub_tpm2_buffer in; ++ struct grub_tpm2_buffer out; ++ TPMS_AUTH_RESPONSE authResponseTmp; ++ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; ++ TPMT_TK_VERIFIED validationTmp; ++ TPM_RC responseCode; ++ grub_uint32_t param_size; ++ ++ if (!digest || !signature) ++ return TPM_RC_VALUE; ++ ++ if (!validation) ++ validation = &validationTmp; ++ if (!authResponse) ++ authResponse = &authResponseTmp; ++ ++ grub_memset (validation, 0, sizeof (*validation)); ++ grub_memset (authResponse, 0, sizeof (*authResponse)); ++ ++ /* Marshal */ ++ grub_tpm2_buffer_init (&in); ++ if (authCommand) ++ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); ++ grub_tpm2_buffer_pack_u32 (&in, keyHandle); ++ grub_tpm2_mu_TPM2B_Marshal (&in, digest->size, digest->buffer); ++ grub_tpm2_mu_TPMT_SIGNATURE_Marshal (&in, signature); ++ if (in.error) ++ return TPM_RC_FAILURE; ++ ++ /* Submit */ ++ grub_tpm2_buffer_init (&out); ++ rc = grub_tpm2_submit_command (tag, TPM_CC_VerifySignature, &responseCode, &in, &out); ++ if (rc != TPM_RC_SUCCESS) ++ return rc; ++ if (responseCode != TPM_RC_SUCCESS) ++ return responseCode; ++ ++ /* Unmarshal */ ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); ++ grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (&out, validation); ++ if (tag == TPM_ST_SESSIONS) ++ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); ++ if (out.error) ++ return TPM_RC_FAILURE; ++ ++ return TPM_RC_SUCCESS; ++} ++ ++TPM_RC ++TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession, ++ const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_DIGEST *approvedPolicy, ++ const TPM2B_NONCE *policyRef, ++ const TPM2B_NAME *keySign, ++ const TPMT_TK_VERIFIED *checkTicket, ++ TPMS_AUTH_RESPONSE *authResponse) ++{ ++ TPM_RC rc; ++ struct grub_tpm2_buffer in; ++ struct grub_tpm2_buffer out; ++ TPMS_AUTH_RESPONSE authResponseTmp; ++ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; ++ TPM_RC responseCode; ++ grub_uint32_t param_size; ++ ++ if (!approvedPolicy || !keySign || !checkTicket) ++ return TPM_RC_VALUE; ++ ++ if (!authResponse) ++ authResponse = &authResponseTmp; ++ ++ grub_memset (authResponse, 0, sizeof (*authResponse)); ++ ++ /* Marshal */ ++ grub_tpm2_buffer_init (&in); ++ grub_tpm2_buffer_pack_u32 (&in, policySession); ++ if (authCommand) ++ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); ++ grub_tpm2_mu_TPM2B_Marshal (&in, approvedPolicy->size, approvedPolicy->buffer); ++ if (policyRef) ++ grub_tpm2_mu_TPM2B_Marshal (&in, policyRef->size, policyRef->buffer); ++ else ++ grub_tpm2_buffer_pack_u16 (&in, 0); ++ grub_tpm2_mu_TPM2B_Marshal (&in, keySign->size, keySign->name); ++ grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (&in, checkTicket); ++ if (in.error) ++ return TPM_RC_FAILURE; ++ ++ /* Submit */ ++ grub_tpm2_buffer_init (&out); ++ rc = grub_tpm2_submit_command (tag, TPM_CC_PolicyAuthorize, &responseCode, &in, &out); ++ if (rc != TPM_RC_SUCCESS) ++ return rc; ++ if (responseCode != TPM_RC_SUCCESS) ++ return responseCode; ++ ++ /* Unmarshal */ ++ if (tag == TPM_ST_SESSIONS) ++ { ++ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); ++ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); ++ } ++ if (out.error) ++ return TPM_RC_FAILURE; ++ ++ return TPM_RC_SUCCESS; ++} ++ ++TPM_RC ++TPM2_TestParms (const TPMT_PUBLIC_PARMS *parms, ++ const TPMS_AUTH_COMMAND* authCommand) ++{ ++ TPM_RC rc; ++ struct grub_tpm2_buffer in; ++ struct grub_tpm2_buffer out; ++ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; ++ TPM_RC responseCode; ++ ++ if (!parms) ++ return TPM_RC_VALUE; ++ ++ /* Marshal */ ++ grub_tpm2_buffer_init (&in); ++ grub_tpm2_mu_TPMT_PUBLIC_PARMS_Marshal (&in, parms); ++ if (in.error) ++ return TPM_RC_FAILURE; ++ ++ /* Submit */ ++ grub_tpm2_buffer_init (&out); ++ rc = grub_tpm2_submit_command (tag, TPM_CC_TestParms, &responseCode, &in, ++ &out); ++ if (rc != TPM_RC_SUCCESS) ++ return rc; ++ if (responseCode != TPM_RC_SUCCESS) ++ return responseCode; ++ ++ /* Unmarshal */ ++ if (out.error) ++ return TPM_RC_FAILURE; ++ ++ return TPM_RC_SUCCESS; ++} diff --git a/include/grub/tpm2/buffer.h b/include/grub/tpm2/buffer.h new file mode 100644 index 000000000..87dcd8d6c @@ -2008,10 +2659,10 @@ index 000000000..87dcd8d6c +#endif /* ! GRUB_TPM2_BUFFER_HEADER */ diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h new file mode 100644 -index 000000000..9380f26a2 +index 000000000..ac3154ef5 --- /dev/null +++ b/include/grub/tpm2/internal/functions.h -@@ -0,0 +1,117 @@ +@@ -0,0 +1,156 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -2085,6 +2736,15 @@ index 000000000..9380f26a2 + TPMS_AUTH_RESPONSE *authResponse); + +TPM_RC ++TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_SENSITIVE *inPrivate, ++ const TPM2B_PUBLIC *inPublic, ++ const TPMI_RH_HIERARCHY hierarchy, ++ TPM_HANDLE *objectHandle, ++ TPM2B_NAME *name, ++ TPMS_AUTH_RESPONSE *authResponse); ++ ++TPM_RC +TPM2_Unseal (const TPMI_DH_OBJECT item_handle, + const TPMS_AUTH_COMMAND *authCommand, + TPM2B_SENSITIVE_DATA *outData, @@ -2128,13 +2788,43 @@ index 000000000..9380f26a2 + const TPMI_DH_PERSISTENT persistentHandle, + TPMS_AUTH_RESPONSE *authResponse); + ++TPM_RC ++TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_MAX_BUFFER *data, ++ const TPMI_ALG_HASH hashAlg, ++ const TPMI_RH_HIERARCHY hierarchy, ++ TPM2B_DIGEST *outHash, ++ TPMT_TK_HASHCHECK *validation, ++ TPMS_AUTH_RESPONSE *authResponse); ++ ++TPM_RC ++TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle, ++ const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_DIGEST *digest, ++ const TPMT_SIGNATURE *signature, ++ TPMT_TK_VERIFIED *validation, ++ TPMS_AUTH_RESPONSE *authResponse); ++ ++TPM_RC ++TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession, ++ const TPMS_AUTH_COMMAND *authCommand, ++ const TPM2B_DIGEST *approvedPolicy, ++ const TPM2B_NONCE *policyRef, ++ const TPM2B_NAME *keySign, ++ const TPMT_TK_VERIFIED *checkTicket, ++ TPMS_AUTH_RESPONSE *authResponse); ++ ++TPM_RC ++TPM2_TestParms (const TPMT_PUBLIC_PARMS *parms, ++ const TPMS_AUTH_COMMAND* authCommand); ++ +#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */ diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h new file mode 100644 -index 000000000..72d71eb70 +index 000000000..c615d71e9 --- /dev/null +++ b/include/grub/tpm2/internal/structs.h -@@ -0,0 +1,675 @@ +@@ -0,0 +1,768 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -2532,6 +3222,13 @@ index 000000000..72d71eb70 +}; +typedef union TPMU_PUBLIC_PARMS TPMU_PUBLIC_PARMS; + ++/* TPMT_PUBLIC_PARMS Structure */ ++struct TPMT_PUBLIC_PARMS { ++ TPMI_ALG_PUBLIC type; ++ TPMU_PUBLIC_PARMS parameters; ++}; ++typedef struct TPMT_PUBLIC_PARMS TPMT_PUBLIC_PARMS; ++ +/* TPM2B_PUBLIC_KEY_RSA Structure */ +struct TPM2B_PUBLIC_KEY_RSA +{ @@ -2809,13 +3506,99 @@ index 000000000..72d71eb70 +}; +typedef struct TPMT_TK_CREATION TPMT_TK_CREATION; + ++/* TPMS_EMPTY Structure */ ++struct TPMS_EMPTY { ++ grub_uint8_t empty[1]; /* a structure with no member */ ++}; ++typedef struct TPMS_EMPTY TPMS_EMPTY; ++ ++/* TPMS_SIGNATURE_RSA Structure */ ++struct TPMS_SIGNATURE_RSA { ++ TPMI_ALG_HASH hash; ++ TPM2B_PUBLIC_KEY_RSA sig; ++}; ++typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA; ++ ++/* Definition of Types for RSA Signature */ ++typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA; ++typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS; ++ ++/* TPMS_SIGNATURE_ECC Structure */ ++struct TPMS_SIGNATURE_ECC { ++ TPMI_ALG_HASH hash; ++ TPM2B_ECC_PARAMETER signatureR; ++ TPM2B_ECC_PARAMETER signatureS; ++}; ++typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC; ++ ++/* Definition of Types for ECC TPMS_SIGNATURE_ECC */ ++typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA; ++typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA; ++typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2; ++typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR; ++ ++/* TPMU_SIGNATURE Structure */ ++union TPMU_SIGNATURE { ++ TPMS_SIGNATURE_RSASSA rsassa; ++ TPMS_SIGNATURE_RSAPSS rsapss; ++ TPMS_SIGNATURE_ECDSA ecdsa; ++ TPMS_SIGNATURE_ECDAA ecdaa; ++ TPMS_SIGNATURE_SM2 sm2; ++ TPMS_SIGNATURE_ECSCHNORR ecschnorr; ++ TPMT_HA hmac; ++ TPMS_SCHEME_HASH any; ++ TPMS_EMPTY null; ++}; ++typedef union TPMU_SIGNATURE TPMU_SIGNATURE; ++ ++/* TPMT_SIGNATURE Structure */ ++struct TPMT_SIGNATURE { ++ TPMI_ALG_SIG_SCHEME sigAlg; ++ TPMU_SIGNATURE signature; ++}; ++typedef struct TPMT_SIGNATURE TPMT_SIGNATURE; ++ ++static inline TPMI_ALG_HASH ++TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig) ++{ ++ switch (sig->sigAlg) ++ { ++ case TPM_ALG_RSASSA: ++ return sig->signature.rsassa.hash; ++ case TPM_ALG_RSAPSS: ++ return sig->signature.rsapss.hash; ++ case TPM_ALG_ECDSA: ++ return sig->signature.ecdsa.hash; ++ case TPM_ALG_ECDAA: ++ return sig->signature.ecdaa.hash; ++ case TPM_ALG_SM2: ++ return sig->signature.sm2.hash; ++ case TPM_ALG_ECSCHNORR: ++ return sig->signature.ecschnorr.hash; ++ case TPM_ALG_HMAC: ++ return sig->signature.hmac.hashAlg; ++ default: ++ break; ++ } ++ ++ return TPM_ALG_NULL; ++} ++ ++/* TPMT_TK_VERIFIED Structure */ ++struct TPMT_TK_VERIFIED { ++ TPM_ST tag; ++ TPMI_RH_HIERARCHY hierarchy; ++ TPM2B_DIGEST digest; ++}; ++typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED; ++ +#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */ diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h new file mode 100644 -index 000000000..9118cad5d +index 000000000..7d754394d --- /dev/null +++ b/include/grub/tpm2/internal/types.h -@@ -0,0 +1,370 @@ +@@ -0,0 +1,403 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -2999,6 +3782,9 @@ index 000000000..9118cad5d +#define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043) +#define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044) +#define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023) ++#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A) ++#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018) ++#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C) +#define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005) +#define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022) +#define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020) @@ -3007,10 +3793,13 @@ index 000000000..9118cad5d +#define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007) +#define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010) +#define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001) ++#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014) ++#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016) +#define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004) +#define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B) +#define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C) +#define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D) ++#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B) +#define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012) +#define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013) +#define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025) @@ -3079,6 +3868,11 @@ index 000000000..9118cad5d +typedef TPM_HANDLE TPMI_RH_NV_AUTH; +typedef TPM_HANDLE TPMI_RH_NV_INDEX; + ++/* TPM_HT Constants */ ++typedef grub_uint8_t TPM_HT; ++#define TPM_HT_PERMANENT ((TPM_HT) 0x40) ++#define TPM_HT_PERSISTENT ((TPM_HT) 0x81) ++ +/* TPM_RH Constants */ +typedef TPM_HANDLE TPM_RH; + @@ -3101,6 +3895,22 @@ index 000000000..9118cad5d +#define TPM_RH_AUTH_FF ((TPM_RH) 0x4000010F) +#define TPM_RH_LAST ((TPM_RH) 0x4000010F) + ++/* TPM_HC Constants */ ++typedef TPM_HANDLE TPM_HC; ++#define TPM_HR_HANDLE_MASK ((TPM_HC) 0x00FFFFFF) ++#define TPM_HR_RANGE_MASK ((TPM_HC) 0xFF000000) ++#define TPM_HR_SHIFT ((TPM_HC) 24) ++#define TPM_HR_PERSISTENT ((TPM_HC) (TPM_HT_PERSISTENT << TPM_HR_SHIFT)) ++#define TPM_HR_PERMANENT ((TPM_HC) (TPM_HT_PERMANENT << TPM_HR_SHIFT)) ++#define TPM_PERSISTENT_FIRST ((TPM_HC) (TPM_HR_PERSISTENT + 0)) ++#define TPM_PERSISTENT_LAST ((TPM_HC) (TPM_PERSISTENT_FIRST + 0x00FFFFFF)) ++#define TPM_PERMANENT_FIRST ((TPM_HC) TPM_RH_FIRST) ++#define TPM_PERMANENT_LAST ((TPM_HC) TPM_RH_LAST) ++ ++/* TPM Handle Type Checks */ ++#define TPM_HT_IS_PERMANENT(HANDLE) (((HANDLE) >> TPM_HR_SHIFT) == TPM_HT_PERMANENT) ++#define TPM_HT_IS_PERSISTENT(HANDLE) (((HANDLE) >> TPM_HR_SHIFT) == TPM_HT_PERSISTENT) ++ +/* TPM_ECC_CURVE Constants */ +typedef grub_uint16_t TPM_ECC_CURVE; + @@ -3129,8 +3939,13 @@ index 000000000..9118cad5d +#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a) +#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e) +#define TPM_CC_Load ((TPM_CC) 0x00000157) ++#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167) +#define TPM_CC_Unseal ((TPM_CC) 0x0000015e) +#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189) ++#define TPM_CC_Hash ((TPM_CC) 0x0000017d) ++#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177) ++#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a) ++#define TPM_CC_TestParms ((TPM_CC) 0x0000018a) + +/* Hash algorithm sizes */ +#define TPM_SHA1_DIGEST_SIZE 20 @@ -3172,6 +3987,7 @@ index 000000000..9118cad5d +typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME; +typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME; +typedef TPM_ALG_ID TPMI_ALG_SYM; ++typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME; + +/* TPM_KEY_BITS Type */ +typedef grub_uint16_t TPM_KEY_BITS; @@ -3188,10 +4004,10 @@ index 000000000..9118cad5d +#endif /* ! GRUB_TPM2_INTERNAL_TYPES_HEADER */ diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h new file mode 100644 -index 000000000..c545976db +index 000000000..0970b5c70 --- /dev/null +++ b/include/grub/tpm2/mu.h -@@ -0,0 +1,292 @@ +@@ -0,0 +1,396 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -3217,272 +4033,376 @@ index 000000000..c545976db +#include + +void -+grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_AUTH_COMMAND* authCommand); + +void -+grub_tpm2_mu_TPM2B_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_Marshal (grub_tpm2_buffer_t buffer, + const grub_uint16_t size, -+ const grub_uint8_t* buffer); ++ const grub_uint8_t* b); + +void -+grub_tpm2_mu_TPMU_SYM_KEY_BITS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SYM_KEY_BITS_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_SYM_OBJECT algorithm, + const TPMU_SYM_KEY_BITS *p); + +void -+grub_tpm2_mu_TPMU_SYM_MODE_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SYM_MODE_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_SYM_OBJECT algorithm, + const TPMU_SYM_MODE *p); + +void -+grub_tpm2_mu_TPMT_SYM_DEF_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_SYM_DEF_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_SYM_DEF *p); + +void -+grub_tpm2_mu_TPMS_PCR_SELECTION_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_PCR_SELECTION_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_PCR_SELECTION* pcrSelection); + +void -+grub_tpm2_mu_TPML_PCR_SELECTION_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPML_PCR_SELECTION_Marshal (grub_tpm2_buffer_t buffer, + const TPML_PCR_SELECTION* pcrSelection); + +void -+grub_tpm2_mu_TPMA_OBJECT_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMA_OBJECT_Marshal (grub_tpm2_buffer_t buffer, + const TPMA_OBJECT *p); + +void -+grub_tpm2_mu_TPMS_SCHEME_XOR_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SCHEME_XOR_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_SCHEME_XOR *p); + +void -+grub_tpm2_mu_TPMS_SCHEME_HMAC_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SCHEME_HMAC_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_SCHEME_HMAC *p); + +void -+grub_tpm2_mu_TPMU_SCHEME_KEYEDHASH_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SCHEME_KEYEDHASH_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_KEYEDHASH_SCHEME scheme, + const TPMU_SCHEME_KEYEDHASH *p); + +void -+grub_tpm2_mu_TPMT_KEYEDHASH_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_KEYEDHASH_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_KEYEDHASH_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_KEYEDHASH_PARMS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_KEYEDHASH_PARMS_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_KEYEDHASH_PARMS *p); + +void -+grub_tpm2_mu_TPMT_SYM_DEF_OBJECT_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_SYM_DEF_OBJECT_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_SYM_DEF_OBJECT *p); + +void -+grub_tpm2_mu_TPMU_ASYM_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_ASYM_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_RSA_DECRYPT scheme, + const TPMU_ASYM_SCHEME *p); + +void -+grub_tpm2_mu_TPMT_RSA_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_RSA_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_RSA_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_RSA_PARMS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_RSA_PARMS_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_RSA_PARMS *p); + +void -+grub_tpm2_mu_TPMS_SYMCIPHER_PARMS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SYMCIPHER_PARMS_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_SYMCIPHER_PARMS *p); + +void -+grub_tpm2_mu_TPMT_ECC_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_ECC_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_ECC_SCHEME *p); + +void -+grub_tpm2_mu_TPMU_KDF_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_KDF_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_KDF scheme, + const TPMU_KDF_SCHEME *p); + +void -+grub_tpm2_mu_TPMT_KDF_SCHEME_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_KDF_SCHEME_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_KDF_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_ECC_PARMS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_ECC_PARMS_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_ECC_PARMS *p); + +void -+grub_tpm2_mu_TPMU_PUBLIC_PARMS_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_PUBLIC_PARMS_Marshal (grub_tpm2_buffer_t buffer, + const grub_uint32_t type, + const TPMU_PUBLIC_PARMS *p); + +void -+grub_tpm2_mu_TPMS_ECC_POINT_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_ECC_POINT_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_ECC_POINT *p); + +void -+grub_tpm2_mu_TPMU_PUBLIC_ID_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_PUBLIC_ID_Marshal (grub_tpm2_buffer_t buffer, + const TPMI_ALG_PUBLIC type, + const TPMU_PUBLIC_ID *p); + +void -+grub_tpm2_mu_TPMT_PUBLIC_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_PUBLIC_PARMS_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_PUBLIC_PARMS *p); ++ ++void ++grub_tpm2_mu_TPMT_PUBLIC_Marshal (grub_tpm2_buffer_t buffer, + const TPMT_PUBLIC *p); + +void -+grub_tpm2_mu_TPM2B_PUBLIC_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_PUBLIC_Marshal (grub_tpm2_buffer_t buffer, + const TPM2B_PUBLIC *p); + +void -+grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, + const TPMS_SENSITIVE_CREATE *p); + +void -+grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, + const TPM2B_SENSITIVE_CREATE *sensitiveCreate); + +void -+grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buf, -+ TPM2B* p); ++grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_PUBLIC type, ++ const TPMU_SENSITIVE_COMPOSITE *p); ++void ++grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_SENSITIVE *p); + +void -+grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPM2B_SENSITIVE *p); ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMS_SIGNATURE_RSA *p); ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMS_SIGNATURE_ECC *p); ++ ++void ++grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_HASH hashAlg, ++ const TPMU_HA *p); ++ ++void ++grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_HA *p); ++ ++void ++grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMI_ALG_SIG_SCHEME sigAlg, ++ const TPMU_SIGNATURE *p); ++ ++void ++grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_SIGNATURE *p); ++ ++void ++grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer, ++ const TPMT_TK_VERIFIED *p); ++ ++void ++grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_AUTH_RESPONSE* p); + +void -+grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_DIGEST* digest); + +void -+grub_tpm2_mu_TPMA_OBJECT_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_NONCE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_NONCE* nonce); ++ ++void ++grub_tpm2_mu_TPM2B_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_DATA* data); ++ ++void ++grub_tpm2_mu_TPMS_CREATION_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_CREATION_DATA *data); ++ ++void ++grub_tpm2_mu_TPM2B_CREATION_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_CREATION_DATA *data); ++ ++void ++grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_PRIVATE* private); ++ ++void ++grub_tpm2_mu_TPM2B_SENSITIVE_DATA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_SENSITIVE_DATA *data); ++ ++void ++grub_tpm2_mu_TPM2B_PUBLIC_KEY_RSA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_PUBLIC_KEY_RSA *rsa); ++ ++void ++grub_tpm2_mu_TPM2B_ECC_PARAMETER_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPM2B_ECC_PARAMETER *param); ++ ++void ++grub_tpm2_mu_TPMA_OBJECT_Unmarshal (grub_tpm2_buffer_t buffer, + TPMA_OBJECT *p); + +void -+grub_tpm2_mu_TPMS_SCHEME_HMAC_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SCHEME_HMAC_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_SCHEME_HMAC *p); + +void -+grub_tpm2_mu_TPMS_SCHEME_XOR_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SCHEME_XOR_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_SCHEME_XOR *p); + +void -+grub_tpm2_mu_TPMU_SCHEME_KEYEDHASH_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SCHEME_KEYEDHASH_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_KEYEDHASH_SCHEME scheme, + TPMU_SCHEME_KEYEDHASH *p); + +void -+grub_tpm2_mu_TPMT_KEYEDHASH_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_KEYEDHASH_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_KEYEDHASH_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_KEYEDHASH_PARMS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_KEYEDHASH_PARMS_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_KEYEDHASH_PARMS *p); + +void -+grub_tpm2_mu_TPMU_SYM_KEY_BITS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SYM_KEY_BITS_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_SYM_OBJECT algorithm, + TPMU_SYM_KEY_BITS *p); + +void -+grub_tpm2_mu_TPMU_SYM_MODE_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_SYM_MODE_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_SYM_OBJECT algorithm, + TPMU_SYM_MODE *p); + +void -+grub_tpm2_mu_TPMT_SYM_DEF_OBJECT_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_SYM_DEF_OBJECT_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_SYM_DEF_OBJECT *p); + +void -+grub_tpm2_mu_TPMS_SYMCIPHER_PARMS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_SYMCIPHER_PARMS_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_SYMCIPHER_PARMS *p); + +void -+grub_tpm2_mu_TPMU_ASYM_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_ASYM_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_RSA_DECRYPT scheme, + TPMU_ASYM_SCHEME *p); + +void -+grub_tpm2_mu_TPMT_RSA_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_RSA_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_RSA_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_RSA_PARMS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_RSA_PARMS_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_RSA_PARMS *p); + +void -+grub_tpm2_mu_TPMT_ECC_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_ECC_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_ECC_SCHEME *p); + +void -+grub_tpm2_mu_TPMU_KDF_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_KDF_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_KDF scheme, + TPMU_KDF_SCHEME *p); + +void -+grub_tpm2_mu_TPMT_KDF_SCHEME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_KDF_SCHEME_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_KDF_SCHEME *p); + +void -+grub_tpm2_mu_TPMS_ECC_PARMS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_ECC_PARMS_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_ECC_PARMS *p); + +void -+grub_tpm2_mu_TPMU_PUBLIC_PARMS_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_PUBLIC_PARMS_Unmarshal (grub_tpm2_buffer_t buffer, + grub_uint32_t type, + TPMU_PUBLIC_PARMS *p); + +void -+grub_tpm2_mu_TPMS_ECC_POINT_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_ECC_POINT_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_ECC_POINT *p); + +void -+grub_tpm2_mu_TPMU_PUBLIC_ID_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMU_PUBLIC_ID_Unmarshal (grub_tpm2_buffer_t buffer, + TPMI_ALG_PUBLIC type, + TPMU_PUBLIC_ID *p); + +void -+grub_tpm2_mu_TPMT_PUBLIC_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_PUBLIC_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_PUBLIC *p); + +void -+grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_PUBLIC *p); + +void -+grub_tpm2_mu_TPMS_NV_PUBLIC_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_NV_PUBLIC_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_NV_PUBLIC *p); + +void -+grub_tpm2_mu_TPM2B_NV_PUBLIC_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_NV_PUBLIC_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_NV_PUBLIC *p); + +void -+grub_tpm2_mu_TPM2B_NAME_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPM2B_NAME_Unmarshal (grub_tpm2_buffer_t buffer, + TPM2B_NAME *n); + +void -+grub_tpm2_mu_TPMS_TAGGED_PROPERTY_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMS_TAGGED_PROPERTY_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_TAGGED_PROPERTY* property); + +void -+grub_tpm2_mu_TPMS_CAPABILITY_DATA_tpmProperties_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMS_CAPABILITY_DATA* capabilityData); -+ -+void -+grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer, + TPMT_TK_CREATION *p); + +void -+grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_TK_HASHCHECK *p); ++ ++void ++grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_TK_VERIFIED *p); ++ ++void ++grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buffer, + TPMS_PCR_SELECTION* pcrSelection); + +void -+grub_tpm2_mu_TPML_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPML_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buffer, + TPML_PCR_SELECTION* pcrSelection); + +void -+grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf, ++grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buffer, + TPML_DIGEST* digest); + ++void ++grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_SIGNATURE_RSA *p); ++ ++void ++grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMS_SIGNATURE_ECC *p); ++ ++void ++grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMI_ALG_HASH hashAlg, ++ TPMU_HA *p); ++ ++void ++grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_HA *p); ++ ++void ++grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMI_ALG_SIG_SCHEME sigAlg, ++ TPMU_SIGNATURE *p); ++ ++void ++grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, ++ TPMT_SIGNATURE *p); ++ +#endif /* ! GRUB_TPM2_MU_HEADER */ diff --git a/include/grub/tpm2/tcg2.h b/include/grub/tpm2/tcg2.h new file mode 100644 diff --git a/0002-tpm2-Add-more-marshal-unmarshal-functions.patch b/0002-tpm2-Add-more-marshal-unmarshal-functions.patch deleted file mode 100644 index ba87585..0000000 --- a/0002-tpm2-Add-more-marshal-unmarshal-functions.patch +++ /dev/null @@ -1,427 +0,0 @@ -From 1d34522075949581ccb34a08dd73607566517824 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 7 Feb 2023 18:33:42 +0800 -Subject: [PATCH 2/4] tpm2: Add more marshal/unmarshal functions - -Add a few more marshal/unmarshal functions to support authorized policy. - -* Marshal: - grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal() - grub_tpm2_mu_TPMT_SENSITIVE_Marshal() - grub_tpm2_mu_TPM2B_SENSITIVE_Marshal() - grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal() - grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal() - grub_tpm2_mu_TPMU_HA_Marshal() - grub_tpm2_mu_TPMT_HA_Marshal() - grub_tpm2_mu_TPMU_SIGNATURE_Marshal() - grub_tpm2_mu_TPMT_SIGNATURE_Marshal() - grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal() - -* Unmarshal: - grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal() - grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal() - grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal() - grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal() - grub_tpm2_mu_TPMU_HA_Unmarshal() - grub_tpm2_mu_TPMT_HA_Unmarshal() - grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal() - grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal() - -Signed-off-by: Gary Lin ---- - grub-core/tpm2/mu.c | 262 +++++++++++++++++++++++++++++++++++++++++ - include/grub/tpm2/mu.h | 75 ++++++++++++ - 2 files changed, 337 insertions(+) - -diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c -index 1617f37cd..3a9a3c1be 100644 ---- a/grub-core/tpm2/mu.c -+++ b/grub-core/tpm2/mu.c -@@ -383,6 +383,49 @@ grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, - grub_tpm2_mu_TPM2B_Marshal (buffer, p->data.size, p->data.buffer); - } - -+void -+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMI_ALG_PUBLIC type, -+ const TPMU_SENSITIVE_COMPOSITE *p) -+{ -+ switch(type) -+ { -+ case TPM_ALG_RSA: -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer); -+ break; -+ case TPM_ALG_ECC: -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer); -+ break; -+ case TPM_ALG_KEYEDHASH: -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer); -+ break; -+ case TPM_ALG_SYMCIPHER: -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer); -+ break; -+ default: -+ buffer->error = 1; -+ } -+} -+ -+void -+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMT_SENSITIVE *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer); -+ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType, -+ &p->sensitive); -+} -+ -+void -+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer, -+ const TPM2B_SENSITIVE *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->size); -+ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea); -+} -+ - void - grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, - const TPM2B_SENSITIVE_CREATE *sensitiveCreate) -@@ -405,6 +448,113 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer, - grub_tpm2_buffer_pack_u16 (buffer, 0); - } - -+void -+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMS_SIGNATURE_RSA *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->hash); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer); -+} -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMS_SIGNATURE_ECC *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->hash); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer); -+} -+ -+void -+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMI_ALG_HASH hashAlg, -+ const TPMU_HA *p) -+{ -+ switch (hashAlg) -+ { -+ case TPM_ALG_SHA1: -+ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++) -+ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]); -+ break; -+ case TPM_ALG_SHA256: -+ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++) -+ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]); -+ break; -+ case TPM_ALG_SHA384: -+ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++) -+ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]); -+ break; -+ case TPM_ALG_SHA512: -+ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++) -+ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]); -+ break; -+ default: -+ buffer->error = 1; -+ break; -+ } -+} -+ -+void -+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMT_HA *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg); -+ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest); -+} -+ -+void -+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMI_ALG_SIG_SCHEME sigAlg, -+ const TPMU_SIGNATURE *p) -+{ -+ switch (sigAlg) -+ { -+ case TPM_ALG_RSASSA: -+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa); -+ break; -+ case TPM_ALG_RSAPSS: -+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss); -+ break; -+ case TPM_ALG_ECDSA: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa); -+ break; -+ case TPM_ALG_ECDAA: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa); -+ break; -+ case TPM_ALG_SM2: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2); -+ break; -+ case TPM_ALG_ECSCHNORR: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr); -+ break; -+ case TPM_ALG_HMAC: -+ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac); -+ break; -+ case TPM_ALG_NULL: -+ break; -+ default: -+ buffer->error = 1; -+ break; -+ } -+} -+ -+void -+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMT_SIGNATURE *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg); -+ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature); -+} -+ -+void -+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer, -+ const TPMT_TK_VERIFIED *p) -+{ -+ grub_tpm2_buffer_pack_u16 (buffer, p->tag); -+ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy); -+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer); -+} -+ - void - grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer, - TPM2B* p) -@@ -775,6 +925,24 @@ grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer, - grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest); - } - -+void -+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMT_TK_HASHCHECK *p) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag); -+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest); -+} -+ -+void -+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMT_TK_VERIFIED *p) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag); -+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest); -+} -+ - void - grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, - TPMS_PCR_SELECTION* pcrSelection) -@@ -805,3 +973,97 @@ grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf, - for (grub_uint32_t i = 0; i < digest->count; i++) - grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]); - } -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMS_SIGNATURE_RSA *rsa) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig); -+} -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMS_SIGNATURE_ECC *ecc) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureR); -+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureS); -+} -+ -+void -+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMI_ALG_HASH hashAlg, -+ TPMU_HA *p) -+{ -+ switch (hashAlg) -+ { -+ case TPM_ALG_SHA1: -+ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE); -+ break; -+ case TPM_ALG_SHA256: -+ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE); -+ break; -+ case TPM_ALG_SHA384: -+ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE); -+ break; -+ case TPM_ALG_SHA512: -+ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE); -+ break; -+ default: -+ buffer->error = 1; -+ break; -+ } -+} -+ -+void -+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMT_HA *p) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg); -+ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest); -+} -+ -+void -+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMI_ALG_SIG_SCHEME sigAlg, -+ TPMU_SIGNATURE *p) -+{ -+ switch (sigAlg) -+ { -+ case TPM_ALG_RSASSA: -+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa); -+ break; -+ case TPM_ALG_RSAPSS: -+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss); -+ break; -+ case TPM_ALG_ECDSA: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa); -+ break; -+ case TPM_ALG_ECDAA: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa); -+ break; -+ case TPM_ALG_SM2: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2); -+ break; -+ case TPM_ALG_ECSCHNORR: -+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr); -+ break; -+ case TPM_ALG_HMAC: -+ grub_tpm2_mu_TPMT_HA_Unmarshal (buffer, &p->hmac); -+ break; -+ case TPM_ALG_NULL: -+ break; -+ default: -+ buffer->error = 1; -+ break; -+ } -+} -+ -+void -+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer, -+ TPMT_SIGNATURE *p) -+{ -+ grub_tpm2_buffer_unpack_u16 (buffer, &p->sigAlg); -+ grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (buffer, p->sigAlg, &p->signature); -+} -diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h -index c545976db..afb842ab5 100644 ---- a/include/grub/tpm2/mu.h -+++ b/include/grub/tpm2/mu.h -@@ -147,6 +147,47 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf, - const TPM2B_SENSITIVE_CREATE *sensitiveCreate); - - void -+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buf, -+ const TPMI_ALG_PUBLIC type, -+ const TPMU_SENSITIVE_COMPOSITE *p); -+void -+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buf, -+ const TPMT_SENSITIVE *p); -+ -+void -+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buf, -+ const TPM2B_SENSITIVE *p); -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buf, -+ const TPMS_SIGNATURE_RSA *p); -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buf, -+ const TPMS_SIGNATURE_ECC *p); -+ -+void -+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buf, -+ const TPMI_ALG_HASH hashAlg, -+ const TPMU_HA *p); -+ -+void -+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buf, -+ const TPMT_HA *p); -+ -+void -+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buf, -+ const TPMI_ALG_SIG_SCHEME sigAlg, -+ const TPMU_SIGNATURE *p); -+ -+void -+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buf, -+ const TPMT_SIGNATURE *p); -+ -+void -+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buf, -+ const TPMT_TK_VERIFIED *p); -+void - grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buf, - TPM2B* p); - -@@ -277,6 +318,14 @@ void - grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buf, - TPMT_TK_CREATION *p); - -+void -+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMT_TK_HASHCHECK *p); -+ -+void -+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMT_TK_VERIFIED *p); -+ - void - grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf, - TPMS_PCR_SELECTION* pcrSelection); -@@ -289,4 +338,30 @@ void - grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf, - TPML_DIGEST* digest); - -+void -+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMS_SIGNATURE_RSA *p); -+ -+void -+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMS_SIGNATURE_ECC *p); -+ -+void -+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMI_ALG_HASH hashAlg, -+ TPMU_HA *p); -+ -+void -+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMT_HA *p); -+ -+void -+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMI_ALG_SIG_SCHEME sigAlg, -+ TPMU_SIGNATURE *p); -+ -+void -+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf, -+ TPMT_SIGNATURE *p); -+ - #endif /* ! GRUB_TPM2_MU_HEADER */ --- -2.35.3 - diff --git a/0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch b/0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch index bec13f3..b8cc621 100644 --- a/0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch +++ b/0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch @@ -1,4 +1,4 @@ -From 64494ffc442a5de05b237ad48d27c70d22849a44 Mon Sep 17 00:00:00 2001 +From 370e435b6ada53314888f04dcd8f096fc11cfadb Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 3 Aug 2023 15:52:52 +0800 Subject: [PATCH 3/4] cryptodisk: wipe out the cached keys from protectors @@ -9,16 +9,18 @@ protector fails to unlock the fake root, it's not wiped out cleanly so the attacker could dump the memory to retrieve the secret key. To defend such attack, wipe out the cached key when we don't need it. +Cc: Fabian Vogt Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- grub-core/disk/cryptodisk.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c -index cf37a0934..f42437f4e 100644 +index f9842f776..aa0d43562 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c -@@ -1348,7 +1348,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs) +@@ -1355,7 +1355,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs) return; for (i = 0; cargs->protectors[i]; i++) diff --git a/0003-protectors-Add-TPM2-Key-Protector.patch b/0003-key_protector-Add-TPM2-Key-Protector.patch similarity index 82% rename from 0003-protectors-Add-TPM2-Key-Protector.patch rename to 0003-key_protector-Add-TPM2-Key-Protector.patch index e5e4015..e3ae0d6 100644 --- a/0003-protectors-Add-TPM2-Key-Protector.patch +++ b/0003-key_protector-Add-TPM2-Key-Protector.patch @@ -1,7 +1,7 @@ -From 2a63876ca714d177f919b2392d8efa0e3bd3ebe2 Mon Sep 17 00:00:00 2001 +From 2cb2b00028ca7f43fc069472fbad7b9f129ec24b Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:55 -0800 -Subject: [PATCH v7 10/20] protectors: Add TPM2 Key Protector +Subject: [PATCH 3/5] key_protector: Add TPM2 Key Protector The TPM2 key protector is a module that enables the automatic retrieval of a fully-encrypted disk's unlocking key from a TPM 2.0. @@ -36,6 +36,8 @@ is mandatory. There are two supported key formats: policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL secret [2] EXPLICIT OCTET STRING OPTIONAL authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL + description [4] EXPLICIT UTF8String OPTIONAL, + rsaParent [5] EXPLICIT BOOLEAN OPTIONAL, parent INTEGER pubkey OCTET STRING privkey OCTET STRING @@ -109,22 +111,24 @@ TPM 2.0 Key file without 'authPolicy' and 'policy', so the "TPMPolicy" sequence is always based on the PCR selection from the command parameters. -Currently, there is only one supported policy command: TPM2_PolicyPCR. -The command set can be extended to support advanced features, such as -authorized policy, in the future. +This commit only supports one policy command: TPM2_PolicyPCR. The +command set will be extended to support advanced features, such as +authorized policy, in the later commits. +Cc: Stefan Berger +Cc: James Bottomley Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin --- grub-core/Makefile.core.def | 13 + - grub-core/tpm2/args.c | 177 +++++ - grub-core/tpm2/module.c | 1028 +++++++++++++++++++++++++++++ - grub-core/tpm2/tpm2key.asn | 31 + - grub-core/tpm2/tpm2key.c | 447 +++++++++++++ - grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++ - include/grub/tpm2/internal/args.h | 41 ++ - include/grub/tpm2/tpm2key.h | 83 +++ - 8 files changed, 1861 insertions(+) + grub-core/tpm2/args.c | 140 ++++ + grub-core/tpm2/module.c | 1226 +++++++++++++++++++++++++++++ + grub-core/tpm2/tpm2key.asn | 33 + + grub-core/tpm2/tpm2key.c | 476 +++++++++++ + grub-core/tpm2/tpm2key_asn1_tab.c | 45 ++ + include/grub/tpm2/internal/args.h | 49 ++ + include/grub/tpm2/tpm2key.h | 86 ++ + 8 files changed, 2068 insertions(+) create mode 100644 grub-core/tpm2/args.c create mode 100644 grub-core/tpm2/module.c create mode 100644 grub-core/tpm2/tpm2key.asn @@ -134,10 +138,10 @@ Signed-off-by: Gary Lin create mode 100644 include/grub/tpm2/tpm2key.h diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index 5831d4265..38571119e 100644 +index 4307b8e2d..a3c728442 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def -@@ -2553,6 +2553,19 @@ module = { +@@ -2612,6 +2612,19 @@ module = { enable = efi; }; @@ -159,10 +163,10 @@ index 5831d4265..38571119e 100644 common = commands/tr.c; diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c new file mode 100644 -index 000000000..274f4fef0 +index 000000000..c11280ab9 --- /dev/null +++ b/grub-core/tpm2/args.c -@@ -0,0 +1,177 @@ +@@ -0,0 +1,140 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -243,56 +247,19 @@ index 000000000..274f4fef0 + +grub_err_t +grub_tpm2_protector_parse_asymmetric (const char *value, -+ TPM_ALG_ID *asymmetric, -+ TPM_KEY_BITS *rsa_bits, -+ TPM_ECC_CURVE *ecc_curve) ++ grub_srk_type_t *srk_type) +{ + if (grub_strcasecmp (value, "ECC") == 0 || + grub_strcasecmp (value, "ECC_NIST_P256") == 0) + { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_NIST_P256; ++ srk_type->type = TPM_ALG_ECC; ++ srk_type->detail.ecc_curve = TPM_ECC_NIST_P256; + } + else if (grub_strcasecmp (value, "RSA") == 0 || + grub_strcasecmp (value, "RSA2048") == 0) + { -+ *asymmetric = TPM_ALG_RSA; -+ *rsa_bits = 2048; -+ } -+ else if (grub_strcasecmp (value, "RSA3072") == 0) -+ { -+ *asymmetric = TPM_ALG_RSA; -+ *rsa_bits = 3072; -+ } -+ else if (grub_strcasecmp (value, "RSA4096") == 0) -+ { -+ *asymmetric = TPM_ALG_RSA; -+ *rsa_bits = 4096; -+ } -+ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0) -+ { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_NIST_P384; -+ } -+ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0) -+ { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_NIST_P521; -+ } -+ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0) -+ { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_BN_P256; -+ } -+ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0) -+ { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_BN_P638; -+ } -+ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0) -+ { -+ *asymmetric = TPM_ALG_ECC; -+ *ecc_curve = TPM_ECC_SM2_P256; ++ srk_type->type = TPM_ALG_RSA; ++ srk_type->detail.rsa_bits = 2048; + } + else + return grub_error (GRUB_ERR_OUT_OF_RANGE, @@ -342,10 +309,10 @@ index 000000000..274f4fef0 +} diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c new file mode 100644 -index 000000000..df0727215 +index 000000000..3db25ceca --- /dev/null +++ b/grub-core/tpm2/module.c -@@ -0,0 +1,1028 @@ +@@ -0,0 +1,1226 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -371,7 +338,7 @@ index 000000000..df0727215 +#include +#include +#include -+#include ++#include +#include +#include +#include @@ -405,9 +372,7 @@ index 000000000..df0727215 + grub_tpm2_protector_mode_t mode; + grub_uint8_t pcrs[TPM_MAX_PCRS]; + grub_uint8_t pcr_count; -+ TPM_ALG_ID asymmetric; -+ TPM_KEY_BITS rsa_bits; -+ TPM_ECC_CURVE ecc_curve; ++ grub_srk_type_t srk_type; + TPM_ALG_ID bank; + const char *tpm2key; + const char *keyfile; @@ -436,7 +401,7 @@ index 000000000..df0727215 + .type = ARG_TYPE_STRING, + .doc = + N_("Comma-separated list of PCRs used to authorize key release " -+ "(e.g., '7,11', default is 7."), ++ "e.g., '7,11'. (default: 7)"), + }, + { + .longarg = "bank", @@ -446,7 +411,7 @@ index 000000000..df0727215 + .type = ARG_TYPE_STRING, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), SHA384 or SHA512."), ++ "SHA1, SHA256, SHA384 or SHA512. (default: SHA256)"), + }, + /* SRK-mode options */ + { @@ -456,8 +421,8 @@ index 000000000..df0727215 + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = -+ N_("Required in SRK mode, path to the key file in TPM 2.0 Key File Format " -+ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/secret.tpm)."), ++ N_("In SRK mode, path to the key file in the TPM 2.0 Key File format " ++ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.tpm)."), + }, + { + .longarg = "keyfile", @@ -466,9 +431,9 @@ index 000000000..df0727215 + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = -+ N_("Required in SRK mode, path to the sealed key file to unseal using " -+ "the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed_key). " -+ "Use '-tpm2key' instead"), ++ N_("In SRK mode, path to the key file in the raw format to unseal " ++ "using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.key). " ++ "(Mainly for backward compatibility. Please use '--tpm2key'.)"), + }, + { + .longarg = "srk", @@ -486,10 +451,8 @@ index 000000000..df0727215 + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = -+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, " -+ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, " -+ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " -+ "(default is RSA2048)"), ++ N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)" ++ "(default: ECC)"), + }, + /* NV Index-mode options */ + { @@ -567,7 +530,8 @@ index 000000000..df0727215 + err = GRUB_ERR_NONE; + +error: -+ grub_file_close (file); ++ if (file != NULL) ++ grub_file_close (file); + + return err; +} @@ -589,7 +553,7 @@ index 000000000..df0727215 + buf.size = sealed_key_size; + + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public); -+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private); ++ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private); + + if (buf.error) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key file")); @@ -602,10 +566,12 @@ index 000000000..df0727215 + grub_size_t sealed_key_size, + tpm2key_policy_t *policy_seq, + tpm2key_authpolicy_t *authpol_seq, ++ grub_uint8_t *rsaparent, + grub_uint32_t *parent, + TPM2_SEALED_KEY *sk) +{ + asn1_node tpm2key = NULL; ++ grub_uint8_t rsaparent_tmp; + grub_uint32_t parent_tmp; + void *sealed_pub = NULL; + grub_size_t sealed_pub_size; @@ -622,6 +588,8 @@ index 000000000..df0727215 + * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL, + * secret [2] EXPLICIT OCTET STRING OPTIONAL, + * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL, ++ * description [4] EXPLICIT UTF8String OPTIONAL, ++ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL, + * parent INTEGER, + * pubkey OCTET STRING, + * privkey OCTET STRING @@ -647,10 +615,25 @@ index 000000000..df0727215 + if (err != GRUB_ERR_NONE) + goto error; + ++ /* Retrieve rsaParent */ ++ err = grub_tpm2key_get_rsaparent (tpm2key, &rsaparent_tmp); ++ if (err != GRUB_ERR_NONE) ++ goto error; ++ ++ *rsaparent = rsaparent_tmp; ++ + /* Retrieve the parent handle */ + err = grub_tpm2key_get_parent (tpm2key, &parent_tmp); + if (err != GRUB_ERR_NONE) + goto error; ++ ++ /* The parent handle should be either PERMANENT or PERSISTENT. */ ++ if (!TPM_HT_IS_PERMANENT (parent_tmp) && !TPM_HT_IS_PERSISTENT (parent_tmp)) ++ { ++ err = GRUB_ERR_OUT_OF_RANGE; ++ goto error; ++ } ++ + *parent = parent_tmp; + + /* Retrieve the public part of the sealed key */ @@ -679,7 +662,7 @@ index 000000000..df0727215 + buf.offset = 0; + + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public); -+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private); ++ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private); + + if (buf.error) + { @@ -698,12 +681,31 @@ index 000000000..df0727215 + return err; +} + ++/* Check if the SRK exists in the specified handle */ +static grub_err_t -+grub_tpm2_protector_srk_get (const struct grub_tpm2_protector_context *ctx, -+ TPM_HANDLE parent, TPM_HANDLE *srk) ++grub_tpm2_protector_srk_check (const TPM_HANDLE srk_handle) +{ + TPM_RC rc; + TPM2B_PUBLIC public; ++ ++ /* Find SRK */ ++ rc = TPM2_ReadPublic (srk_handle, NULL, &public); ++ if (rc == TPM_RC_SUCCESS) ++ return GRUB_ERR_NONE; ++ ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, ++ N_("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic: 0x%x)"), ++ srk_handle, rc); ++} ++ ++/* Get the SRK with the template */ ++static grub_err_t ++grub_tpm2_protector_srk_get (const grub_srk_type_t srk_type, ++ const TPM_HANDLE parent, ++ TPM_HANDLE *srk_handle) ++{ ++ TPM_RC rc; ++ TPMT_PUBLIC_PARMS parms = { 0 }; + TPMS_AUTH_COMMAND authCommand = { 0 }; + TPM2B_SENSITIVE_CREATE inSensitive = { 0 }; + TPM2B_PUBLIC inPublic = { 0 }; @@ -714,27 +716,10 @@ index 000000000..df0727215 + TPM2B_DIGEST creationHash = { 0 }; + TPMT_TK_CREATION creationTicket = { 0 }; + TPM2B_NAME srkName = { 0 }; -+ TPM_HANDLE srkHandle; ++ TPM_HANDLE tmp_handle = 0; + -+ if (ctx->srk != 0) -+ { -+ /* Find SRK */ -+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public); -+ if (rc == TPM_RC_SUCCESS) -+ { -+ *srk = ctx->srk; -+ return GRUB_ERR_NONE; -+ } -+ -+ return grub_error (GRUB_ERR_BAD_DEVICE, -+ N_("Failed to retrieve SRK (TPM2_ReadPublic: 0x%x)"), -+ rc); -+ } -+ -+ /* Create SRK */ -+ authCommand.sessionHandle = TPM_RS_PW; -+ inPublic.publicArea.type = ctx->asymmetric; -+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256; ++ inPublic.publicArea.type = srk_type.type; ++ inPublic.publicArea.nameAlg = TPM_ALG_SHA256; + inPublic.publicArea.objectAttributes.restricted = 1; + inPublic.publicArea.objectAttributes.userWithAuth = 1; + inPublic.publicArea.objectAttributes.decrypt = 1; @@ -743,29 +728,42 @@ index 000000000..df0727215 + inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1; + inPublic.publicArea.objectAttributes.noDA = 1; + -+ if (ctx->asymmetric == TPM_ALG_RSA) ++ if (srk_type.type == TPM_ALG_RSA) + { + inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = srk_type.detail.rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + } -+ else if (ctx->asymmetric == TPM_ALG_ECC) ++ else if (srk_type.type == TPM_ALG_ECC) + { + inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES; + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve; ++ inPublic.publicArea.parameters.eccDetail.curveID = srk_type.detail.ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + } + else + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm")); + ++ /* Test the parameters before SRK generation */ ++ parms.type = srk_type.type; ++ grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters, ++ sizeof (TPMU_PUBLIC_PARMS)); ++ ++ rc = TPM2_TestParms (&parms, NULL); ++ if (rc != TPM_RC_SUCCESS) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, ++ N_("Unsupported SRK template (TPM2_TestParms: 0x%x)"), ++ rc); ++ ++ /* Create SRK */ ++ authCommand.sessionHandle = TPM_RS_PW; + rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic, -+ &outsideInfo, &creationPcr, &srkHandle, &outPublic, ++ &outsideInfo, &creationPcr, &tmp_handle, &outPublic, + &creationData, &creationHash, &creationTicket, + &srkName, NULL); + if (rc != TPM_RC_SUCCESS) @@ -773,11 +771,177 @@ index 000000000..df0727215 + N_("Could not create SRK (TPM2_CreatePrimary: 0x%x)"), + rc); + -+ *srk = srkHandle; ++ *srk_handle = tmp_handle; + + return GRUB_ERR_NONE; +} + ++/* Load the SRK from the persistent handle or create one with a given type of ++ template, and then associate the sealed key with the SRK ++ Return values: ++ * GRUB_ERR_NONE: Everything is fine. ++ * GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one. ++ * Other: Something went wrong. ++*/ ++static grub_err_t ++grub_tpm2_protector_srk_load (const grub_srk_type_t srk_type, ++ const TPM2_SEALED_KEY *sealed_key, ++ const TPM_HANDLE parent, ++ TPM_HANDLE *sealed_handle, ++ TPM_HANDLE *srk_handle) ++{ ++ TPMS_AUTH_COMMAND authCmd = { 0 }; ++ TPM2B_NAME name = { 0 }; ++ TPM_RC rc; ++ grub_err_t err; ++ ++ if (srk_handle == NULL) ++ return GRUB_ERR_BUG; ++ ++ if (*srk_handle != 0) ++ { ++ err = grub_tpm2_protector_srk_check (*srk_handle); ++ if (err != GRUB_ERR_NONE) ++ return err; ++ } ++ else ++ { ++ err = grub_tpm2_protector_srk_get (srk_type, parent, srk_handle); ++ if (err != GRUB_ERR_NONE) ++ return err; ++ } ++ ++ /* Load the sealed key and associate it with the SRK */ ++ authCmd.sessionHandle = TPM_RS_PW; ++ rc = TPM2_Load (*srk_handle, &authCmd, &sealed_key->private, &sealed_key->public, ++ sealed_handle, &name, NULL); ++ /* If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it ++ implies the wrong SRK is used. */ ++ if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1)) ++ { ++ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("SRK not matched")); ++ goto error; ++ } ++ else if (rc != TPM_RC_SUCCESS) ++ { ++ err = grub_error (GRUB_ERR_BAD_DEVICE, ++ N_("Failed to load sealed key (TPM2_Load: 0x%x)"), ++ rc); ++ goto error; ++ } ++ ++ return GRUB_ERR_NONE; ++ ++error: ++ if (!TPM_HT_IS_PERSISTENT (*srk_handle)) ++ TPM2_FlushContext (*srk_handle); ++ ++ return err; ++} ++ ++static const char * ++srk_type_to_name (grub_srk_type_t srk_type) ++{ ++ if (srk_type.type == TPM_ALG_ECC) ++ { ++ switch (srk_type.detail.ecc_curve) ++ { ++ case TPM_ECC_NIST_P256: ++ return "ECC_NIST_P256"; ++ } ++ } ++ else if (srk_type.type == TPM_ALG_RSA) ++ { ++ switch (srk_type.detail.rsa_bits) ++ { ++ case 2048: ++ return "RSA2048"; ++ } ++ } ++ ++ return "Unknown"; ++} ++ ++static grub_err_t ++grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx, ++ const TPM2_SEALED_KEY *sealed_key, ++ const TPM_HANDLE parent_handle, ++ TPM_HANDLE *sealed_handle, ++ TPM_HANDLE *srk_handle) ++{ ++ grub_err_t err; ++ int i; ++ grub_srk_type_t fallback_srks[] = { ++ { ++ .type = TPM_ALG_ECC, ++ .detail.ecc_curve = TPM_ECC_NIST_P256, ++ }, ++ { ++ .type = TPM_ALG_RSA, ++ .detail.rsa_bits = 2048, ++ }, ++ { ++ .type = TPM_ALG_ERROR, ++ } ++ }; ++ ++ /* Try the given persistent SRK if exists */ ++ if (*srk_handle != 0) ++ { ++ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key, ++ parent_handle, sealed_handle, ++ srk_handle); ++ if (err != GRUB_ERR_BAD_ARGUMENT) ++ return err; ++ ++ grub_print_error (); ++ grub_printf_ (N_("Trying the specified SRK algorithm: %s\n"), ++ srk_type_to_name (ctx->srk_type)); ++ grub_errno = GRUB_ERR_NONE; ++ *srk_handle = 0; ++ } ++ ++ /* Try the specified algorithm for the SRK template */ ++ if (*srk_handle == 0) ++ { ++ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key, ++ parent_handle, sealed_handle, ++ srk_handle); ++ if (err != GRUB_ERR_BAD_ARGUMENT) ++ return err; ++ ++ grub_print_error (); ++ grub_errno = GRUB_ERR_NONE; ++ *srk_handle = 0; ++ } ++ ++ /* Try all the fallback SRK templates */ ++ for (i = 0; fallback_srks[i].type != TPM_ALG_ERROR; i++) ++ { ++ /* Skip the specified algorithm */ ++ if (fallback_srks[i].type == ctx->srk_type.type && ++ (fallback_srks[i].detail.rsa_bits == ctx->srk_type.detail.rsa_bits || ++ fallback_srks[i].detail.ecc_curve == ctx->srk_type.detail.ecc_curve)) ++ continue; ++ ++ grub_printf_ (N_("Trying fallback %s template\n"), ++ srk_type_to_name (fallback_srks[i])); ++ ++ *srk_handle = 0; ++ ++ err = grub_tpm2_protector_srk_load (fallback_srks[i], sealed_key, ++ parent_handle, sealed_handle, ++ srk_handle); ++ if (err != GRUB_ERR_BAD_ARGUMENT) ++ return err; ++ ++ grub_print_error (); ++ grub_errno = GRUB_ERR_NONE; ++ } ++ ++ return err; ++} ++ +static grub_err_t +grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session, + struct grub_tpm2_buffer *cmd_buf) @@ -970,18 +1134,16 @@ index 000000000..df0727215 +grub_tpm2_protector_srk_recover (const struct grub_tpm2_protector_context *ctx, + grub_uint8_t **key, grub_size_t *key_size) +{ -+ TPMS_AUTH_COMMAND authCmd = { 0 }; + TPM2_SEALED_KEY sealed_key = { 0 }; -+ TPM2B_NAME name = { 0 }; + void *file_bytes = NULL; + grub_size_t file_size = 0; ++ grub_uint8_t rsaparent = 0; + TPM_HANDLE parent_handle = 0; + TPM_HANDLE srk_handle = 0; + TPM_HANDLE sealed_handle = 0; + tpm2key_policy_t policy_seq = NULL; + tpm2key_authpolicy_t authpol = NULL; + tpm2key_authpolicy_t authpol_seq = NULL; -+ TPM_RC rc; + grub_err_t err; + + /* @@ -999,10 +1161,21 @@ index 000000000..df0727215 + file_size, + &policy_seq, + &authpol_seq, ++ &rsaparent, + &parent_handle, + &sealed_key); + if (err != GRUB_ERR_NONE) + goto exit1; ++ ++ if (rsaparent == 1) ++ { ++ struct grub_tpm2_protector_context *ctx_w; ++ ++ /* Overwrite the SRK type as noted in the key */ ++ ctx_w = (struct grub_tpm2_protector_context *)ctx; ++ ctx_w->srk_type.type = TPM_ALG_RSA; ++ ctx_w->srk_type.detail.rsa_bits = 2048; ++ } + } + else + { @@ -1019,23 +1192,18 @@ index 000000000..df0727215 + goto exit1; + } + -+ /* Get the SRK to unseal the sealed key */ -+ err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle); ++ /* Set the SRK handle if it is specified with '--srk' or inside the key file */ ++ if (ctx->srk != 0) ++ srk_handle = ctx->srk; ++ else if (TPM_HT_IS_PERSISTENT (parent_handle)) ++ srk_handle = parent_handle; ++ ++ /* Load the sealed key into TPM and associate it with the SRK */ ++ err = grub_tpm2_protector_load_key (ctx, &sealed_key, parent_handle, ++ &sealed_handle, &srk_handle); + if (err != GRUB_ERR_NONE) + goto exit1; + -+ /* Load the sealed key and associate it with the SRK */ -+ authCmd.sessionHandle = TPM_RS_PW; -+ rc = TPM2_Load (srk_handle, &authCmd, &sealed_key.private, &sealed_key.public, -+ &sealed_handle, &name, NULL); -+ if (rc != TPM_RC_SUCCESS) -+ { -+ err = grub_error (GRUB_ERR_BAD_DEVICE, -+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"), -+ rc); -+ goto exit2; -+ } -+ + /* + * Set err to an error code to trigger the standalone policy sequence + * if there is no authpolicy sequence @@ -1071,7 +1239,7 @@ index 000000000..df0727215 + { + err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq); + if (err != GRUB_ERR_NONE) -+ goto exit3; ++ goto exit2; + } + + err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size); @@ -1081,11 +1249,11 @@ index 000000000..df0727215 + if (err == GRUB_ERR_NONE) + while (grub_error_pop ()); + -+exit3: ++exit2: + TPM2_FlushContext (sealed_handle); + -+exit2: -+ TPM2_FlushContext (srk_handle); ++ if (!TPM_HT_IS_PERSISTENT (srk_handle)) ++ TPM2_FlushContext (srk_handle); + +exit1: + grub_tpm2key_free_policy_seq (policy_seq); @@ -1143,19 +1311,19 @@ index 000000000..df0727215 + ctx->mode = GRUB_TPM2_PROTECTOR_MODE_SRK; + + /* Checks for SRK mode */ -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile == NULL -+ && ctx->tpm2key == NULL) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ++ (ctx->keyfile == NULL && ctx->tpm2key == NULL)) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In SRK mode, a key file must be specified: " + "--tpm2key/-T or --keyfile/-k")); + -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile -+ && ctx->tpm2key) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ++ (ctx->keyfile != NULL && ctx->tpm2key != NULL)) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In SRK mode, please specify a key file with " + "only --tpm2key/-T or --keyfile/-k")); + -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv != 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In SRK mode, an NV Index cannot be specified")); + @@ -1166,15 +1334,16 @@ index 000000000..df0727215 + "--nvindex or -n")); + + if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && -+ (ctx->tpm2key || ctx->keyfile)) ++ (ctx->tpm2key != NULL || ctx->keyfile != NULL)) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In NV Index mode, a keyfile cannot be specified")); + -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk != 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In NV Index mode, an SRK cannot be specified")); + -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->asymmetric) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ++ ctx->srk_type.type != TPM_ALG_ERROR) + return grub_error (GRUB_ERR_BAD_ARGUMENT, + N_("In NV Index mode, an asymmetric key type cannot be " + "specified")); @@ -1189,13 +1358,11 @@ index 000000000..df0727215 + ctx->pcr_count = 1; + } + -+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK) ++ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ++ ctx->srk_type.type == TPM_ALG_ERROR) + { -+ if (!ctx->asymmetric) -+ { -+ ctx->asymmetric = TPM_ALG_RSA; -+ ctx->rsa_bits = 2048; -+ } ++ ctx->srk_type.type = TPM_ALG_ECC; ++ ctx->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256; + } + + return GRUB_ERR_NONE; @@ -1299,9 +1466,7 @@ index 000000000..df0727215 + if (state[OPTION_ASYMMETRIC].set) /* asymmetric */ + { + err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg, -+ &grub_tpm2_protector_ctx.asymmetric, -+ &grub_tpm2_protector_ctx.rsa_bits, -+ &grub_tpm2_protector_ctx.ecc_curve); ++ &grub_tpm2_protector_ctx.srk_type); + if (err != GRUB_ERR_NONE) + return err; + } @@ -1376,10 +1541,10 @@ index 000000000..df0727215 +} diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn new file mode 100644 -index 000000000..e3b6a03e0 +index 000000000..7ad4b6a2a --- /dev/null +++ b/grub-core/tpm2/tpm2key.asn -@@ -0,0 +1,31 @@ +@@ -0,0 +1,33 @@ +-- +-- TPM 2.0 key file format +-- To generate tpm2key_asn1_tab.c: asn1Parser tpm2key.asn @@ -1405,6 +1570,8 @@ index 000000000..e3b6a03e0 + policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL, + secret [2] EXPLICIT OCTET STRING OPTIONAL, + authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL, ++ description [4] EXPLICIT UTF8String OPTIONAL, ++ rsaParent [5] EXPLICIT BOOLEAN OPTIONAL, + parent INTEGER, + pubkey OCTET STRING, + privkey OCTET STRING @@ -1413,10 +1580,10 @@ index 000000000..e3b6a03e0 +END diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c new file mode 100644 -index 000000000..a26c287c9 +index 000000000..7a55644e5 --- /dev/null +++ b/grub-core/tpm2/tpm2key.c -@@ -0,0 +1,447 @@ +@@ -0,0 +1,476 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2023 SUSE LLC @@ -1518,17 +1685,19 @@ index 000000000..a26c287c9 + grub_err_t err; + + /* -+ TPMKey ::= SEQUENCE { -+ type OBJECT IDENTIFIER, -+ emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL, -+ policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL, -+ secret [2] EXPLICIT OCTET STRING OPTIONAL, -+ authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL, -+ parent INTEGER, -+ pubkey OCTET STRING, -+ privkey OCTET STRING -+ } -+ */ ++ * TPMKey ::= SEQUENCE { ++ * type OBJECT IDENTIFIER, ++ * emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL, ++ * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL, ++ * secret [2] EXPLICIT OCTET STRING OPTIONAL, ++ * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL, ++ * description [4] EXPLICIT UTF8String OPTIONAL, ++ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL, ++ * parent INTEGER, ++ * pubkey OCTET STRING, ++ * privkey OCTET STRING ++ * } ++ */ + ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL); + if (ret != ASN1_SUCCESS) + return grub_error (GRUB_ERR_BAD_ARGUMENT, @@ -1579,11 +1748,8 @@ index 000000000..a26c287c9 + err = GRUB_ERR_NONE; + +error: -+ if (type_oid) -+ grub_free (type_oid); -+ -+ if (empty_auth) -+ grub_free (empty_auth); ++ grub_free (type_oid); ++ grub_free (empty_auth); + + return err; +} @@ -1591,12 +1757,42 @@ index 000000000..a26c287c9 +void +grub_tpm2key_end_parsing (asn1_node tpm2key) +{ -+ if (tpm2key) -+ asn1_delete_structure (&tpm2key); ++ asn1_delete_structure (&tpm2key); + tpm2key = NULL; +} + +grub_err_t ++grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent) ++{ ++ void *bool_str = NULL; ++ grub_size_t bool_str_size = 0; ++ int ret; ++ ++ if (rsaparent == NULL) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("NULL pointer detected")); ++ ++ if (tpm2key == NULL) ++ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid parent node")); ++ ++ ret = asn1_allocate_and_read (tpm2key, "rsaParent", &bool_str, &bool_str_size); ++ if (ret == ASN1_SUCCESS) ++ { ++ if (grub_strncmp ("TRUE", bool_str, bool_str_size) == 0) ++ *rsaparent = 1; ++ else ++ *rsaparent = 0; ++ } ++ else if (ret == ASN1_ELEMENT_NOT_FOUND) ++ *rsaparent = 0; ++ else ++ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve rsaParent")); ++ ++ grub_free (bool_str); ++ ++ return GRUB_ERR_NONE; ++} ++ ++grub_err_t +grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent) +{ + int ret; @@ -1805,7 +2001,7 @@ index 000000000..a26c287c9 + /* Limit the number of authPolicy elements to two digits (99) */ + if (authpol_n > 100 || authpol_n < 1) + return grub_error (GRUB_ERR_OUT_OF_RANGE, -+ N_("Invalid number of autoPolicy elements")); ++ N_("Invalid number of authPolicy elements")); + + /* + * Iterate the authPolicy elements backwards since grub_list_push() prepends @@ -1866,10 +2062,10 @@ index 000000000..a26c287c9 +} diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c new file mode 100644 -index 000000000..551fc46ec +index 000000000..6868924f9 --- /dev/null +++ b/grub-core/tpm2/tpm2key_asn1_tab.c -@@ -0,0 +1,41 @@ +@@ -0,0 +1,45 @@ +/* + * This file is generated by 'asn1Parser tpm2key.asn' and the '#include' + * headers are replaced with the ones in grub2. @@ -1906,6 +2102,10 @@ index 000000000..551fc46ec + { "authPolicy", 1610637323, NULL }, + { NULL, 1073743880, "3"}, + { NULL, 2, "TPMAuthPolicy"}, ++ { "description", 1610637346, NULL }, ++ { NULL, 2056, "4"}, ++ { "rsaParent", 1610637316, NULL }, ++ { NULL, 2056, "5"}, + { "parent", 1073741827, NULL }, + { "pubkey", 1073741831, NULL }, + { "privkey", 7, NULL }, @@ -1913,10 +2113,10 @@ index 000000000..551fc46ec +}; diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h new file mode 100644 -index 000000000..58d13e031 +index 000000000..9f4c0eb9f --- /dev/null +++ b/include/grub/tpm2/internal/args.h -@@ -0,0 +1,41 @@ +@@ -0,0 +1,49 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -1941,15 +2141,23 @@ index 000000000..58d13e031 +#include +#include + ++struct grub_srk_type ++{ ++ TPMI_ALG_PUBLIC type; ++ union { ++ TPM_KEY_BITS rsa_bits; ++ TPM_ECC_CURVE ecc_curve; ++ } detail; ++}; ++typedef struct grub_srk_type grub_srk_type_t; ++ +grub_err_t +grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs, + grub_uint8_t *pcr_count); + +grub_err_t +grub_tpm2_protector_parse_asymmetric (const char *value, -+ TPM_ALG_ID *asymmetric, -+ TPM_KEY_BITS *rsa_bits, -+ TPM_ECC_CURVE *ecc_curve); ++ grub_srk_type_t *srk_type); + +grub_err_t +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank); @@ -1960,10 +2168,10 @@ index 000000000..58d13e031 +#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */ diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h new file mode 100644 -index 000000000..df46203e3 +index 000000000..c27b5305e --- /dev/null +++ b/include/grub/tpm2/tpm2key.h -@@ -0,0 +1,83 @@ +@@ -0,0 +1,86 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2023 SUSE LLC @@ -2026,6 +2234,9 @@ index 000000000..df46203e3 +grub_tpm2key_end_parsing (asn1_node tpm2key); + +grub_err_t ++grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent); ++ ++grub_err_t +grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent); + +grub_err_t diff --git a/0003-tpm2-Implement-more-TPM2-commands.patch b/0003-tpm2-Implement-more-TPM2-commands.patch deleted file mode 100644 index b240980..0000000 --- a/0003-tpm2-Implement-more-TPM2-commands.patch +++ /dev/null @@ -1,543 +0,0 @@ -From a49c4dcbcb04078434f461ed3356c04042be461a Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 8 Feb 2023 10:30:55 +0800 -Subject: [PATCH 3/4] tpm2: Implement more TPM2 commands - -This commit implements a few more TPM2 commands as the preparation for -the authorized policy support. - -* TPM2_LoadExternal - This command is added to load the external public key to verify the - signed policy digest -* TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_SequenceComplete, - and TPM2_Hash - With those commands, we can use the TPM as a coprocessor to calculate - the hash of a given binary blob. -* TPM2_VerifySignature - This command verifies the given signature with the given public key - and returns the validation ticket to authorize the policy. -* TPM2_PolicyAuthorize - This command approves the given policy digest so that we can unseal - the key with the newly authorized policy. - -Signed-off-by: Gary Lin ---- - grub-core/tpm2/tpm2.c | 424 +++++++++++++++++++++++++ - include/grub/tpm2/internal/functions.h | 57 ++++ - 2 files changed, 481 insertions(+) - -diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c -index d67699a24..159353b08 100644 ---- a/grub-core/tpm2/tpm2.c -+++ b/grub-core/tpm2/tpm2.c -@@ -427,6 +427,73 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle, - return TPM_RC_SUCCESS; - } - -+TPM_RC -+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_SENSITIVE *inPrivate, -+ const TPM2B_PUBLIC *inPublic, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM_HANDLE *objectHandle, -+ TPM2B_NAME *name, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ TPM_RC rc; -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPM_HANDLE objectHandleTmp; -+ TPM2B_NAME nameTmp; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; -+ TPM_RC responseCode; -+ grub_uint32_t param_size; -+ -+ if (!inPublic) -+ return TPM_RC_VALUE; -+ -+ if (!objectHandle) -+ objectHandle = &objectHandleTmp; -+ if (!name) -+ name = &nameTmp; -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (objectHandle, 0, sizeof (*objectHandle)); -+ grub_memset (name, 0, sizeof (*name)); -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ if (authCommand) -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ if (inPrivate) -+ grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (&in, inPrivate); -+ else -+ grub_tpm2_buffer_pack_u16 (&in, 0); -+ grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&in, inPublic); -+ grub_tpm2_buffer_pack_u32 (&in, hierarchy); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (tag, TPM_CC_LoadExternal, &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal*/ -+ grub_tpm2_buffer_unpack_u32 (&out, objectHandle); -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name); -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ - TPM_RC - TPM2_Unseal (const TPMI_DH_OBJECT itemHandle, - const TPMS_AUTH_COMMAND *authCommand, -@@ -759,3 +826,360 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth, - - return TPM_RC_SUCCESS; - } -+ -+TPM_RC -+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_AUTH *auth, -+ const TPMI_ALG_HASH hashAlg, -+ TPMI_DH_OBJECT *sequenceHandle, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPMI_DH_OBJECT sequenceHandleTmp; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; -+ TPM_RC responseCode; -+ TPM_RC rc; -+ grub_uint32_t parameterSize; -+ -+ if (!auth) -+ return TPM_RC_VALUE; -+ -+ if (!sequenceHandle) -+ sequenceHandle = &sequenceHandleTmp; -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (sequenceHandle, 0, sizeof (*sequenceHandle)); -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ if (authCommand) -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ grub_tpm2_mu_TPM2B_Marshal (&in, auth->size, auth->buffer); -+ grub_tpm2_buffer_pack_u16 (&in, hashAlg); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (tag, TPM_CC_HashSequenceStart, &responseCode, &in, -+ &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal */ -+ grub_tpm2_buffer_unpack_u32 (&out, sequenceHandle); -+ if (tag == TPM_ST_SESSIONS) -+ { -+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse); -+ } -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ -+TPM_RC -+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *buffer, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPM_RC responseCode; -+ TPM_RC rc; -+ grub_uint32_t parameterSize; -+ -+ if (!authCommand) -+ return TPM_RC_VALUE; -+ -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle); -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ if (buffer) -+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer); -+ else -+ grub_tpm2_buffer_pack_u16 (&in, 0); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceUpdate, -+ &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal */ -+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ -+TPM_RC -+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *buffer, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM2B_DIGEST *result, -+ TPMT_TK_HASHCHECK *validation, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPM2B_DIGEST resultTmp; -+ TPMT_TK_HASHCHECK validationTmp; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPM_RC responseCode; -+ TPM_RC rc; -+ grub_uint32_t parameterSize; -+ -+ if (!authCommand) -+ return TPM_RC_VALUE; -+ -+ if (!result) -+ result = &resultTmp; -+ if (!validation) -+ validation = &validationTmp; -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (result, 0, sizeof (*result)); -+ grub_memset (validation, 0, sizeof (*validation)); -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle); -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ if (buffer) -+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer); -+ else -+ grub_tpm2_buffer_pack_u16 (&in, 0); -+ grub_tpm2_buffer_pack_u32 (&in, hierarchy); -+ -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceComplete, -+ &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal */ -+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize); -+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, result); -+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation); -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ -+TPM_RC -+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *data, -+ const TPMI_ALG_HASH hashAlg, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM2B_DIGEST *outHash, -+ TPMT_TK_HASHCHECK *validation, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ TPM_RC rc; -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPM2B_DIGEST outHashTmp; -+ TPMT_TK_HASHCHECK validationTmp; -+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; -+ TPM_RC responseCode; -+ grub_uint32_t param_size; -+ -+ if (hashAlg == TPM_ALG_NULL) -+ return TPM_RC_VALUE; -+ -+ if (!outHash) -+ outHash = &outHashTmp; -+ if (!validation) -+ validation = &validationTmp; -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (outHash, 0, sizeof (*outHash)); -+ grub_memset (validation, 0, sizeof (*validation)); -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ if (authCommand) -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ if (data) -+ grub_tpm2_mu_TPM2B_Marshal (&in, data->size, data->buffer); -+ else -+ grub_tpm2_buffer_pack_u16 (&in, 0); -+ grub_tpm2_buffer_pack_u16 (&in, hashAlg); -+ grub_tpm2_buffer_pack_u32 (&in, hierarchy); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (tag, TPM_CC_Hash, &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal*/ -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, outHash); -+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation); -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ -+TPM_RC -+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_DIGEST *digest, -+ const TPMT_SIGNATURE *signature, -+ TPMT_TK_VERIFIED *validation, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ TPM_RC rc; -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; -+ TPMT_TK_VERIFIED validationTmp; -+ TPM_RC responseCode; -+ grub_uint32_t param_size; -+ -+ if (!digest || !signature) -+ return TPM_RC_VALUE; -+ -+ if (!validation) -+ validation = &validationTmp; -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (validation, 0, sizeof (*validation)); -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ if (authCommand) -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ grub_tpm2_buffer_pack_u32 (&in, keyHandle); -+ grub_tpm2_mu_TPM2B_Marshal (&in, digest->size, digest->buffer); -+ grub_tpm2_mu_TPMT_SIGNATURE_Marshal (&in, signature); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (tag, TPM_CC_VerifySignature, &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal*/ -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (&out, validation); -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -+ -+TPM_RC -+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_DIGEST *approvedPolicy, -+ const TPM2B_NONCE *policyRef, -+ const TPM2B_NAME *keySign, -+ const TPMT_TK_VERIFIED *checkTicket, -+ TPMS_AUTH_RESPONSE *authResponse) -+{ -+ TPM_RC rc; -+ struct grub_tpm2_buffer in; -+ struct grub_tpm2_buffer out; -+ TPMS_AUTH_RESPONSE authResponseTmp; -+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS; -+ TPM_RC responseCode; -+ grub_uint32_t param_size; -+ -+ if (!approvedPolicy || !keySign || !checkTicket) -+ return TPM_RC_VALUE; -+ -+ if (!authResponse) -+ authResponse = &authResponseTmp; -+ -+ grub_memset (authResponse, 0, sizeof (*authResponse)); -+ -+ /* Marshal */ -+ grub_tpm2_buffer_init (&in); -+ grub_tpm2_buffer_pack_u32 (&in, policySession); -+ if (authCommand) -+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand); -+ grub_tpm2_mu_TPM2B_Marshal (&in, approvedPolicy->size, approvedPolicy->buffer); -+ if (policyRef) -+ grub_tpm2_mu_TPM2B_Marshal (&in, policyRef->size, policyRef->buffer); -+ else -+ grub_tpm2_buffer_pack_u16 (&in, 0); -+ grub_tpm2_mu_TPM2B_Marshal (&in, keySign->size, keySign->name); -+ grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (&in, checkTicket); -+ if (in.error) -+ return TPM_RC_FAILURE; -+ -+ /* Submit */ -+ grub_tpm2_buffer_init (&out); -+ rc = grub_tpm2_submit_command (tag, TPM_CC_PolicyAuthorize, &responseCode, &in, &out); -+ if (rc != TPM_RC_SUCCESS) -+ return rc; -+ if (responseCode != TPM_RC_SUCCESS) -+ return responseCode; -+ -+ /* Unmarshal*/ -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_buffer_unpack_u32 (&out, ¶m_size); -+ if (tag == TPM_ST_SESSIONS) -+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse); -+ if (out.error) -+ return TPM_RC_FAILURE; -+ -+ return TPM_RC_SUCCESS; -+} -diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h -index 9380f26a2..67b78fab8 100644 ---- a/include/grub/tpm2/internal/functions.h -+++ b/include/grub/tpm2/internal/functions.h -@@ -70,6 +70,15 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle, - TPM2B_NAME *name, - TPMS_AUTH_RESPONSE *authResponse); - -+TPM_RC -+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_SENSITIVE *inPrivate, -+ const TPM2B_PUBLIC *inPublic, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM_HANDLE *objectHandle, -+ TPM2B_NAME *name, -+ TPMS_AUTH_RESPONSE *authResponse); -+ - TPM_RC - TPM2_Unseal (const TPMI_DH_OBJECT item_handle, - const TPMS_AUTH_COMMAND *authCommand, -@@ -114,4 +123,52 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth, - const TPMI_DH_PERSISTENT persistentHandle, - TPMS_AUTH_RESPONSE *authResponse); - -+TPM_RC -+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_AUTH *auth, -+ const TPMI_ALG_HASH hashAlg, -+ TPMI_DH_OBJECT *sequenceHandle, -+ TPMS_AUTH_RESPONSE *authResponse); -+ -+TPM_RC -+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *buffer, -+ TPMS_AUTH_RESPONSE *authResponse); -+ -+TPM_RC -+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *buffer, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM2B_DIGEST *result, -+ TPMT_TK_HASHCHECK *validation, -+ TPMS_AUTH_RESPONSE *authResponse); -+ -+TPM_RC -+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_MAX_BUFFER *data, -+ const TPMI_ALG_HASH hashAlg, -+ const TPMI_RH_HIERARCHY hierarchy, -+ TPM2B_DIGEST *outHash, -+ TPMT_TK_HASHCHECK *validation, -+ TPMS_AUTH_RESPONSE *authResponse); -+ -+TPM_RC -+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_DIGEST *digest, -+ const TPMT_SIGNATURE *signature, -+ TPMT_TK_VERIFIED *validation, -+ TPMS_AUTH_RESPONSE *authResponse); -+ -+TPM_RC -+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession, -+ const TPMS_AUTH_COMMAND *authCommand, -+ const TPM2B_DIGEST *approvedPolicy, -+ const TPM2B_NONCE *policyRef, -+ const TPM2B_NAME *keySign, -+ const TPMT_TK_VERIFIED *checkTicket, -+ TPMS_AUTH_RESPONSE *authResponse); -+ - #endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */ --- -2.35.3 - diff --git a/0004-cryptodisk-Support-key-protectors.patch b/0004-cryptodisk-Support-key-protectors.patch index e5f2b87..aee734b 100644 --- a/0004-cryptodisk-Support-key-protectors.patch +++ b/0004-cryptodisk-Support-key-protectors.patch @@ -1,42 +1,50 @@ -From 9888bf40d960339a59dc18fb6e1df5f65b4668e3 Mon Sep 17 00:00:00 2001 +From 7ce7b7889ce73174a0d8091978254ecf2d2e205f Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:56 -0800 -Subject: [PATCH 13/14] cryptodisk: Support key protectors +Subject: [PATCH 4/5] cryptodisk: Support key protectors -Add a new parameter to cryptomount to support the key protectors framework: -k. +Add a new parameter to cryptomount to support the key protectors framework: -P. The parameter is used to automatically retrieve a key from specified key protectors. The parameter may be repeated to specify any number of key protectors. These are tried in order until one provides a usable key for any given disk. -Signed-off-by: +Signed-off-by: Hernan Gatta +Signed-off-by: Michael Chang +Signed-off-by: Gary Lin +Reviewed-by: Glenn Washburn +Reviewed-by: Stefan Berger --- Makefile.util.def | 1 + - grub-core/disk/cryptodisk.c | 166 +++++++++++++++++++++++++++++------- - include/grub/cryptodisk.h | 14 +++ - 3 files changed, 151 insertions(+), 30 deletions(-) + grub-core/disk/cryptodisk.c | 172 +++++++++++++++++++++++++++++------- + include/grub/cryptodisk.h | 16 ++++ + 3 files changed, 158 insertions(+), 31 deletions(-) +diff --git a/Makefile.util.def b/Makefile.util.def +index 3b9435307..252d70af2 100644 --- a/Makefile.util.def +++ b/Makefile.util.def -@@ -35,6 +35,7 @@ - common = grub-core/kern/list.c; - common = grub-core/kern/misc.c; - common = grub-core/kern/partition.c; -+ common = grub-core/kern/protectors.c; - common = grub-core/lib/crypto.c; - common = grub-core/lib/json/json.c; +@@ -40,6 +40,7 @@ library = { common = grub-core/disk/luks.c; + common = grub-core/disk/luks2.c; + common = grub-core/disk/geli.c; ++ common = grub-core/disk/key_protector.c; + common = grub-core/disk/cryptodisk.c; + common = grub-core/disk/AFSplitter.c; + common = grub-core/lib/pbkdf2.c; +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 2246af51b..b7648ffb7 100644 --- a/grub-core/disk/cryptodisk.c +++ b/grub-core/disk/cryptodisk.c @@ -26,6 +26,7 @@ #include #include #include -+#include ++#include #ifdef GRUB_UTIL #include -@@ -44,7 +45,8 @@ +@@ -44,7 +45,8 @@ enum OPTION_KEYFILE, OPTION_KEYFILE_OFFSET, OPTION_KEYFILE_SIZE, @@ -46,7 +54,7 @@ Signed-off-by: }; static const struct grub_arg_option options[] = -@@ -58,6 +60,8 @@ +@@ -58,6 +60,8 @@ static const struct grub_arg_option options[] = {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING}, @@ -55,7 +63,7 @@ Signed-off-by: {0, 0, 0, 0, 0, 0} }; -@@ -1061,6 +1065,7 @@ +@@ -1061,6 +1065,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_err_t ret = GRUB_ERR_NONE; grub_cryptodisk_t dev; grub_cryptodisk_dev_t cr; @@ -63,7 +71,7 @@ Signed-off-by: struct cryptodisk_read_hook_ctx read_hook_data = {0}; int askpass = 0; char *part = NULL; -@@ -1113,41 +1118,112 @@ +@@ -1113,41 +1118,112 @@ grub_cryptodisk_scan_device_real (const char *name, goto error_no_close; if (!dev) continue; @@ -84,13 +92,7 @@ Signed-off-by: - cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE); - if (cargs->key_data == NULL) - goto error_no_close; -+ if (dev == NULL) -+ { -+ grub_error (GRUB_ERR_BAD_MODULE, -+ "no cryptodisk module can handle this device"); -+ goto error_no_close; -+ } - +- - if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE)) - { - grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied"); @@ -98,16 +100,23 @@ Signed-off-by: - } - cargs->key_len = grub_strlen ((char *) cargs->key_data); - } ++ if (dev == NULL) ++ { ++ grub_error (GRUB_ERR_BAD_MODULE, ++ "no cryptodisk module can handle this device"); ++ goto error_no_close; ++ } + +- ret = cr->recover_key (source, dev, cargs); +- if (ret != GRUB_ERR_NONE) +- goto error; + if (cargs->protectors) + { + for (i = 0; cargs->protectors[i]; i++) + { + if (cargs->key_cache[i].invalid) + continue; - -- ret = cr->recover_key (source, dev, cargs); -- if (ret != GRUB_ERR_NONE) -- goto error; ++ + if (cargs->key_cache[i].key == NULL) + { + ret = grub_key_protector_recover_key (cargs->protectors[i], @@ -146,16 +155,16 @@ Signed-off-by: + cargs->protectors[i], source->name, + source->partition != NULL ? "," : "", + part != NULL ? part : N_("UNKNOWN"), dev->uuid); -+ grub_free (part); -+ continue; ++ grub_free (part); ++ continue; ++ } ++ else ++ { ++ ret = grub_cryptodisk_insert (dev, name, source); ++ if (ret != GRUB_ERR_NONE) ++ goto error; ++ goto cleanup; + } -+ else -+ { -+ ret = grub_cryptodisk_insert (dev, name, source); -+ if (ret != GRUB_ERR_NONE) -+ goto error; -+ goto cleanup; -+ } + } - ret = grub_cryptodisk_insert (dev, name, source); @@ -205,7 +214,7 @@ Signed-off-by: goto cleanup; error: -@@ -1258,6 +1334,20 @@ +@@ -1259,6 +1335,20 @@ grub_cryptodisk_scan_device (const char *name, return ret; } @@ -226,7 +235,7 @@ Signed-off-by: static grub_err_t grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) { -@@ -1270,6 +1360,10 @@ +@@ -1271,6 +1361,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) if (grub_cryptodisk_list == NULL) return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded"); @@ -237,7 +246,7 @@ Signed-off-by: if (state[OPTION_PASSWORD].set) /* password */ { cargs.key_data = (grub_uint8_t *) state[OPTION_PASSWORD].arg; -@@ -1362,6 +1456,15 @@ +@@ -1363,6 +1457,15 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) return grub_errno; } @@ -253,7 +262,7 @@ Signed-off-by: if (state[OPTION_UUID].set) /* uuid */ { int found_uuid; -@@ -1370,6 +1473,7 @@ +@@ -1371,6 +1474,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) dev = grub_cryptodisk_get_by_uuid (args[0]); if (dev) { @@ -261,7 +270,7 @@ Signed-off-by: grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id); return GRUB_ERR_NONE; -@@ -1378,6 +1482,7 @@ +@@ -1379,6 +1483,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) cargs.check_boot = state[OPTION_BOOT].set; cargs.search_uuid = args[0]; found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs); @@ -269,7 +278,7 @@ Signed-off-by: if (found_uuid) return GRUB_ERR_NONE; -@@ -1397,6 +1502,7 @@ +@@ -1398,6 +1503,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) { cargs.check_boot = state[OPTION_BOOT].set; grub_device_iterate (&grub_cryptodisk_scan_device, &cargs); @@ -277,7 +286,7 @@ Signed-off-by: return GRUB_ERR_NONE; } else -@@ -1420,6 +1526,7 @@ +@@ -1421,6 +1527,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) disk = grub_disk_open (diskname); if (!disk) { @@ -285,7 +294,7 @@ Signed-off-by: if (disklast) *disklast = ')'; return grub_errno; -@@ -1430,12 +1537,14 @@ +@@ -1431,12 +1538,14 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) { grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id); grub_disk_close (disk); @@ -300,7 +309,7 @@ Signed-off-by: grub_disk_close (disk); if (disklast) -@@ -1576,6 +1685,7 @@ +@@ -1590,6 +1699,7 @@ GRUB_MOD_INIT (cryptodisk) cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, N_("[ [-p password] | [-k keyfile" " [-O keyoffset] [-S keysize] ] ] [-H file]" @@ -308,9 +317,11 @@ Signed-off-by: " "), N_("Mount a crypto device."), options); grub_procfs_register ("luks_script", &luks_script); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index d94df68b6..0b41e249e 100644 --- a/include/grub/cryptodisk.h +++ b/include/grub/cryptodisk.h -@@ -70,6 +70,18 @@ +@@ -70,6 +70,18 @@ typedef gcry_err_code_t (*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev, grub_uint64_t zoneno); @@ -329,7 +340,7 @@ Signed-off-by: struct grub_cryptomount_args { /* scan: Flag to indicate that only bootable volumes should be decrypted */ -@@ -81,6 +93,10 @@ +@@ -81,6 +93,10 @@ struct grub_cryptomount_args /* recover_key: Length of key_data */ grub_size_t key_len; grub_file_t hdr_file; @@ -340,3 +351,6 @@ Signed-off-by: }; typedef struct grub_cryptomount_args *grub_cryptomount_args_t; +-- +2.35.3 + diff --git a/0004-diskfilter-look-up-cryptodisk-devices-first.patch b/0004-diskfilter-look-up-cryptodisk-devices-first.patch index 344023c..92ed5f8 100644 --- a/0004-diskfilter-look-up-cryptodisk-devices-first.patch +++ b/0004-diskfilter-look-up-cryptodisk-devices-first.patch @@ -1,4 +1,4 @@ -From b7e2fb6a680447b7bb7eb18bb7570afa8d2b7f09 Mon Sep 17 00:00:00 2001 +From 91a99dffbe78b91a0c18b32ebecf755ba9d74032 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 10 Aug 2023 10:19:29 +0800 Subject: [PATCH 4/4] diskfilter: look up cryptodisk devices first @@ -12,15 +12,15 @@ look like this: Since the disk search order is based on the order of module loading, the attacker could insert a malicious disk with the same FS-UUID root to -trick grub2 to boot into th malicious root and further dump memory to +trick grub2 to boot into the malicious root and further dump memory to steal the unsealed key. -To defend such attack, we can specify the hint provided by 'grub-probe' -to search the encrypted partition first: +Do defend against such an attack, we can specify the hint provided by +'grub-probe' to search the encrypted partition first: search --fs-uuid --set=root --hint='cryptouuid/' -However, for LVM on a encrypted partition, the search hint provided by +However, for LVM on an encrypted partition, the search hint provided by 'grub-probe' is: --hint='lvmid//' @@ -29,20 +29,22 @@ It doesn't guarantee to look up the logical volume from the encrypted partition, so the attacker may have the chance to fool grub2 to boot into the malicious disk. -To mininize the attack surface, this commit tweaks the disk device search +To minimize the attack surface, this commit tweaks the disk device search in diskfilter to look up cryptodisk devices first and then others, so that the auto-unlocked disk will be found first, not the attacker's disk. +Cc: Fabian Vogt Signed-off-by: Gary Lin +Reviewed-by: Stefan Berger --- grub-core/disk/diskfilter.c | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c -index 61a311efd..94832c8dd 100644 +index 41e177549..c45bef1ca 100644 --- a/grub-core/disk/diskfilter.c +++ b/grub-core/disk/diskfilter.c -@@ -226,15 +226,32 @@ scan_devices (const char *arname) +@@ -322,15 +322,32 @@ scan_devices (const char *arname) int need_rescan; for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++) diff --git a/0005-util-grub-protect-Add-new-tool.patch b/0005-util-grub-protect-Add-new-tool.patch index 5ff71ed..7c8c676 100644 --- a/0005-util-grub-protect-Add-new-tool.patch +++ b/0005-util-grub-protect-Add-new-tool.patch @@ -1,7 +1,7 @@ -From 1116bc4b9a27aceaec53421e89eb887e6ad3aef8 Mon Sep 17 00:00:00 2001 +From c8c567c463cbe6090e086430251efc0dd4f58164 Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:57 -0800 -Subject: [PATCH v7 12/20] util/grub-protect: Add new tool +Subject: [PATCH 5/5] util/grub-protect: Add new tool To utilize the key protectors framework, there must be a way to protect full-disk encryption keys in the first place. The grub-protect tool @@ -27,6 +27,7 @@ To seal the key with TPM 2.0 Key File (recommended): $ sudo grub-protect --action=add \ --protector=tpm2 \ + --tpm2-pcrs=0,2,4,7,9 \ --tpm2key \ --tpm2-keyfile=luks-key \ --tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm @@ -35,6 +36,7 @@ Or, to seal the key with the raw sealed key: $ sudo grub-protect --action=add \ --protector=tpm2 \ + --tpm2-pcrs=0,2,4,7,9 \ --tpm2-keyfile=luks-key \ --tpm2-outfile=/boot/efi/boot/grub2/sealed.key @@ -45,29 +47,38 @@ cryptomount -u -P tpm2 Or, for the raw sealed key: -tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key +tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key --pcrs=0,2,4,7,9 cryptomount -u -P tpm2 +The benefit of using TPM 2.0 Key File is that the PCR set is already +written in the key file, so there is no need to specify PCRs when +invoking tpm2_key_protector_init. + +Cc: Stefan Berger Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin --- - Makefile.util.def | 22 + - configure.ac | 9 + - util/grub-protect.c | 1492 +++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 1525 insertions(+) + .gitignore | 2 + + Makefile.util.def | 24 + + configure.ac | 30 + + docs/man/grub-protect.h2m | 4 + + util/grub-protect.c | 1420 +++++++++++++++++++++++++++++++++++++ + 5 files changed, 1480 insertions(+) + create mode 100644 docs/man/grub-protect.h2m create mode 100644 util/grub-protect.c -diff --git a/Makefile.util.def b/Makefile.util.def -index e89abb38f..f43c223b9 100644 ---- a/Makefile.util.def -+++ b/Makefile.util.def -@@ -207,6 +207,28 @@ program = { - ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; +Index: grub-2.12/Makefile.util.def +=================================================================== +--- grub-2.12.orig/Makefile.util.def ++++ grub-2.12/Makefile.util.def +@@ -208,6 +208,30 @@ program = { }; -+program = { + program = { + name = grub-protect; ++ mansection = 1; + ++ common = grub-core/kern/emu/argp_common.c; + common = grub-core/osdep/init.c; + common = grub-core/tpm2/args.c; + common = grub-core/tpm2/buffer.c; @@ -84,16 +95,17 @@ index e89abb38f..f43c223b9 100644 + ldadd = '$(LIBTASN1)'; + ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)'; + -+ enable = efi; ++ condition = COND_GRUB_PROTECT; +}; + - program = { ++program = { name = grub-mkrelpath; mansection = 1; -diff --git a/configure.ac b/configure.ac -index c19779c14..9796e5f9b 100644 ---- a/configure.ac -+++ b/configure.ac + +Index: grub-2.12/configure.ac +=================================================================== +--- grub-2.12.orig/configure.ac ++++ grub-2.12/configure.ac @@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2]) grub_TRANSFORM([grub-mkrelpath]) grub_TRANSFORM([grub-mkrescue]) @@ -102,27 +114,70 @@ index c19779c14..9796e5f9b 100644 grub_TRANSFORM([grub-reboot]) grub_TRANSFORM([grub-script-check]) grub_TRANSFORM([grub-set-default]) -@@ -2018,6 +2019,14 @@ fi +@@ -2057,6 +2058,29 @@ fi AC_SUBST([LIBZFS]) AC_SUBST([LIBNVPAIR]) ++AC_ARG_ENABLE([grub-protect], ++ [AS_HELP_STRING([--enable-grub-protect], ++ [build and install the `grub-protect' utility (default=guessed)])]) ++if test x"$enable_grub_protect" = xno ; then ++ grub_protect_excuse="explicitly disabled" ++fi ++ +LIBTASN1= -+if test x"$platform" = xefi; then -+ AC_CHECK_LIB([tasn1], [asn1_write_value], [], -+ [AC_MSG_ERROR([Your platform requires libtasn1])]) -+ LIBTASN1="-ltasn1" ++if test x"$grub_protect_excuse" = x ; then ++ AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], [grub_protect_excuse="need libtasn1 library"]) +fi +AC_SUBST([LIBTASN1]) ++ ++if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; then ++ AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled ($grub_protect_excuse)]) ++fi ++if test x"$grub_protect_excuse" = x ; then ++enable_grub_protect=yes ++else ++enable_grub_protect=no ++fi ++AC_SUBST([enable_grub_protect]) + LIBS="" AC_SUBST([FONT_SOURCE]) -diff --git a/util/grub-protect.c b/util/grub-protect.c -new file mode 100644 -index 000000000..c6d41ea40 +@@ -2177,6 +2201,7 @@ AM_CONDITIONAL([COND_GRUB_EMU_SDL], [tes + AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes]) + AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes]) + AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes]) ++AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes]) + AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x]) + if test x$FONT_SOURCE != x ; then + HAVE_FONT_SOURCE=1 +@@ -2304,6 +2329,11 @@ echo grub-mount: Yes + else + echo grub-mount: No "($grub_mount_excuse)" + fi ++if [ x"$grub_protect_excuse" = x ]; then ++echo grub-protect: Yes ++else ++echo grub-protect: No "($grub_protect_excuse)" ++fi + if [ x"$starfield_excuse" = x ]; then + echo starfield theme: Yes + echo With DejaVuSans font from $DJVU_FONT_SOURCE +Index: grub-2.12/docs/man/grub-protect.h2m +=================================================================== --- /dev/null -+++ b/util/grub-protect.c -@@ -0,0 +1,1492 @@ ++++ grub-2.12/docs/man/grub-protect.h2m +@@ -0,0 +1,4 @@ ++[NAME] ++grub-protect \- protect a disk key with a key protector ++[DESCRIPTION] ++grub-protect helps to pretect a disk encryption key with a specified key protector. +Index: grub-2.12/util/grub-protect.c +=================================================================== +--- /dev/null ++++ grub-2.12/util/grub-protect.c +@@ -0,0 +1,1420 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -151,8 +206,6 @@ index 000000000..c6d41ea40 +#include +#include + -+#include -+#include +#include +#include +#include @@ -228,9 +281,7 @@ index 000000000..c6d41ea40 + const char *tpm2_device; + grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS]; + grub_uint8_t tpm2_pcr_count; -+ TPM_ALG_ID tpm2_asymmetric; -+ TPM_KEY_BITS rsa_bits; -+ TPM_ECC_CURVE ecc_curve; ++ grub_srk_type_t srk_type; + TPM_ALG_ID tpm2_bank; + TPM_HANDLE tpm2_srk; + const char *tpm2_keyfile; @@ -267,7 +318,7 @@ index 000000000..c6d41ea40 + .arg = "FILE", + .flags = 0, + .doc = -+ N_("Path to the TPM2 device (default is /dev/tpm0)."), ++ N_("Path to the TPM2 device. (default: /dev/tpm0)"), + .group = 0 + }, + { @@ -277,7 +328,11 @@ index 000000000..c6d41ea40 + .flags = 0, + .doc = + N_("Comma-separated list of PCRs used to authorize key release " -+ "(e.g., '7,11', default is 7."), ++ "e.g., '7,11'. Please be aware that PCR 0~7 are used by the " ++ "firmware and the measurement result may change after a " ++ "firmware update (for baremetal systems) or a package " ++ "(OVMF/SeaBIOS/SLOF) update in the VM host. This may lead to" ++ "the failure of key unsealing. (default: 7)"), + .group = 0 + }, + { @@ -287,7 +342,7 @@ index 000000000..c6d41ea40 + .flags = 0, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), or SHA512."), ++ "SHA1, SHA256, SHA384, or SHA512. (default: SHA256)"), + .group = 0 + }, + { @@ -324,10 +379,8 @@ index 000000000..c6d41ea40 + .arg = "TYPE", + .flags = 0, + .doc = -+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, " -+ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, " -+ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " -+ "(default is RSA2048)"), ++ N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)." ++ "(default: ECC)"), + .group = 0 + }, + { @@ -374,7 +427,7 @@ index 000000000..c6d41ea40 + } + + len = ftell (f); -+ if (len == 0) ++ if (len <= 0) + { + err = GRUB_ERR_FILE_READ_ERROR; + goto exit1; @@ -434,88 +487,6 @@ index 000000000..c6d41ea40 + return err; +} + -+static grub_err_t -+grub_protect_get_grub_drive_for_file (const char *filepath, char **drive) -+{ -+ grub_err_t err = GRUB_ERR_IO; -+ char *disk; -+ char **devices; -+ char *grub_dev; -+ char *grub_path; -+ char *efi_drive; -+ char *partition; -+ char *grub_drive; -+ grub_device_t dev; -+ grub_size_t grub_drive_len; -+ int n; -+ -+ grub_path = grub_canonicalize_file_name (filepath); -+ if (grub_path == NULL) -+ goto exit1; -+ -+ devices = grub_guess_root_devices (grub_path); -+ if (devices == NULL || devices[0] == NULL) -+ goto exit2; -+ -+ disk = devices[0]; -+ -+ grub_util_pull_device (disk); -+ -+ grub_dev = grub_util_get_grub_dev (disk); -+ if (grub_dev == NULL) -+ goto exit3; -+ -+ dev = grub_device_open (grub_dev); -+ if (dev == NULL) -+ goto exit4; -+ -+ efi_drive = grub_util_guess_efi_drive (disk); -+ if (efi_drive == NULL) -+ goto exit5; -+ -+ partition = grub_partition_get_name (dev->disk->partition); -+ if (partition == NULL) -+ goto exit6; -+ -+ grub_drive_len = grub_strlen (efi_drive) + grub_strlen (partition) + 3; -+ grub_drive = grub_malloc (grub_drive_len + 1); -+ if (grub_drive == NULL) -+ goto exit7; -+ -+ n = grub_snprintf (grub_drive, grub_drive_len + 1, "(%s,%s)", efi_drive, -+ partition); -+ if (n != grub_drive_len) -+ goto exit8; -+ -+ *drive = grub_drive; -+ grub_drive = NULL; -+ err = GRUB_ERR_NONE; -+ -+exit8: -+ grub_free (grub_drive); -+ -+exit7: -+ grub_free (partition); -+ -+exit6: -+ grub_free (efi_drive); -+ -+exit5: -+ grub_device_close (dev); -+ -+exit4: -+ grub_free (grub_dev); -+ -+exit3: -+ grub_free (devices); -+ -+exit2: -+ grub_free (grub_path); -+ -+exit1: -+ return err; -+} -+ +grub_err_t +grub_tcg2_get_max_output_size (grub_size_t *size) +{ @@ -552,7 +523,7 @@ index 000000000..c6d41ea40 + grub_protector_tpm2_fd = open (dev_node, O_RDWR); + if (grub_protector_tpm2_fd == -1) + { -+ fprintf (stderr, _("Could not open TPM device (Error: %u).\n"), errno); ++ fprintf (stderr, _("Could not open TPM device (%s).\n"), strerror (errno)); + return GRUB_ERR_FILE_NOT_FOUND; + } + @@ -595,20 +566,15 @@ index 000000000..c6d41ea40 + }; + TPML_PCR_SELECTION pcr_sel_out = { 0 }; + TPML_DIGEST pcr_values = { 0 }; -+ grub_uint8_t *pcr_digest; ++ TPM2B_DIGEST pcr_digest = { 0 }; + grub_size_t pcr_digest_len; -+ grub_uint8_t *pcr_concat; ++ TPM2B_MAX_BUFFER pcr_concat = { 0 }; + grub_size_t pcr_concat_len; + grub_uint8_t *pcr_cursor; -+ const gcry_md_spec_t *hash_spec; + TPM2B_NONCE nonce = { 0 }; + TPM2B_ENCRYPTED_SECRET salt = { 0 }; + TPMT_SYM_DEF symmetric = { 0 }; + TPMI_SH_AUTH_SESSION session = 0; -+ TPM2B_DIGEST pcr_digest_in = { -+ .size = TPM_SHA256_DIGEST_SIZE, -+ .buffer = { 0 } -+ }; + TPM2B_DIGEST policy_digest = { 0 }; + grub_uint8_t i; + grub_err_t err; @@ -637,40 +603,28 @@ index 000000000..c6d41ea40 + { + case TPM_ALG_SHA1: + pcr_digest_len = TPM_SHA1_DIGEST_SIZE; -+ hash_spec = GRUB_MD_SHA1; + break; + case TPM_ALG_SHA256: + pcr_digest_len = TPM_SHA256_DIGEST_SIZE; -+ hash_spec = GRUB_MD_SHA256; ++ break; ++ case TPM_ALG_SHA384: ++ pcr_digest_len = TPM_SHA384_DIGEST_SIZE; + break; + case TPM_ALG_SHA512: + pcr_digest_len = TPM_SHA512_DIGEST_SIZE; -+ hash_spec = GRUB_MD_SHA512; + break; -+ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(), -+ it's not supported by the built-in libgcrypt, and we won't be able to -+ calculate the PCR digest, so SHA384 is marked as unsupported. */ + default: + return GRUB_ERR_BAD_ARGUMENT; + } + -+ pcr_digest = grub_malloc (pcr_digest_len); -+ if (!pcr_digest) -+ { -+ fprintf (stderr, _("Failed to allocate PCR digest buffer.\n")); -+ return GRUB_ERR_OUT_OF_MEMORY; -+ } -+ + pcr_concat_len = pcr_digest_len * args->tpm2_pcr_count; -+ pcr_concat = grub_malloc (pcr_concat_len); -+ if (pcr_concat == NULL) ++ if (pcr_concat_len > TPM_MAX_DIGEST_BUFFER) + { -+ err = GRUB_ERR_OUT_OF_MEMORY; -+ fprintf (stderr, _("Failed to allocate PCR concatenation buffer.\n")); -+ goto exit1; ++ fprintf (stderr, _("PCR concatenation buffer not enough.\n")); ++ return GRUB_ERR_OUT_OF_RANGE; + } + -+ pcr_cursor = pcr_concat; ++ pcr_cursor = pcr_concat.buffer; + for (i = 0; i < args->tpm2_pcr_count; i++) + { + if (pcr_values.digests[i].size != pcr_digest_len) @@ -678,14 +632,21 @@ index 000000000..c6d41ea40 + fprintf (stderr, + _("Bad PCR value size: expected %" PRIuGRUB_SIZE " bytes but got %u bytes.\n"), + pcr_digest_len, pcr_values.digests[i].size); -+ goto exit2; ++ return GRUB_ERR_BAD_ARGUMENT; + } + + grub_memcpy (pcr_cursor, pcr_values.digests[i].buffer, pcr_digest_len); + pcr_cursor += pcr_digest_len; + } ++ pcr_concat.size = pcr_concat_len; + -+ grub_crypto_hash (hash_spec, pcr_digest, pcr_concat, pcr_concat_len); ++ rc = TPM2_Hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest, ++ NULL, NULL); ++ if (rc != TPM_RC_SUCCESS) ++ { ++ fprintf (stderr, _("Failed to generate PCR digest (TPM2_Hash: 0x%x)\n"), rc); ++ return GRUB_ERR_BAD_DEVICE; ++ } + + /* Start Trial Session */ + nonce.size = TPM_SHA256_DIGEST_SIZE; @@ -699,20 +660,17 @@ index 000000000..c6d41ea40 + fprintf (stderr, + _("Failed to start trial policy session (TPM2_StartAuthSession: 0x%x).\n"), + rc); -+ err = GRUB_ERR_BAD_DEVICE; -+ goto exit2; ++ return GRUB_ERR_BAD_DEVICE; + } + + /* PCR Policy */ -+ memcpy (pcr_digest_in.buffer, pcr_digest, TPM_SHA256_DIGEST_SIZE); -+ -+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL); ++ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest, &pcr_sel, NULL); + if (rc != TPM_RC_SUCCESS) + { + fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR: 0x%x).\n"), + rc); + err = GRUB_ERR_BAD_DEVICE; -+ goto exit3; ++ goto error; + } + + /* Retrieve Policy Digest */ @@ -722,22 +680,16 @@ index 000000000..c6d41ea40 + fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).\n"), + rc); + err = GRUB_ERR_BAD_DEVICE; -+ goto exit3; ++ goto error; + } + + /* Epilogue */ + *digest = policy_digest; + err = GRUB_ERR_NONE; + -+exit3: ++error: + TPM2_FlushContext (session); + -+exit2: -+ grub_free (pcr_concat); -+ -+exit1: -+ grub_free (pcr_digest); -+ + return err; +} + @@ -781,8 +733,8 @@ index 000000000..c6d41ea40 + + /* Create SRK */ + authCommand.sessionHandle = TPM_RS_PW; -+ inPublic.publicArea.type = args->tpm2_asymmetric; -+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256; ++ inPublic.publicArea.type = args->srk_type.type; ++ inPublic.publicArea.nameAlg = TPM_ALG_SHA256; + inPublic.publicArea.objectAttributes.restricted = 1; + inPublic.publicArea.objectAttributes.userWithAuth = 1; + inPublic.publicArea.objectAttributes.decrypt = 1; @@ -791,14 +743,14 @@ index 000000000..c6d41ea40 + inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1; + inPublic.publicArea.objectAttributes.noDA = 1; + -+ switch (args->tpm2_asymmetric) ++ switch (args->srk_type.type) + { + case TPM_ALG_RSA: + inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES; + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = args->srk_type.detail.rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + break; + @@ -807,7 +759,7 @@ index 000000000..c6d41ea40 + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve; ++ inPublic.publicArea.parameters.eccDetail.curveID = args->srk_type.detail.ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + break; + @@ -948,6 +900,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "type", sealed_key_oid, 1); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'type': 0x%u\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -956,6 +909,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "emptyAuth", "TRUE", 1); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'emptyAuth': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -964,6 +918,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "policy", "NEW", 1); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'policy': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -972,6 +927,7 @@ index 000000000..c6d41ea40 + sizeof (cmd_code)); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'policy CommandCode': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -979,6 +935,7 @@ index 000000000..c6d41ea40 + pol_buf.size); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'policy CommandPolicy': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -987,6 +944,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "secret", NULL, 0); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to remove 'secret': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -995,15 +953,48 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "authPolicy", NULL, 0); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to remove 'authPolicy': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } + -+ /* Use TPM_RH_OWNER as the default parent handle */ -+ parent = grub_cpu_to_be32 (TPM_RH_OWNER); ++ /* Remove 'description' */ ++ ret = asn1_write_value (tpm2key, "description", NULL, 0); ++ if (ret != ASN1_SUCCESS) ++ { ++ fprintf (stderr, _("Failed to remove 'description': 0x%x\n"), ret); ++ err = GRUB_ERR_BAD_ARGUMENT; ++ goto error; ++ } ++ ++ /* ++ * Use the SRK handle as the parent handle if specified ++ * Otherwise, Use TPM_RH_OWNER as the default parent handle ++ */ ++ if (args->tpm2_srk != 0) ++ parent = grub_cpu_to_be32 (args->tpm2_srk); ++ else ++ parent = grub_cpu_to_be32 (TPM_RH_OWNER); + ret = asn1_write_value (tpm2key, "parent", &parent, sizeof (parent)); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'parent': 0x%x\n"), ret); ++ err = GRUB_ERR_BAD_ARGUMENT; ++ goto error; ++ } ++ ++ /* ++ * Set 'rsaParent' to TRUE if the RSA SRK is specified and the SRK ++ * handle is not persistent. Otherwise, remove 'rsaParent'. ++ */ ++ if (args->tpm2_srk == 0 && args->srk_type.type == TPM_ALG_RSA) ++ ret = asn1_write_value (tpm2key, "rsaParent", "TRUE", 1); ++ else ++ ret = asn1_write_value (tpm2key, "rsaParent", NULL, 0); ++ ++ if (ret != ASN1_SUCCESS) ++ { ++ fprintf (stderr, _("Failed to set 'rsaParent': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -1012,6 +1003,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "pubkey", pub_buf.data, pub_buf.size); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'pubkey': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -1020,6 +1012,7 @@ index 000000000..c6d41ea40 + ret = asn1_write_value (tpm2key, "privkey", priv_buf.data, priv_buf.size); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, _("Failed to set 'privkey': 0x%x\n"), ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -1027,10 +1020,17 @@ index 000000000..c6d41ea40 + /* Create the DER binary */ + der_buf_size = 0; + ret = asn1_der_coding (tpm2key, "", NULL, &der_buf_size, NULL); ++ if (ret != ASN1_MEM_ERROR) ++ { ++ fprintf (stderr, _("Failed to get DER size: 0x%x\n"), ret); ++ err = GRUB_ERR_BAD_ARGUMENT; ++ goto error; ++ } + + der_buf = grub_malloc (der_buf_size); + if (der_buf == NULL) + { ++ fprintf (stderr, _("Failed to allocate memory for DER encoding\n")); + err = GRUB_ERR_OUT_OF_MEMORY; + goto error; + } @@ -1038,6 +1038,7 @@ index 000000000..c6d41ea40 + ret = asn1_der_coding (tpm2key, "", der_buf, &der_buf_size, NULL); + if (ret != ASN1_SUCCESS) + { ++ fprintf (stderr, "DER coding error: 0x%x\n", ret); + err = GRUB_ERR_BAD_ARGUMENT; + goto error; + } @@ -1082,14 +1083,11 @@ index 000000000..c6d41ea40 +grub_protect_tpm2_add (struct grub_protect_args *args) +{ + grub_err_t err; -+ grub_uint8_t *key; ++ grub_uint8_t *key = NULL; + grub_size_t key_size; + TPM_HANDLE srk; + TPM2B_DIGEST policy_digest; + TPM2_SEALED_KEY sealed_key; -+ char *grub_drive = NULL; -+ -+ grub_protect_get_grub_drive_for_file (args->tpm2_outfile, &grub_drive); + + err = grub_protect_tpm2_open_device (args->tpm2_device); + if (err != GRUB_ERR_NONE) @@ -1104,7 +1102,8 @@ index 000000000..c6d41ea40 + fprintf (stderr, + _("Input key is too long, maximum allowed size is %u bytes.\n"), + TPM_MAX_SYM_DATA); -+ return GRUB_ERR_OUT_OF_RANGE; ++ err = GRUB_ERR_OUT_OF_RANGE; ++ goto exit2; + } + + err = grub_protect_tpm2_get_srk (args, &srk); @@ -1127,19 +1126,6 @@ index 000000000..c6d41ea40 + if (err != GRUB_ERR_NONE) + goto exit3; + -+ if (grub_drive) -+ { -+ printf (_("GRUB drive for the sealed key file: %s\n"), grub_drive); -+ grub_free (grub_drive); -+ } -+ else -+ { -+ fprintf (stderr, -+ _("Warning: Could not determine GRUB drive for sealed key " -+ "file.\n")); -+ err = GRUB_ERR_NONE; -+ } -+ +exit3: + TPM2_FlushContext (srk); + @@ -1254,10 +1240,10 @@ index 000000000..c6d41ea40 + args->tpm2_pcr_count = 1; + } + -+ if (args->tpm2_asymmetric == TPM_ALG_ERROR) ++ if (args->srk_type.type == TPM_ALG_ERROR) + { -+ args->tpm2_asymmetric = TPM_ALG_RSA; -+ args->rsa_bits = 2048; ++ args->srk_type.type = TPM_ALG_ECC; ++ args->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256; + } + + if (args->tpm2_bank == TPM_ALG_ERROR) @@ -1424,8 +1410,7 @@ index 000000000..c6d41ea40 + return EINVAL; + } + -+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric, -+ &args->rsa_bits, &args->ecc_curve); ++ err = grub_tpm2_protector_parse_asymmetric (arg, &args->srk_type); + if (err != GRUB_ERR_NONE) + { + if (grub_errno != GRUB_ERR_NONE) @@ -1555,7 +1540,6 @@ index 000000000..c6d41ea40 + grub_util_biosdisk_init (NULL); + + grub_init_all (); -+ grub_gcry_init_all (); + + grub_lvm_fini (); + grub_mdraid09_fini (); @@ -1570,7 +1554,6 @@ index 000000000..c6d41ea40 +static void +grub_protect_fini (void) +{ -+ grub_gcry_fini_all (); + grub_fini_all (); + grub_util_biosdisk_fini (); +} @@ -1615,6 +1598,3 @@ index 000000000..c6d41ea40 + + return err; +} --- -2.35.3 - diff --git a/0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch b/0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch index e8b23ab..a2ed343 100644 --- a/0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch +++ b/0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch @@ -1,4 +1,4 @@ -From 855b3e5cd4d672e961a366ff0f53e3a09a1ad0cc Mon Sep 17 00:00:00 2001 +From 96e5a28d120856057fe7fc9b281f11f8933063b7 Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Fri, 30 Jun 2023 14:37:41 +0800 Subject: [PATCH 7/9] grub-switch-to-blscfg: adapt to openSUSE @@ -12,17 +12,26 @@ A few tweaks to make it 'just works' for openSUSE: - remove RHEL specific $GRUB_LINUX_MAKE_DEBUG and all related code - remove ostree specific hack - ignore increment.mod +- fix error in dash shell script +- fix kernel flavor parsing in openSUSE Signed-off-by: Michael Chang --- - util/grub-switch-to-blscfg.in | 144 ++++++++++++++++++++-------------- - 1 file changed, 87 insertions(+), 57 deletions(-) + util/grub-switch-to-blscfg.in | 156 ++++++++++++++++++++-------------- + 1 file changed, 94 insertions(+), 62 deletions(-) diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in -index a851424be..66ecc0cae 100644 +index a851424be..145c22add 100644 --- a/util/grub-switch-to-blscfg.in +++ b/util/grub-switch-to-blscfg.in -@@ -34,21 +34,18 @@ fi +@@ -28,27 +28,24 @@ PACKAGE_NAME=@PACKAGE_NAME@ + PACKAGE_VERSION=@PACKAGE_VERSION@ + datarootdir="@datarootdir@" + datadir="@datadir@" +-if [ ! -v pkgdatadir ]; then ++if [ -z "${pkgdatadir+x}" ]; then + pkgdatadir="${datadir}/@PACKAGE@" + fi self=`basename $0` @@ -162,7 +171,7 @@ index a851424be..66ecc0cae 100644 gettext_printf "Couldn't find config file\n" 1>&2 exit 1 fi -@@ -190,27 +252,22 @@ fi +@@ -190,27 +252,24 @@ fi mkbls() { local kernelver=$1 && shift local datetime=$1 && shift @@ -173,15 +182,21 @@ index a851424be..66ecc0cae 100644 - local debugid="" local flavor="" - if [ "$kernelver" == *\+* ] ; then - local flavor=-"${kernelver##*+}" +- if [ "$kernelver" == *\+* ] ; then +- local flavor=-"${kernelver##*+}" - if [ "${flavor}" == "-debug" ]; then - local debugname=" with debugging" - local debugid="-debug" - fi - fi +- fi ++ case "$kernelver" in ++ *-*-*) ++ flavor=-"${kernelver##*-}" ++ ;; ++ esac ( - source /etc/os-release +- source /etc/os-release ++ . /etc/os-release cat < Date: Wed, 13 Mar 2024 15:26:42 +0800 Subject: [PATCH 9/9] 10_linux: Some refinement for BLS @@ -8,13 +8,16 @@ kernelopts assignment in the grub boot config itself to fully delegate the responsibility of generating kernel options to a functioning BLS generator. +Additionally, removing unused dead code, which is often blamed for +causing errors in the dash shell script. + Signed-off-by: Michael Chang --- - util/grub.d/10_linux.in | 29 ----------------------------- - 1 file changed, 29 deletions(-) + util/grub.d/10_linux.in | 194 ---------------------------------------- + 1 file changed, 194 deletions(-) diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index edf0fca55..7cbff7466 100644 +index edf0fca55..666eae995 100644 --- a/util/grub.d/10_linux.in +++ b/util/grub.d/10_linux.in @@ -93,11 +93,7 @@ fi @@ -29,20 +32,138 @@ index edf0fca55..7cbff7466 100644 cat </dev/null | tac)) || : +- +- echo "${files[@]}" +-} +- +-update_bls_cmdline() +-{ +- local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" +- local -a files=($(get_sorted_bls)) +- +- for bls in "${files[@]}"; do +- local options="${cmdline}" +- if [ -z "${bls##*debug*}" ]; then +- options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}" +- fi +- options="$(echo "${options}" | sed -e 's/\//\\\//g')" +- sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf" +- done +-} +- +-populate_menu() +-{ +- local -a files=($(get_sorted_bls)) +- +- gettext_printf "Generating boot entries from BLS files...\n" >&2 +- +- for bls in "${files[@]}"; do +- read_config "${blsdir}/${bls}.conf" +- +- menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n" +- menu="${menu}\t linux ${linux} ${options}\n" +- if [ -n "${initrd}" ] ; then +- menu="${menu}\t initrd ${boot_prefix}${initrd}\n" +- fi +- menu="${menu}}\n\n" +- done +- # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation +- printf "$menu" +-} +- -# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed. -# FIXME: The test should be aligned to openSUSE, grubby is not our default tool -if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then - GRUB_ENABLE_BLSCFG="true" -fi - +- if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then if [ x$dirname = x/ ]; then -@@ -252,31 +243,11 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then + if [ -z "${prepare_root_cache}" ]; then +@@ -225,111 +125,17 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then + prepare_grub_to_access_device_with_variable boot ${boot_device} + fi +- arch="$(uname -m)" +- if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then +- +- BLS_POPULATE_MENU="true" +- petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot" +- +- if test -e ${petitboot_path}; then +- read -r -d '' petitboot_version < ${petitboot_path} +- petitboot_version="$(echo ${petitboot_version//v})" +- +- if test -n ${petitboot_version}; then +- major_version="$(echo ${petitboot_version} | cut -d . -f1)" +- minor_version="$(echo ${petitboot_version} | cut -d . -f2)" +- +- re='^[0-9]+$' +- if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] && +- ([[ ${major_version} -gt 1 ]] || +- [[ ${major_version} -eq 1 && +- ${minor_version} -ge 8 ]]); then +- BLS_POPULATE_MENU="false" +- fi +- fi +- fi +- fi +- populate_header_warn - cat << EOF @@ -69,10 +190,63 @@ index edf0fca55..7cbff7466 100644 insmod blscfg blscfg EOF +- fi +- +- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then +- blsdir="/boot/loader/entries" +- [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})" +- if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then +- blsdir=$(make_system_path_relative_to_its_root "${blsdir}") +- if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then +- ${grub_editenv} - set blsdir="${blsdir}" +- fi +- fi +- +- if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then +- ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}" +- fi +- +- if [ -n "${GRUB_DEFAULT_DTB}" ]; then +- ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}" +- fi +- +- if [ -n "${GRUB_SAVEDEFAULT}" ]; then +- ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}" +- fi - fi - if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then - blsdir="/boot/loader/entries" + exit 0 + fi + +-mktitle () +-{ +- local title_type +- local version +- local OS_NAME +- local OS_VERS +- +- title_type=$1 && shift +- version=$1 && shift +- +- OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})" +- OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})" +- +- case $title_type in +- recovery) +- title=$(printf '%s (%s) %s (recovery mode)' \ +- "${OS_NAME}" "${version}" "${OS_VERS}") +- ;; +- *) +- title=$(printf '%s (%s) %s' \ +- "${OS_NAME}" "${version}" "${OS_VERS}") +- ;; +- esac +- echo -n ${title} +-} +- + title_correction_code= + + hotkey=1 -- -2.44.0 +2.45.2 diff --git a/20_memtest86+ b/20_memtest86+ deleted file mode 100644 index 8e77599..0000000 --- a/20_memtest86+ +++ /dev/null @@ -1,88 +0,0 @@ -#! /bin/sh -set -e - -# grub-mkconfig helper script. -# Copyright (C) 2011 Michal Ambroz -# Adapted for openSUSE by Andrey Borzenkov -# Adapted for EFI by Hans-Peter Jansen -# -# you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# Distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with the script. If not, see . - -# WARNING WARNING WARNING WARNING WARNING WARNING WARNING -# This file is deprecated, it is going to be removed soon -# and it's functionality has been disabled. -# The package memtest86+ is going to provide a similar file. -# Until that happens, you can reenable this file by -# adding to it the execute permission. -# WARNING WARNING WARNING WARNING WARNING WARNING WARNING - -. "$pkgdatadir/grub-mkconfig_lib" - -export TEXTDOMAIN=grub2 -export TEXTDOMAINDIR=/usr/share/locale - -CLASS="--class memtest86 --class gnu --class tools" - -if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then - OS=Memtest -else - OS="${GRUB_DISTRIBUTOR} Memtest" - CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1) ${CLASS}" -fi - -# memtest86+ comes in two flavours, one EFI and one suitable for x86 real mode. -# The EFI module requires security disabled in BIOS (Boot Mode: Other OS) -if [ -d /sys/firmware/efi ]; then - if [ -f /boot/efi/EFI/memtest86/memtest.efi ]; then - memtest=/boot/efi/EFI/memtest86/memtest.efi - elif [ -f /usr/lib/memtest86+/memtest.efi ]; then - memtest=/usr/lib/memtest86+/memtest.efi - else - #memtest.efi not found - exit 0 - fi - loader='linux ' - message="$(gettext_printf "Loading EFI memtest ...\n" | grub_quote)" -else - if [ -f /boot/memtest.bin ]; then - memtest=/boot/memtest.bin - elif [ -f /usr/lib/memtest86+/memtest.bin ]; then - memtest=/usr/lib/memtest86+/memtest.bin - else - #memtest.bin not found - exit 0 - fi - loader='linux16' - message="$(gettext_printf "Loading x86 memtest ...\n" | grub_quote)" -fi -# locate the real partition -GRUB_DEVICE_BOOT=$(grub2-probe -t device "$memtest") - -if grub_file_is_not_garbage "$memtest" ; then - gettext_printf "Found memtest image: %s\n" "$memtest" >&2 - basename=`basename $memtest` - dirname=`dirname $memtest` - rel_dirname=`make_system_path_relative_to_its_root $dirname` - boot_device_id="$(grub_get_device_id "${GRUB_DEVICE_BOOT}")" - - printf "menuentry '%s' %s \$menuentry_id_option '%s' {\n" "${OS}" "${CLASS}" "memtest-$boot_device_id" - prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | sed -e "s/^/\t/")" - printf '%s\n' "${prepare_boot_cache}" - cat << EOF - echo '$message' - ${loader} ${rel_dirname}/${basename} -} - -EOF -fi diff --git a/grub2-bsc1220338-key_protector-implement-the-blocklist.patch b/grub2-bsc1220338-key_protector-implement-the-blocklist.patch index c754b1e..b7345e9 100644 --- a/grub2-bsc1220338-key_protector-implement-the-blocklist.patch +++ b/grub2-bsc1220338-key_protector-implement-the-blocklist.patch @@ -1,4 +1,4 @@ -From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001 +From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Mon, 18 Mar 2024 14:53:11 +0800 Subject: [PATCH] key_protector: implement the blocklist @@ -11,17 +11,17 @@ action for the key recovery. Signed-off-by: Gary Lin --- - grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++ - include/grub/efi/api.h | 5 +++++ + grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++ + include/grub/efi/api.h | 5 +++++ 2 files changed, 36 insertions(+) -Index: grub-2.12/grub-core/kern/protectors.c -=================================================================== ---- grub-2.12.orig/grub-core/kern/protectors.c -+++ grub-2.12/grub-core/kern/protectors.c -@@ -21,6 +21,10 @@ - #include - #include +diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c +index b84afe1c7..3d630ca4f 100644 +--- a/grub-core/disk/key_protector.c ++++ b/grub-core/disk/key_protector.c +@@ -24,6 +24,10 @@ + + GRUB_MOD_LICENSE ("GPLv3+"); +#ifdef GRUB_MACHINE_EFI +#include @@ -30,7 +30,7 @@ Index: grub-2.12/grub-core/kern/protectors.c struct grub_key_protector *grub_key_protectors = NULL; grub_err_t -@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr +@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector) return GRUB_ERR_NONE; } @@ -65,7 +65,7 @@ Index: grub-2.12/grub-core/kern/protectors.c if (grub_key_protectors == NULL) return GRUB_ERR_OUT_OF_RANGE; -@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch +@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key, "Is the name spelled correctly and is the " "corresponding module loaded?"), protector); @@ -75,10 +75,10 @@ Index: grub-2.12/grub-core/kern/protectors.c + return kp->recover_key (key, key_size); } -Index: grub-2.12/include/grub/efi/api.h -=================================================================== ---- grub-2.12.orig/include/grub/efi/api.h -+++ grub-2.12/include/grub/efi/api.h +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index 7947cf592..975b90b09 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h @@ -389,6 +389,11 @@ { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \ } @@ -91,3 +91,6 @@ Index: grub-2.12/include/grub/efi/api.h struct grub_efi_sal_system_table { grub_uint32_t signature; +-- +2.35.3 + diff --git a/grub2-btrfs-06-subvol-mount.patch b/grub2-btrfs-06-subvol-mount.patch index eabffd3..2be6c80 100644 --- a/grub2-btrfs-06-subvol-mount.patch +++ b/grub2-btrfs-06-subvol-mount.patch @@ -7,6 +7,10 @@ v3: * Fix executable stack on which function trampoline is constructed to support closure (nested function). The closure sematic is replaced. +v4: +* Fix btrfs subvolume for platform modules not mounting at runtime when the + default subvolume is the topmost root tree (bsc#1228124) + --- a/grub-core/fs/btrfs.c +++ b/grub-core/fs/btrfs.c @@ -44,6 +44,7 @@ @@ -57,7 +61,7 @@ v3: if (err) return grub_error(GRUB_ERR_FILE_NOT_FOUND, "couldn't locate %s\n", path); -@@ -2321,11 +2345,20 @@ +@@ -2323,11 +2347,20 @@ grub_uint64_t tree; grub_uint8_t type; grub_size_t est_size = 0; @@ -79,7 +83,7 @@ v3: if (err) { grub_btrfs_unmount (data); -@@ -2452,11 +2485,21 @@ +@@ -2454,11 +2487,21 @@ struct grub_btrfs_inode inode; grub_uint8_t type; struct grub_btrfs_key key_in; @@ -102,7 +106,7 @@ v3: if (err) { grub_btrfs_unmount (data); -@@ -2691,6 +2734,150 @@ +@@ -2693,6 +2736,150 @@ return 0; } @@ -253,7 +257,7 @@ v3: static grub_err_t get_fs_root(struct grub_btrfs_data *data, grub_uint64_t tree, grub_uint64_t objectid, grub_uint64_t offset, -@@ -2903,6 +3090,7 @@ +@@ -2905,6 +3092,7 @@ }; static grub_command_t cmd_info; @@ -261,7 +265,7 @@ v3: static grub_extcmd_t cmd_list_subvols; static char * -@@ -2966,6 +3154,9 @@ +@@ -2968,6 +3156,9 @@ cmd_info = grub_register_command("btrfs-info", grub_cmd_btrfs_info, "DEVICE", "Print BtrFS info about DEVICE."); @@ -288,18 +292,22 @@ v3: struct btrfs_ioctl_search_args { struct btrfs_ioctl_search_key key; grub_uint64_t buf[(4096 - sizeof(struct btrfs_ioctl_search_key)) -@@ -375,6 +383,109 @@ +@@ -375,6 +383,117 @@ int use_relative_path_on_btrfs = 0; +static char * -+get_btrfs_subvol (const char *path) ++get_btrfs_subvol (const char *path, grub_uint64_t *subvolid) +{ + struct btrfs_ioctl_ino_lookup_args args; + grub_uint64_t tree_id; ++ grub_uint64_t ret_id; + int fd = -1; + char *ret = NULL; + ++ if (subvolid) ++ *subvolid = 0; ++ + fd = open (path, O_RDONLY); + + if (fd < 0) @@ -312,6 +320,7 @@ v3: + goto error; + + tree_id = args.treeid; ++ ret_id = args.treeid; + + while (tree_id != GRUB_BTRFS_ROOT_VOL_OBJECTID) + { @@ -380,6 +389,9 @@ v3: + } + } + ++ if (subvolid) ++ *subvolid = ret_id; ++ + close (fd); + return ret; + @@ -398,7 +410,7 @@ v3: char ** grub_find_root_devices_from_mountinfo (const char *dir, char **relroot) { -@@ -516,12 +627,17 @@ +@@ -516,12 +635,17 @@ else if (grub_strcmp (entries[i].fstype, "btrfs") == 0) { ret = grub_find_root_devices_from_btrfs (dir); @@ -419,13 +431,13 @@ v3: } } else if (!retry && grub_strcmp (entries[i].fstype, "autofs") == 0) -@@ -1202,6 +1318,24 @@ +@@ -1202,6 +1326,24 @@ return grub_dev; } + +char * -+grub_util_get_btrfs_subvol (const char *path, char **mount_path) ++grub_util_get_btrfs_subvol (const char *path, char **mount_path, grub_uint64_t *subvolid) +{ + if (mount_path) + *mount_path = NULL; @@ -438,7 +450,7 @@ v3: + if (mount_path) + *mount_path = grub_strdup (grub_btrfs_mount_path); + -+ return get_btrfs_subvol (grub_btrfs_mount_path); ++ return get_btrfs_subvol (grub_btrfs_mount_path, subvolid); +} + char * @@ -446,7 +458,7 @@ v3: { --- a/util/grub-install.c +++ b/util/grub-install.c -@@ -1645,6 +1645,58 @@ +@@ -1646,6 +1646,58 @@ prefix_drive = xasprintf ("(%s)", grub_drives[0]); } @@ -457,6 +469,7 @@ v3: + { + char *subvol = NULL; + char *mount_path = NULL; ++ grub_uint64_t subvolid = 0; + char **rootdir_devices = NULL; + char *t = grub_util_path_concat (2, "/", rootdir); + char *rootdir_path = grub_canonicalize_file_name (t); @@ -466,15 +479,15 @@ v3: + + if (rootdir_devices && rootdir_devices[0]) + if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0) -+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path); ++ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid); + + if (subvol && mount_path) + { -+ char *def_subvol; ++ grub_uint64_t def_subvolid = 0; + -+ def_subvol = grub_util_get_btrfs_subvol (rootdir_path, NULL); ++ grub_free (grub_util_get_btrfs_subvol (rootdir_path, NULL, &def_subvolid)); + -+ if (def_subvol) ++ if (def_subvolid) + { + char *rootdir_mount_path = NULL; + if (!load_cfg_f) @@ -484,10 +497,9 @@ v3: + if (grub_strncmp (rootdir_path, mount_path, grub_strlen (rootdir_path)) == 0) + rootdir_mount_path = grub_util_path_concat (2, "/", mount_path + grub_strlen (rootdir_path)); + -+ if (grub_strcmp (subvol, def_subvol) != 0 && rootdir_mount_path) ++ if (subvolid != def_subvolid && rootdir_mount_path) + fprintf (load_cfg_f, "btrfs-mount-subvol ($root) %s %s\n", rootdir_mount_path, subvol); + free (rootdir_mount_path); -+ free (def_subvol); + } + } + @@ -513,7 +525,7 @@ v3: +#ifdef __linux__ +char * -+grub_util_get_btrfs_subvol (const char *path, char **mount_path); ++grub_util_get_btrfs_subvol (const char *path, char **mount_path, grub_uint64_t *subvolid); +#endif + /* Devmapper functions provided by getroot_devmapper.c. */ diff --git a/grub2-fix-menu-in-xen-host-server.patch b/grub2-fix-menu-in-xen-host-server.patch index 00065e1..a7e719d 100644 --- a/grub2-fix-menu-in-xen-host-server.patch +++ b/grub2-fix-menu-in-xen-host-server.patch @@ -21,6 +21,11 @@ Create only hypervisor pointed by /boot/xen.gz symlink to not clutter the menu with multiple versions and also not include -dbg. Use custom.cfg if you need any other custom entries. +v3: +References: bsc#1224226 +Fix the error in /etc/grub.d/20_linux_xen where file_is_not_sym was not +found, as it has been renamed to file_is_not_xen_garbage. + --- util/grub-mkconfig_lib.in | 5 +++++ util/grub.d/10_linux.in | 12 ++++++++++-- @@ -59,7 +64,7 @@ if you need any other custom entries. + # wildcard expasion with correct suffix (.gz) for not generating many duplicated menu entries + xen_list= + for i in /boot/xen*.gz; do -+ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then xen_list="$xen_list $i" ; fi ++ if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then xen_list="$xen_list $i" ; fi + done +fi prepare_boot_cache= diff --git a/grub2-grubenv-in-btrfs-header.patch b/grub2-grubenv-in-btrfs-header.patch index 560dead..09224e6 100644 --- a/grub2-grubenv-in-btrfs-header.patch +++ b/grub2-grubenv-in-btrfs-header.patch @@ -9,6 +9,17 @@ v3: * Use xcalloc for overflow check and return NULL when it would occur. +v4: + * Fix gcc error with CFLAGS=-Og + + ../util/grub-editenv.c: In function ‘read_envblk_fs’: + ../util/grub-editenv.c:172:14: error: ‘sz’ may be used uninitialized [-Werror=maybe-uninitialized] + 172 | sz <<= GRUB_DISK_SECTOR_BITS; + ../util/grub-editenv.c:155:16: note: ‘sz’ was declared here + 155 | int off, sz; + | ^~ + cc1: all warnings being treated as errors + --- --- a/grub-core/kern/fs.c +++ b/grub-core/kern/fs.c @@ -49,7 +60,7 @@ v3: #include #include -@@ -120,6 +123,140 @@ +@@ -120,6 +123,142 @@ NULL, help_filter, NULL }; @@ -88,6 +99,8 @@ v3: + off = strtol (value, &p, 10); + if (*p == '+') + sz = strtol (p+1, &p, 10); ++ else ++ return 0; + + if (*p == '\0') + { @@ -190,7 +203,7 @@ v3: static grub_envblk_t open_envblk_file (const char *name) { -@@ -182,10 +319,17 @@ +@@ -182,10 +321,17 @@ list_variables (const char *name) { grub_envblk_t envblk; @@ -208,7 +221,7 @@ v3: } static void -@@ -209,6 +353,38 @@ +@@ -209,6 +355,38 @@ } static void @@ -247,7 +260,7 @@ v3: set_variables (const char *name, int argc, char *argv[]) { grub_envblk_t envblk; -@@ -224,8 +400,27 @@ +@@ -224,8 +402,27 @@ *(p++) = 0; @@ -277,7 +290,7 @@ v3: argc--; argv++; -@@ -233,26 +428,158 @@ +@@ -233,26 +430,158 @@ write_envblk (name, envblk); grub_envblk_close (envblk); @@ -315,8 +328,8 @@ v3: + write_envblk_fs (envblk_fs); + grub_envblk_close (envblk_fs); + } -+} -+ + } + +int have_abstraction = 0; +static void +probe_abstraction (grub_disk_t disk) @@ -329,8 +342,8 @@ v3: + { + have_abstraction = 1; + } - } - ++} ++ +static fs_envblk_t +probe_fs_envblk (fs_envblk_spec_t spec) +{ @@ -436,7 +449,7 @@ v3: int main (int argc, char *argv[]) { -@@ -284,6 +611,9 @@ +@@ -284,6 +613,9 @@ command = argv[curindex++]; } diff --git a/grub2-pass-corret-root-for-nfsroot.patch b/grub2-pass-corret-root-for-nfsroot.patch index d6cbc07..4fbd050 100644 --- a/grub2-pass-corret-root-for-nfsroot.patch +++ b/grub2-pass-corret-root-for-nfsroot.patch @@ -13,6 +13,7 @@ grub2-probe not work in probing nfs mounted path. The fix is merely on the script level and not use grub2-probe for above reasons. v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094) +v3: Fix the wrong order of GRUB_FS/GRUB_DEVICE (bsc#1221904) --- util/grub-mkconfig.in | 37 ++++++++++++++++++++++++++++++------- @@ -20,7 +21,7 @@ v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094) --- a/util/grub-mkconfig.in +++ b/util/grub-mkconfig.in -@@ -131,26 +131,54 @@ +@@ -131,26 +131,55 @@ exit 1 fi @@ -65,16 +66,17 @@ v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094) + GRUB_DEVICE_PARTUUID="" + GRUB_FS="unknown" +else ++ # Device containing our userland. Typically used for root= parameter. ++ GRUB_DEVICE="`${grub_probe} --target=device /`" + # Filesystem for the device containing our userland. Used for stuff like + # choosing Hurd filesystem module. + GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`" -+ # Device containing our userland. Typically used for root= parameter. -+ GRUB_DEVICE="`${grub_probe} --target=device /`" + GRUB_DEVICE_UUID="`${grub_probe} --device ${GRUB_DEVICE} --target=fs_uuid 2> /dev/null`" || true + GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2> /dev/null`" || true +fi -if [ x"$GRUB_FS" = xunknown ]; then ++# Strive to circumvent grub to enable unsupported filesystem, for eg, nfsroot +if [ x"$GRUB_FS" = x ] || [ x"$GRUB_FS" = xunknown ]; then GRUB_FS="$(stat -f -c %T / || echo unknown)" fi diff --git a/grub2-s390x-set-hostonly.patch b/grub2-s390x-set-hostonly.patch new file mode 100644 index 0000000..63b5679 --- /dev/null +++ b/grub2-s390x-set-hostonly.patch @@ -0,0 +1,52 @@ +diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in +index f4f997100..46b902209 100644 +--- a/util/s390x/zipl2grub.pl.in ++++ b/util/s390x/zipl2grub.pl.in +@@ -15,6 +15,7 @@ my $zipldir = ""; + my $running = ""; + my $refresh = 1; # needs to default to "on" until most bugs are shaken out! + my $force = 0; ++my $hostonly = 1; + my $verbose = 0; + my $debug = 0; + my $miss = 0; +@@ -114,8 +115,13 @@ sub BootCopy($$$$) { + } + sub MkInitrd($$$) { + my( $initrd, $dir, $version) = @_; +- my @C = ( "dracut", "--hostonly", "--force"); ++ my @C = ( "dracut", "--force"); + my $uuid; ++ if ($hostonly) { ++ push @C, "--hostonly"; ++ } else { ++ push @C, "--no-hostonly"; ++ } + push @C, "--quiet" unless ($verbose > 1); + if ( exists( $fsdev{"/boot"}) ) { + chomp( $uuid = qx{grub2-probe --target=fs_uuid /boot}); +@@ -368,6 +374,24 @@ foreach ("GRUB_EMU_CONMODE", "GRUB_CONMODE") { + $C{$_} = "conmode=" . $C{$_}; + } + ++if ( !exists( $C{SUSE_S390_DRACUT_HOSTONLY}) || $C{SUSE_S390_DRACUT_HOSTONLY} eq "auto" ) { ++ # Auto-detection mode ++ # ++ # Check if the root block device of the root partition is a loop device. ++ # If yes, it is the image building system, e.g. kiwi. Then, set 'hostonly' to 0. ++ my ( $dev, $lsblk ); ++ ++ chomp( $dev = qx{grub2-probe -t device /}); ++ if ($dev) { ++ chomp( $lsblk = qx{lsblk -snrp -o NAME $dev}); ++ $hostonly = 0 if ( $lsblk =~ m{\/loop} ); ++ } ++} elsif ( $C{SUSE_S390_DRACUT_HOSTONLY} =~ m{^(no|false|0)$} ) { ++ $hostonly = 0; ++} else { ++ $hostonly = 1; ++} ++ + if ( $debug && $verbose > 2 ) { + foreach ( sort( keys( %C)) ) { + printf( "%s=\"%s\"\n", $_, $C{$_}); diff --git a/grub2-xen-pv-firmware.cfg b/grub2-xen-pv-firmware.cfg index 3041dad..71a3599 100644 --- a/grub2-xen-pv-firmware.cfg +++ b/grub2-xen-pv-firmware.cfg @@ -69,6 +69,9 @@ for c in ${hdcfg_list}; do btrfs_relative_path=1 if search -s hddev -f "${c}"; then btrfs_relative_path=0 + if [ "${hddev}" = "memdisk" ]; then + break + fi menuentry "${hddev} Boot From Hard Disk (${c})" "${hddev}" "${c}" { set root="${2}" set cfg="${3}" @@ -88,6 +91,9 @@ for c in ${hdlst_list}; do btrfs_relative_path=1 if search -s hddev -f "${c}"; then btrfs_relative_path=0 + if [ "${hddev}" = "memdisk" ]; then + break + fi menuentry "${hddev} Boot From Hard Disk (${c})" "${hddev}" "${c}" { set root="${2}" set cfg="${3}" diff --git a/grub2.changes b/grub2.changes index d8bd6cd..97361ea 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,12 +1,38 @@ ------------------------------------------------------------------- -Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin +Fri Aug 2 08:44:40 UTC 2024 - Michael Chang -- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch - to implement a blocklist in the key protector and check the - unwanted UEFI variables (bsc#1220338) +- Fix btrfs subvolume for platform modules not mounting at runtime when the + default subvolume is the topmost root tree (bsc#1228124) + * grub2-btrfs-06-subvol-mount.patch +- Rediff + * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch ------------------------------------------------------------------- -Tue Mar 5 06:53:25 UTC 2024 - Michael Chang +Fri Aug 2 02:22:21 UTC 2024 - Gary Ching-Pang Lin + +- Switch to '--no-hostonly' when creating the ZIPL initrd in the + KIWI build environment to avoid some potential issues due to the + missing modules + * grub2-s390x-set-hostonly.patch + +------------------------------------------------------------------- +Fri Jul 19 09:59:15 UTC 2024 - Michael Chang + +- Fix error in grub-install when root is on tmpfs (bsc#1226100) + * 0001-grub-install-bailout-root-device-probing.patch +- Fix incorrect Platform tag in rpm header (bsc#1217967) + +------------------------------------------------------------------- +Fri Jul 5 12:23:06 UTC 2024 - Michael Chang + +- Fix error if dash shell script is used (bsc#1226453) + * 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch + * 0009-10_linux-Some-refinement-for-BLS.patch +- Fix input handling in ppc64le grub2 has high latency (bsc#1223535) + * 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch + +------------------------------------------------------------------- +Fri Jun 7 02:13:08 UTC 2024 - Michael Chang - Add blscfg support * 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch @@ -19,6 +45,105 @@ Tue Mar 5 06:53:25 UTC 2024 - Michael Chang * 0008-blscfg-reading-bls-fragments-if-boot-present.patch * 0009-10_linux-Some-refinement-for-BLS.patch +------------------------------------------------------------------- +Mon May 20 07:22:09 UTC 2024 - Gary Ching-Pang Lin + +- Only enable grub-protect for EFI systems + * 0001-util-enable-grub-protect-only-for-EFI-systems.patch + +------------------------------------------------------------------- +Wed May 15 06:19:54 UTC 2024 - Gary Ching-Pang Lin + +- Update to the latest upstreaming TPM2 patches + * 0001-key_protector-Add-key-protectors-framework.patch + - Replace 0001-protectors-Add-key-protectors-framework.patch + * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch + - Merge other TSS patches + * 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch + * 0002-tpm2-Add-more-marshal-unmarshal-functions.patch + * 0003-tpm2-Implement-more-TPM2-commands.patch + * 0003-key_protector-Add-TPM2-Key-Protector.patch + - Replace 0003-protectors-Add-TPM2-Key-Protector.patch + * 0004-cryptodisk-Support-key-protectors.patch + * 0005-util-grub-protect-Add-new-tool.patch + * 0001-tpm2-Support-authorized-policy.patch + - Replace 0004-tpm2-Support-authorized-policy.patch + * 0001-tpm2-Add-extra-RSA-SRK-types.patch + * 0001-tpm2-Implement-NV-index.patch + - Replace 0001-protectors-Implement-NV-index.patch + * 0002-cryptodisk-Fallback-to-passphrase.patch + * 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch + * 0004-diskfilter-look-up-cryptodisk-devices-first.patch +- Refresh affected patches + * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch + * grub2-bsc1220338-key_protector-implement-the-blocklist.patch +- New manpage for grub2-protect + +------------------------------------------------------------------- +Wed May 15 00:46:14 UTC 2024 - Michael Chang + +- Fix error in /etc/grub.d/20_linux_xen: file_is_not_sym not found, renamed to + file_is_not_xen_garbage (bsc#1224226) + * grub2-fix-menu-in-xen-host-server.patch + +------------------------------------------------------------------- +Thu May 2 07:48:30 UTC 2024 - Michael Chang + +- Fix gcc error with CFLAGS=-Og + * grub2-grubenv-in-btrfs-header.patch + +------------------------------------------------------------------- +Fri Apr 19 21:50:53 UTC 2024 - Giacomo Comes + +- remove deprecated file 20_memtest86+ + * a similar file is provided by the package memtest86+ + +------------------------------------------------------------------- +Thu Apr 11 02:55:05 UTC 2024 - Gary Ching-Pang Lin + +- Fix the compatibility issue with bash-completion 2.12 + (bsc#1221849) + * 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch + +------------------------------------------------------------------- +Fri Mar 29 01:58:00 UTC 2024 - Michael Chang + +- Fix os name is used for root file system mount (bsc#1220949) + * 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch + +------------------------------------------------------------------- +Wed Mar 27 04:51:33 UTC 2024 - Michael Chang + +- Fix LPAR falls into grub shell after installation with lvm (bsc#1221866) + * 0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch + +------------------------------------------------------------------- +Mon Mar 25 02:20:38 UTC 2024 - Michael Chang + +- Correct the erroneous sequence in determining GRUB_FS and GRUB_DEVICE + (bsc#1221904) + * grub2-pass-corret-root-for-nfsroot.patch + +------------------------------------------------------------------- +Fri Mar 22 06:01:13 UTC 2024 - Michael Chang + +- Fix memdisk becomes the default boot entry, resolving no graphic display + device error in guest vnc console (bsc#1221779) + * grub2-xen-pv-firmware.cfg + +------------------------------------------------------------------- +Wed Mar 20 06:16:45 UTC 2024 - Michael Chang + +- Cleanup spec file to adhere to update-bootloader-rpm-macros definition + entirely (bsc#1218241) + +------------------------------------------------------------------- +Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin + +- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch + to implement a blocklist in the key protector and check the + unwanted UEFI variables (bsc#1220338) + ------------------------------------------------------------------- Mon Mar 4 08:57:36 UTC 2024 - Gary Ching-Pang Lin diff --git a/grub2.spec b/grub2.spec index 1cf83c3..2ca9eaf 100644 --- a/grub2.spec +++ b/grub2.spec @@ -177,7 +177,6 @@ Source1: 90_persistent Source2: grub.default Source4: grub2.rpmlintrc Source6: grub2-once -Source7: 20_memtest86+ Source8: README.ibm3215 Source10: openSUSE-UEFI-CA-Certificate.crt Source11: SLES-UEFI-CA-Certificate.crt @@ -339,9 +338,9 @@ Patch146: 0001-install-fix-software-raid1-on-esp.patch Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch -Patch150: 0001-protectors-Add-key-protectors-framework.patch +Patch150: 0001-key_protector-Add-key-protectors-framework.patch Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch -Patch152: 0003-protectors-Add-TPM2-Key-Protector.patch +Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch Patch153: 0004-cryptodisk-Support-key-protectors.patch Patch154: 0005-util-grub-protect-Add-new-tool.patch Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch @@ -359,10 +358,8 @@ Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch Patch167: grub2-increase-crypttab-path-buffer.patch Patch168: 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch Patch169: 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch -Patch170: 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch -Patch171: 0002-tpm2-Add-more-marshal-unmarshal-functions.patch -Patch172: 0003-tpm2-Implement-more-TPM2-commands.patch -Patch173: 0004-tpm2-Support-authorized-policy.patch +Patch170: 0001-tpm2-Support-authorized-policy.patch +Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch Patch176: 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch @@ -373,7 +370,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch Patch183: grub2-change-bash-completion-dir.patch -Patch184: 0001-protectors-Implement-NV-index.patch +Patch184: 0001-tpm2-Implement-NV-index.patch Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch @@ -393,16 +390,22 @@ Patch199: 0001-squash-ieee1275-ofpath-enable-NVMeoF-logical-device-.patch Patch200: 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch Patch201: 0002-ofdisk-add-early_log-support.patch Patch202: 0001-disk-Optimize-disk-iteration-by-moving-memdisk-to-th.patch -Patch203: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch -Patch204: 0002-Add-BLS-support-to-grub-mkconfig.patch -Patch205: 0003-Add-grub2-switch-to-blscfg.patch -Patch206: 0004-blscfg-Don-t-root-device-in-emu-builds.patch -Patch207: 0005-blscfg-check-for-mounted-boot-in-emu.patch -Patch208: 0006-Follow-the-device-where-blscfg-is-discovered.patch -Patch209: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch -Patch210: 0008-blscfg-reading-bls-fragments-if-boot-present.patch -Patch211: 0009-10_linux-Some-refinement-for-BLS.patch -Patch212: grub2-bsc1220338-key_protector-implement-the-blocklist.patch +Patch203: grub2-bsc1220338-key_protector-implement-the-blocklist.patch +Patch204: 0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch +Patch205: 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch +Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch +Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch +Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch +Patch209: 0002-Add-BLS-support-to-grub-mkconfig.patch +Patch210: 0003-Add-grub2-switch-to-blscfg.patch +Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch +Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch +Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch +Patch214: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch +Patch215: 0008-blscfg-reading-bls-fragments-if-boot-present.patch +Patch216: 0009-10_linux-Some-refinement-for-BLS.patch +Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch +Patch218: grub2-s390x-set-hostonly.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 @@ -466,12 +469,7 @@ BuildArch: noarch %endif Requires: %{name} = %{version} Requires(post): %{name} = %{version} -%if 0%{?update_bootloader_requires:1} -%update_bootloader_requires -%else -Requires: perl-Bootloader -Requires(post): perl-Bootloader -%endif +%{?update_bootloader_requires} %description %{grubarch} The GRand Unified Bootloader (GRUB) is a highly configurable and customizable @@ -520,12 +518,7 @@ Requires: efibootmgr Requires(post): efibootmgr Requires: %{name} = %{version} Requires(post): %{name} = %{version} -%if 0%{?update_bootloader_requires:1} -%update_bootloader_requires -%else -Requires: perl-Bootloader >= 0.706 -Requires(post): perl-Bootloader >= 0.706 -%endif +%{?update_bootloader_requires} %{?fde_tpm_update_requires} Provides: %{name}-efi = %{version}-%{release} Obsoletes: %{name}-efi < %{version}-%{release} @@ -793,12 +786,6 @@ cd .. %if ! 0%{?only_efi:1} cd build -# 64-bit x86-64 machines use 32-bit boot loader -# (We cannot just redefine _target_cpu, as we'd get i386.rpm packages then) -%ifarch x86_64 -%define _target_platform i386-%{_vendor}-%{_target_os}%{?_gnu} -%endif - %if "%{platform}" != "emu" %define arch_specific --enable-device-mapper TLFLAGS="-static" @@ -1025,9 +1012,6 @@ find %{buildroot}/%{_datadir}/%{name} \ # Script that makes part of grub.cfg persist across updates install -m 755 %{SOURCE1} %{buildroot}/%{_sysconfdir}/grub.d/ -# Script to generate memtest86+ menu entry -install -m 644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/grub.d/ - # Ghost config file install -d %{buildroot}/boot/%{name} touch %{buildroot}/boot/%{name}/grub.cfg @@ -1053,10 +1037,6 @@ install -m 755 -D %{SOURCE19} %{buildroot}/%{_libexecdir}/grub2-instdev-fixup.pl %endif R="%{buildroot}" -%ifarch %{ix86} x86_64 -%else -rm -f $R%{_sysconfdir}/grub.d/20_memtest86+ -%endif %ifarch ppc ppc64 ppc64le rm -f $R%{_sysconfdir}/grub.d/95_textmode @@ -1130,51 +1110,7 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst %if ! 0%{?only_efi:1} %post %{grubarch} -%if 0%{?update_bootloader_check_type_reinit_post:1} -%update_bootloader_check_type_reinit_post grub2 -%else -# To check by current loader settings -if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then - . %{_sysconfdir}/sysconfig/bootloader -fi - -# If the grub is the current loader, we'll handle the grub2 testing entry -if [ "x${LOADER_TYPE}" = "xgrub" ]; then - - exec >/dev/null 2>&1 - - # check if entry for grub2's core.img exists in the config - # if yes, we will correct obsoleted path and update grub2 stuff and config to make it work - # if no, do nothing - if [ -f /boot/grub/menu.lst ]; then - - # If grub config contains obsolete core.img path, remove and use the new one - if /usr/bin/grep -l "^\s*kernel\s*.*/boot/%{name}/core.img" /boot/grub/menu.lst; then - /sbin/update-bootloader --remove --image /boot/%{name}/core.img || true - /sbin/update-bootloader --add --image /boot/%{name}/i386-pc/core.img --name "GNU GRUB 2" || true - fi - - # Install grub2 stuff and config to make the grub2 testing entry to work with updated version - if /usr/bin/grep -l "^\s*kernel\s*.*/boot/%{name}/i386-pc/core.img" /boot/grub/menu.lst; then - # Determine the partition with /boot - BOOT_PARTITION=$(df -h /boot | sed -n '2s/[[:blank:]].*//p') - # Generate core.img, but don't let it be installed in boot sector - %{name}-install --no-bootsector $BOOT_PARTITION || true - # Create a working grub2 config, otherwise that entry is un-bootable - /usr/sbin/grub2-mkconfig -o /boot/%{name}/grub.cfg - fi - fi - -elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then - - # It's enought to call update-bootloader to install grub2 and update it's config - # Use new --reinit, if not available use --refresh - # --reinit: install and update bootloader config - # --refresh: update bootloader config - /sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' && - /sbin/update-bootloader --refresh || true -fi -%endif +%{?update_bootloader_check_type_reinit_post:%update_bootloader_check_type_reinit_post grub2} %posttrans %{grubarch} %{?update_bootloader_posttrans} @@ -1188,38 +1124,7 @@ fi %fde_tpm_update_post grub2-efi %endif -%if 0%{?update_bootloader_check_type_reinit_post:1} -%update_bootloader_check_type_reinit_post grub2-efi -%else -# To check by current loader settings -if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then - . %{_sysconfdir}/sysconfig/bootloader -fi - -if [ "x${LOADER_TYPE}" = "xgrub2-efi" ]; then - - if [ -d /boot/%{name}-efi ]; then - # Migrate settings to standard prefix /boot/grub2 - for i in custom.cfg grubenv; do - [ -f /boot/%{name}-efi/$i ] && cp -a /boot/%{name}-efi/$i /boot/%{name} || : - done - - fi - - # It's enough to call update-bootloader to install grub2 and update it's config - # Use new --reinit, if not available use --refresh - # --reinit: install and update bootloader config - # --refresh: update bootloader config - /sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' && - /sbin/update-bootloader --refresh || true -fi - -if [ -d /boot/%{name}-efi ]; then - mv /boot/%{name}-efi /boot/%{name}-efi.rpmsave -fi - -exit 0 -%endif +%{?update_bootloader_check_type_reinit_post:%update_bootloader_check_type_reinit_post grub2-efi} %posttrans %{grubefiarch} %{?update_bootloader_posttrans} @@ -1229,40 +1134,6 @@ exit 0 %preun %service_del_preun grub2-once.service -# We did not add core.img to grub1 menu.lst in new update-bootloader macro as what -# the old %%post ever did, then the %%preun counterpart which removed the added core.img -# entry from old %%post can be skipped entirely if having new macro in use. -%if ! 0%{?update_bootloader_posttrans:1}%{?only_efi:1} -if [ $1 = 0 ]; then - # To check by current loader settings - if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then - . %{_sysconfdir}/sysconfig/bootloader - fi - - if [ "x${LOADER_TYPE}" = "xgrub" ]; then - - exec >/dev/null 2>&1 - - if [ -f /boot/grub/menu.lst ]; then - - # Remove grub2 testing entry in menu.lst if has any - for i in /boot/%{name}/core.img /boot/%{name}/i386-pc/core.img; do - if /usr/bin/grep -l "^\s*kernel\s*.*$i" /boot/grub/menu.lst; then - /sbin/update-bootloader --remove --image "$i" || true - fi - done - fi - - # Cleanup config, to not confuse some tools determining bootloader in use - rm -f /boot/%{name}/grub.cfg - - # Cleanup installed files - # Unless grub2 provides grub2-uninstall, we don't remove any file because - # we have no idea what's been installed. (And a blind remove is dangerous - # to remove user's or other package's file accidently ..) - fi -fi -%endif %postun %service_del_postun grub2-once.service @@ -1299,9 +1170,6 @@ fi %ifnarch ppc ppc64 ppc64le %config(noreplace) %{_sysconfdir}/grub.d/95_textmode %endif -%ifarch %{ix86} x86_64 -%config(noreplace) %{_sysconfdir}/grub.d/20_memtest86+ -%endif %ifarch ppc ppc64 ppc64le %config(noreplace) %{_sysconfdir}/grub.d/20_ppc_terminfo %endif @@ -1390,6 +1258,9 @@ fi %{_mandir}/man8/%{name}-ofpathname.8.* %{_mandir}/man8/%{name}-sparc64-setup.8.* %endif +%ifarch %{efi} +%{_mandir}/man1/%{name}-protect.1.* +%endif %files branding-upstream %defattr(-,root,root,-)