From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types

Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has to support those parameters.

Signed-off-by: Gary Lin
---
 grub-core/commands/tpm2_key_protector/args.c | 12 ++++++++++++
 grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
 util/grub-protect.c | 4 ++--
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
index 48c39de01..b291793a7 100644
--- a/grub-core/commands/tpm2_key_protector/args.c
+++ b/grub-core/commands/tpm2_key_protector/args.c
@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
 srk_type->type = TPM_ALG_RSA;
 srk_type->detail.rsa_bits = 2048;
 }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 4096;
+ }
 else
 return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 74e79a545..ee16d7f15 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
 .arg = NULL,
 .type = ARG_TYPE_STRING,
 .doc =
- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
- "(default: ECC)"),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
 },
 /* NV Index-mode options */
 {
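Review bot: In grub_tpm2_protector_parse_asymmetric (args.c), both new branches repeat `grub_strcasecmp (value, "RSA") == 0 ||`, which looks copy-pasted from the RSA2048 branch. The help text in this patch documents `RSA` as an alias for RSA2048, and the preceding branch (its condition is outside the hunk) presumably already matches that name, so these comparisons can never be true. They are also a trap: if the branches were ever reordered, a bare `RSA` would silently select a different key size, and the derived SRK would no longer match keys sealed earlier. Each condition should test only its own name: `else if (grub_strcasecmp (value, "RSA3072") == 0)` and `else if (grub_strcasecmp (value, "RSA4096") == 0)`.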
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
 return "ECC_NIST_P256";
 else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
 return "RSA2048";
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
+ return "RSA3072";
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
+ return "RSA4096";
 return "Unknown";
 }
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
 .type = TPM_ALG_ECC,
 .detail.ecc_curve = TPM_ECC_NIST_P256,
 },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 4096,
+ },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 3072,
+ },
 {
 .type = TPM_ALG_RSA,
 .detail.rsa_bits = 2048,
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 5b7e952f4..f1108f2c5 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
 .arg = "TYPE",
 .flags = 0,
 .doc =
- N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
- "(default: ECC)"),
+ N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
 .group = 0
 },
 {
-- 
2.43.0
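Review bot: In tpm2_protector_load_key (module.c), the RSA4096 and RSA3072 entries are inserted ahead of the existing RSA2048 entry with no comment explaining the resulting order. If this table is walked in order as the list of SRK types to try (the array declaration and the code that consumes it are outside the hunk), a key sealed under an RSA2048 SRK now waits behind two larger RSA primary-key derivations. A TPM that does not implement those sizes must also fail cleanly for the walk to reach the next entry. Once the intent is confirmed, record it on the table, for example `/* Tried in order; an unsupported size must fail and fall through to the next entry */`, or keep RSA2048 ahead of the new entries.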