108 lines
3.7 KiB
Diff
108 lines
3.7 KiB
Diff
From 53c3dc557890466757090ee390a2c5d241e50483 Mon Sep 17 00:00:00 2001
|
|
From: Gary Lin <glin@suse.com>
|
|
Date: Thu, 25 Apr 2024 16:21:45 +0800
|
|
Subject: [PATCH] tpm2: Add extra RSA SRK types
|
|
|
|
Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
|
|
to support those parameters.
|
|
|
|
Also prevent RSA SRK type from being overwritten when 'rsaparent' is set
|
|
in the key file.
|
|
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
---
|
|
grub-core/commands/tpm2_key_protector/args.c | 10 ++++++++++
|
|
grub-core/commands/tpm2_key_protector/module.c | 18 +++++++++++++++---
|
|
util/grub-protect.c | 4 ++--
|
|
3 files changed, 27 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
|
|
index 48c39de01..5781a31f1 100644
|
|
--- a/grub-core/commands/tpm2_key_protector/args.c
|
|
+++ b/grub-core/commands/tpm2_key_protector/args.c
|
|
@@ -85,6 +85,16 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
|
srk_type->type = TPM_ALG_RSA;
|
|
srk_type->detail.rsa_bits = 2048;
|
|
}
|
|
+ else if (grub_strcasecmp (value, "RSA3072") == 0)
|
|
+ {
|
|
+ srk_type->type = TPM_ALG_RSA;
|
|
+ srk_type->detail.rsa_bits = 3072;
|
|
+ }
|
|
+ else if (grub_strcasecmp (value, "RSA4096") == 0)
|
|
+ {
|
|
+ srk_type->type = TPM_ALG_RSA;
|
|
+ srk_type->detail.rsa_bits = 4096;
|
|
+ }
|
|
else
|
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
|
|
|
|
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
|
index 74e79a545..1b2eb6b20 100644
|
|
--- a/grub-core/commands/tpm2_key_protector/module.c
|
|
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
|
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
|
|
.arg = NULL,
|
|
.type = ARG_TYPE_STRING,
|
|
.doc =
|
|
- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
|
|
- "(default: ECC)"),
|
|
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
|
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
|
},
|
|
/* NV Index-mode options */
|
|
{
|
|
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
|
return "ECC_NIST_P256";
|
|
else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
|
|
return "RSA2048";
|
|
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
|
|
+ return "RSA3072";
|
|
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
|
|
+ return "RSA4096";
|
|
|
|
return "Unknown";
|
|
}
|
|
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
|
|
.type = TPM_ALG_ECC,
|
|
.detail.ecc_curve = TPM_ECC_NIST_P256,
|
|
},
|
|
+ {
|
|
+ .type = TPM_ALG_RSA,
|
|
+ .detail.rsa_bits = 4096,
|
|
+ },
|
|
+ {
|
|
+ .type = TPM_ALG_RSA,
|
|
+ .detail.rsa_bits = 3072,
|
|
+ },
|
|
{
|
|
.type = TPM_ALG_RSA,
|
|
.detail.rsa_bits = 2048,
|
|
@@ -882,7 +894,7 @@ tpm2_protector_srk_recover (const tpm2_protector_context_t *ctx,
|
|
if (err != GRUB_ERR_NONE)
|
|
goto exit1;
|
|
|
|
- if (rsaparent == 1)
|
|
+ if (rsaparent == 1 && ctx->srk_type.type != TPM_ALG_RSA)
|
|
{
|
|
tpm2_protector_context_t *ctx_w;
|
|
|
|
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
|
index 5b7e952f4..f1108f2c5 100644
|
|
--- a/util/grub-protect.c
|
|
+++ b/util/grub-protect.c
|
|
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
|
|
.arg = "TYPE",
|
|
.flags = 0,
|
|
.doc =
|
|
- N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
|
- "(default: ECC)"),
|
|
+ N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
|
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
|
.group = 0
|
|
},
|
|
{
|
|
--
|
|
2.43.0
|
|
|