- Update the TPM2 patches to the upstream final version

* Update 0001-key_protector-Add-key-protectors-framework.patch
  * Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
    grub2-add-tss2-support.patch
  * Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
    0001-key_protector-Add-TPM2-Key-Protector.patch
  * Replace 0005-util-grub-protect-Add-new-tool.patch with
    0001-util-grub-protect-Add-new-tool.patch
  * Replace 0001-tpm2-Implement-NV-index.patch with
    0001-tpm2_key_protector-Implement-NV-index.patch
  * Replace 0001-tpm2-Support-authorized-policy.patch with
    0001-tpm2_key_protector-Support-authorized-policy.patch
- Refresh the TPM2 related patches
  * grub-read-pcr.patch
  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
  * safe_tpm_pcr_snapshot.patch
  * tpm-record-pcrs.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=525

0001-key_protector-Add-key-protectors-framework.patch

@@ -1,7 +1,7 @@
-From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
+From 1bc53f8fc980914132040670b85a010e094559ec Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hegatta@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:53 -0800
-Subject: [PATCH 1/5] key_protector: Add key protectors framework
+Subject: [PATCH] key_protector: Add key protectors framework
 
 A key protector encapsulates functionality to retrieve an unlocking key
 for a fully-encrypted disk from a specific source. A key protector
@@ -19,17 +19,18 @@ Cc: Vladimir Serbinenko <phcoder@gmail.com>
 Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
 Signed-off-by: Gary Lin <glin@suse.com>
 Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
  grub-core/Makefile.am          |  1 +
  grub-core/Makefile.core.def    |  5 +++
- grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
- include/grub/key_protector.h   | 46 ++++++++++++++++++++
- 4 files changed, 130 insertions(+)
+ grub-core/disk/key_protector.c | 73 ++++++++++++++++++++++++++++++++++
+ include/grub/key_protector.h   | 47 ++++++++++++++++++++++
+ 4 files changed, 126 insertions(+)
  create mode 100644 grub-core/disk/key_protector.c
  create mode 100644 include/grub/key_protector.h
 
 diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
-index f18550c1c..9d3d5f519 100644
+index 1eda467e0..e50db8106 100644
 --- a/grub-core/Makefile.am
 +++ b/grub-core/Makefile.am
 @@ -90,6 +90,7 @@ endif
@@ -41,10 +42,10 @@ index f18550c1c..9d3d5f519 100644
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index bc893e547..4307b8e2d 100644
+index a38955e18..37f131ae2 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -1302,6 +1302,11 @@ module = {
+@@ -1282,6 +1282,11 @@ module = {
    common = disk/raid6_recover.c;
  };
  
@@ -58,13 +59,14 @@ index bc893e547..4307b8e2d 100644
    common = disk/scsi.c;
 diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
 new file mode 100644
-index 000000000..b84afe1c7
+index 000000000..0d146c1c0
 --- /dev/null
 +++ b/grub-core/disk/key_protector.c
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,73 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
++ *  Copyright (C) 2024 Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
@@ -93,16 +95,14 @@ index 000000000..b84afe1c7
 +grub_err_t
 +grub_key_protector_register (struct grub_key_protector *protector)
 +{
-+  if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (protector == NULL || protector->name == NULL || protector->name[0] == '\0')
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for registration");
 +
-+  if (grub_key_protectors &&
-+      grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+			    protector->name))
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (grub_key_protectors != NULL &&
++      grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector->name) != NULL)
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Key protector '%s' already registered", protector->name);
 +
-+  grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
-+		  GRUB_AS_LIST (protector));
++  grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), GRUB_AS_LIST (protector));
 +
 +  return GRUB_ERR_NONE;
 +}
@@ -111,7 +111,7 @@ index 000000000..b84afe1c7
 +grub_key_protector_unregister (struct grub_key_protector *protector)
 +{
 +  if (protector == NULL)
-+    return GRUB_ERR_BAD_ARGUMENT;
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for unregistration");
 +
 +  grub_list_remove (GRUB_AS_LIST (protector));
 +
@@ -125,30 +125,27 @@ index 000000000..b84afe1c7
 +  struct grub_key_protector *kp = NULL;
 +
 +  if (grub_key_protectors == NULL)
-+    return GRUB_ERR_OUT_OF_RANGE;
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
 +
-+  if (protector == NULL || grub_strlen (protector) == 0)
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (protector == NULL || protector[0] == '\0')
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector");
 +
-+  kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+			     protector);
++  kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector);
 +  if (kp == NULL)
-+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
-+		       N_("A key protector with name '%s' could not be found. "
-+			  "Is the name spelled correctly and is the "
-+			  "corresponding module loaded?"), protector);
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
 +
 +  return kp->recover_key (key, key_size);
 +}
 diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
 new file mode 100644
-index 000000000..6e6a6fb24
+index 000000000..00b15c13d
 --- /dev/null
 +++ b/include/grub/key_protector.h
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,47 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
++ *  Copyright (C) 2024 Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
@@ -193,5 +190,5 @@ index 000000000..6e6a6fb24
 +
 +#endif /* ! GRUB_PROTECTOR_HEADER */
 -- 
-2.35.3
+2.43.0
 

0001-tpm2-Add-extra-RSA-SRK-types.patch

@@ -1,4 +1,4 @@
-From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
+From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Thu, 25 Apr 2024 16:21:45 +0800
 Subject: [PATCH] tpm2: Add extra RSA SRK types
@@ -8,16 +8,16 @@ to support those parameters.
 
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
- grub-core/tpm2/args.c   | 12 ++++++++++++
- grub-core/tpm2/module.c | 16 ++++++++++++++--
- util/grub-protect.c     |  4 ++--
+ grub-core/commands/tpm2_key_protector/args.c   | 12 ++++++++++++
+ grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
+ util/grub-protect.c                            |  4 ++--
  3 files changed, 28 insertions(+), 4 deletions(-)
 
-diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
-index c11280ab9..d140364d2 100644
---- a/grub-core/tpm2/args.c
-+++ b/grub-core/tpm2/args.c
-@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
+diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
+index 48c39de01..b291793a7 100644
+--- a/grub-core/commands/tpm2_key_protector/args.c
++++ b/grub-core/commands/tpm2_key_protector/args.c
+@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
        srk_type->type = TPM_ALG_RSA;
        srk_type->detail.rsa_bits = 2048;
      }
@@ -34,13 +34,13 @@ index c11280ab9..d140364d2 100644
 +      srk_type->detail.rsa_bits = 4096;
 +    }
    else
-     return grub_error (GRUB_ERR_OUT_OF_RANGE,
- 		       N_("Value '%s' is not a valid asymmetric key type"),
-diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index b754b38df..8b72ed6fa 100644
---- a/grub-core/tpm2/module.c
-+++ b/grub-core/tpm2/module.c
-@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
+ 
+diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
+index 74e79a545..ee16d7f15 100644
+--- a/grub-core/commands/tpm2_key_protector/module.c
++++ b/grub-core/commands/tpm2_key_protector/module.c
+@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
        .arg      = NULL,
        .type     = ARG_TYPE_STRING,
        .doc      =
@@ -51,18 +51,18 @@ index b754b38df..8b72ed6fa 100644
      },
      /* NV Index-mode options */
      {
-@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
- 	{
- 	  case 2048:
- 	    return "RSA2048";
-+	  case 3072:
-+	    return "RSA3072";
-+	  case 4096:
-+	    return "RSA4096";
- 	}
-    }
+@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
+     return "ECC_NIST_P256";
+   else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
+     return "RSA2048";
++  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
++    return "RSA3072";
++  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
++    return "RSA4096";
  
-@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
+   return "Unknown";
+ }
+@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
        .type = TPM_ALG_ECC,
        .detail.ecc_curve = TPM_ECC_NIST_P256,
      },
@@ -78,20 +78,20 @@ index b754b38df..8b72ed6fa 100644
        .type = TPM_ALG_RSA,
        .detail.rsa_bits = 2048,
 diff --git a/util/grub-protect.c b/util/grub-protect.c
-index 869f45861..00be03ca0 100644
+index 5b7e952f4..f1108f2c5 100644
 --- a/util/grub-protect.c
 +++ b/util/grub-protect.c
-@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
+@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
        .arg   = "TYPE",
        .flags = 0,
        .doc   =
--	N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
+-	N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
 -	   "(default: ECC)"),
-+	N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
++	N_("Set the type of SRK: RSA (RSA2048),  RSA3072, RSA4096, "
 +	   "and ECC (ECC_NIST_P256). (default: ECC)"),
        .group = 0
      },
      {
 -- 
-2.35.3
+2.43.0
 

0001-tpm2-Support-authorized-policy.patch

@@ -1,171 +0,0 @@
-From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Thu, 6 Apr 2023 16:00:25 +0800
-Subject: [PATCH] tpm2: Support authorized policy
-
-This commit handles the TPM2_PolicyAuthorize command from the key file
-in TPM 2.0 Key File format.
-
-TPM2_PolicyAuthorize is the essential command to support authorized
-policy which allows the users to sign TPM policies with their own keys.
-Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
-comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
-'TPMT_SIGNATURE signature'. To verify the signature, the current policy
-digest is hashed with the hash algorithm written in 'signature', and then
-'signature' is verified with the hashed policy digest and 'pubkey'. Once
-TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
-signed policy.
-
-To create the key file with authorized policy, here are the pcr-oracle(*2)
-commands:
-
-  # Generate the RSA key and create the authorized policy file
-  $ pcr-oracle \
-	--rsa-generate-key \
-	--private-key policy-key.pem \
-	--auth authorized.policy \
-	create-authorized-policy 0,2,4,7,9
-
-  # Seal the secret with the authorized policy
-  $ pcr-oracle \
-	--key-format tpm2.0 \
-	--auth authorized.policy \
-	--input disk-secret.txt \
-	--output sealed.key \
-	seal-secret
-
-  # Sign the predicted PCR policy
-  $ pcr-oracle \
-	--key-format tpm2.0 \
-	--private-key policy-key.pem \
-	--from eventlog \
-	--stop-event "grub-file=grub.cfg" \
-	--after \
-	--input sealed.key \
-	--output sealed.tpm \
-	sign 0,2,4,7,9
-
-Then specify the key file and the key protector to grub.cfg in the EFI
-system partition:
-
-tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
-cryptomount -u <PART_UUID> -P tpm2
-
-For any change in the boot components, just run the 'sign' command again
-to update the signature in sealed.tpm, and TPM can unseal the key file
-with the updated PCR policy.
-
-(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
-(*2) https://github.com/okirch/pcr-oracle
-
-Signed-off-by: Gary Lin <glin@suse.com>
-Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
----
- grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 84 insertions(+)
-
-diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index 3db25ceca..e83b02865 100644
---- a/grub-core/tpm2/module.c
-+++ b/grub-core/tpm2/module.c
-@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
-   return GRUB_ERR_NONE;
- }
- 
-+static grub_err_t
-+grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session,
-+				     struct grub_tpm2_buffer *cmd_buf)
-+{
-+  TPM2B_PUBLIC pubkey;
-+  TPM2B_DIGEST policy_ref;
-+  TPMT_SIGNATURE signature;
-+  TPM2B_DIGEST pcr_policy;
-+  TPM2B_DIGEST pcr_policy_hash;
-+  TPMI_ALG_HASH sig_hash;
-+  TPMT_TK_VERIFIED verification_ticket;
-+  TPM_HANDLE pubkey_handle = 0;
-+  TPM2B_NAME pubname;
-+  TPM_RC rc;
-+  grub_err_t err;
-+
-+  grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
-+  grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
-+  grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
-+  if (cmd_buf->error != 0)
-+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
-+		       N_("Failed to unmarshal the buffer for TPM2_PolicyAuthorize"));
-+
-+  /* Retrieve Policy Digest */
-+  rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
-+  if (rc != TPM_RC_SUCCESS)
-+    return grub_error (GRUB_ERR_BAD_DEVICE,
-+		       N_("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x)."),
-+		       rc);
-+
-+  /* Calculate the digest of the polcy for VerifySignature */
-+  sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
-+  if (sig_hash == TPM_ALG_NULL)
-+    return grub_error (GRUB_ERR_BAD_ARGUMENT,
-+		       N_("Failed to get the hash algorithm of the signature"));
-+
-+  rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
-+		  TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
-+  if (rc != TPM_RC_SUCCESS)
-+    return grub_error (GRUB_ERR_BAD_DEVICE,
-+		       N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
-+		       rc);
-+
-+  /* Load the public key */
-+  rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
-+			  &pubkey_handle, &pubname, NULL);
-+  if (rc != TPM_RC_SUCCESS)
-+    return grub_error (GRUB_ERR_BAD_DEVICE,
-+		       N_("Failed to load public key (TPM2_LoadExternal: 0x%x)"),
-+		       rc);
-+
-+  /* Verify the signature against the public key and the policy digest */
-+  rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
-+			     &verification_ticket, NULL);
-+  if (rc != TPM_RC_SUCCESS)
-+    {
-+      err = grub_error (GRUB_ERR_BAD_DEVICE,
-+			N_("Failed to verify signature (TPM2_VerifySignature: 0x%x)"),
-+			rc);
-+      goto error;
-+    }
-+
-+  /* Authorize the signed policy with the public key and the verification ticket */
-+  rc = TPM2_PolicyAuthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
-+			     &verification_ticket, NULL);
-+  if (rc != TPM_RC_SUCCESS)
-+    {
-+      err = grub_error (GRUB_ERR_BAD_DEVICE,
-+			N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)"),
-+			rc);
-+      goto error;
-+    }
-+
-+  err = GRUB_ERR_NONE;
-+
-+error:
-+  TPM2_FlushContext (pubkey_handle);
-+
-+  return err;
-+}
-+
- static grub_err_t
- grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
- {
-@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
-     case TPM_CC_PolicyPCR:
-       err = grub_tpm2_protector_policypcr (session, &buf);
-       break;
-+    case TPM_CC_PolicyAuthorize:
-+      err = grub_tpm2_protector_policyauthorize (session, &buf);
-+      break;
-     default:
-       return grub_error (GRUB_ERR_BAD_ARGUMENT,
- 			 N_("Unknown TPM Command: 0x%x"), policy->cmd_code);
--- 
-2.35.3
-

0001-tpm2_key_protector-Implement-NV-index.patch

@@ -1,12 +1,12 @@
-From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
+From 53e24662523d033ae3506b73787b972ef332db36 Mon Sep 17 00:00:00 2001
 From: Patrick Colp <patrick.colp@oracle.com>
 Date: Mon, 31 Jul 2023 07:01:45 -0700
-Subject: [PATCH 1/4] tpm2: Implement NV index
+Subject: [PATCH] tpm2_key_protector: Implement NV index
 
 Currently with the TPM2 protector, only SRK mode is supported and
 NV index support is just a stub. Implement the NV index option.
 
-Note: This only extends support on the unseal path. grub2_protect
+Note: This only extends support on the unseal path. grub-protect
 has not been updated. tpm2-tools can be used to insert a key into
 the NV index.
 
@@ -36,41 +36,40 @@ Then to unseal the key in grub, add this to grub.cfg:
 Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
 Signed-off-by: Gary Lin <glin@suse.com>
 Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 ---
- grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
+ .../commands/tpm2_key_protector/module.c      | 23 +++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
 
-diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index e83b02865..b754b38df 100644
---- a/grub-core/tpm2/module.c
-+++ b/grub-core/tpm2/module.c
-@@ -1035,12 +1035,27 @@ static grub_err_t
- grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
- 				grub_uint8_t **key, grub_size_t *key_size)
+diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
+index 6b4b5d460..74e79a545 100644
+--- a/grub-core/commands/tpm2_key_protector/module.c
++++ b/grub-core/commands/tpm2_key_protector/module.c
+@@ -973,11 +973,26 @@ tpm2_protector_srk_recover (const tpm2_protector_context_t *ctx,
+ }
+ 
+ static grub_err_t
+-tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx __attribute__ ((unused)),
+-			   grub_uint8_t **key __attribute__ ((unused)),
+-			   grub_size_t *key_size __attribute__ ((unused)))
++tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx,
++			   grub_uint8_t **key, grub_size_t *key_size)
  {
--  (void)ctx;
--  (void)key;
--  (void)key_size;
-+  TPM_HANDLE sealed_handle = ctx->nv;
+-  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "NV Index mode is not implemented yet");
++  TPM_HANDLE_t sealed_handle = ctx->nv;
 +  tpm2key_policy_t policy_seq = NULL;
 +  grub_err_t err;
 +
 +  /* Create a basic policy sequence based on the given PCR selection */
-+  err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
++  err = tpm2_protector_simple_policy_seq (ctx, &policy_seq);
 +  if (err != GRUB_ERR_NONE)
 +    goto exit;
 +
-+  err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
++  err = tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
 +
-+  /* Pop error messages on success */
-+  if (err == GRUB_ERR_NONE)
-+    while (grub_error_pop ());
++ exit:
++  grub_tpm2_flushcontext (sealed_handle);
 +
-+exit:
-+  TPM2_FlushContext (sealed_handle);
- 
--  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
--		     N_("NV Index mode is not implemented yet"));
 +  grub_tpm2key_free_policy_seq (policy_seq);
 +
 +  return err;
@@ -78,5 +77,5 @@ index e83b02865..b754b38df 100644
  
  static grub_err_t
 -- 
-2.35.3
+2.43.0
 

0001-tpm2_key_protector-Support-authorized-policy.patch

@@ -0,0 +1,158 @@
+From 7ef1b9b357c803cb8e30bbbebd44494b2b5c9d09 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 6 Apr 2023 16:00:25 +0800
+Subject: [PATCH] tpm2_key_protector: Support authorized policy
+
+This commit handles the TPM2_PolicyAuthorize command from the key file
+in TPM 2.0 Key File format.
+
+TPM2_PolicyAuthorize is the essential command to support authorized
+policy which allows the users to sign TPM policies with their own keys.
+Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
+comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
+'TPMT_SIGNATURE signature'. To verify the signature, the current policy
+digest is hashed with the hash algorithm written in 'signature', and then
+'signature' is verified with the hashed policy digest and 'pubkey'. Once
+TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
+signed policy.
+
+To create the key file with authorized policy, here are the pcr-oracle(*2)
+commands:
+
+  # Generate the RSA key and create the authorized policy file
+  $ pcr-oracle \
+	--rsa-generate-key \
+	--private-key policy-key.pem \
+	--auth authorized.policy \
+	create-authorized-policy 0,2,4,7,9
+
+  # Seal the secret with the authorized policy
+  $ pcr-oracle \
+	--key-format tpm2.0 \
+	--auth authorized.policy \
+	--input disk-secret.txt \
+	--output sealed.key \
+	seal-secret
+
+  # Sign the predicted PCR policy
+  $ pcr-oracle \
+	--key-format tpm2.0 \
+	--private-key policy-key.pem \
+	--from eventlog \
+	--stop-event "grub-file=grub.cfg" \
+	--after \
+	--input sealed.key \
+	--output /boot/efi/efi/grub/sealed.tpm \
+	sign 0,2,4,7,9
+
+Then specify the key file and the key protector to grub.cfg in the EFI
+system partition:
+
+tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
+cryptomount -u <PART_UUID> -P tpm2
+
+For any change in the boot components, just run the 'sign' command again
+to update the signature in sealed.tpm, and TPM can unseal the key file
+with the updated PCR policy.
+
+(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
+(*2) https://github.com/okirch/pcr-oracle
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ .../commands/tpm2_key_protector/module.c      | 70 +++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
+index 70d4d0df7..6b4b5d460 100644
+--- a/grub-core/commands/tpm2_key_protector/module.c
++++ b/grub-core/commands/tpm2_key_protector/module.c
+@@ -618,6 +618,73 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffe
+   return GRUB_ERR_NONE;
+ }
+ 
++static grub_err_t
++tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffer *cmd_buf)
++{
++  TPM2B_PUBLIC_t pubkey;
++  TPM2B_DIGEST_t policy_ref;
++  TPMT_SIGNATURE_t signature;
++  TPM2B_DIGEST_t pcr_policy;
++  TPM2B_DIGEST_t pcr_policy_hash;
++  TPMI_ALG_HASH_t sig_hash;
++  TPMT_TK_VERIFIED_t verification_ticket;
++  TPM_HANDLE_t pubkey_handle = 0;
++  TPM2B_NAME_t pubname;
++  TPM_RC_t rc;
++  grub_err_t err;
++
++  grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
++  grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
++  grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
++  if (cmd_buf->error != 0)
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal the buffer for TPM2_PolicyAuthorize");
++
++  /* Retrieve Policy Digest */
++  rc = grub_tpm2_policygetdigest (session, NULL, &pcr_policy, NULL);
++  if (rc != TPM_RC_SUCCESS)
++    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).", rc);
++
++  /* Calculate the digest of the polcy for VerifySignature */
++  sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
++  if (sig_hash == TPM_ALG_NULL)
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to get the hash algorithm of the signature");
++
++  rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, sig_hash,
++		       TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
++  if (rc != TPM_RC_SUCCESS)
++    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to create PCR policy hash (TPM2_Hash: 0x%x)", rc);
++
++  /* Load the public key */
++  rc = grub_tpm2_loadexternal (NULL, NULL, &pubkey, TPM_RH_OWNER, &pubkey_handle, &pubname, NULL);
++  if (rc != TPM_RC_SUCCESS)
++    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to load public key (TPM2_LoadExternal: 0x%x)", rc);
++
++  /* Verify the signature against the public key and the policy digest */
++  rc = grub_tpm2_verifysignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
++				  &verification_ticket, NULL);
++  if (rc != TPM_RC_SUCCESS)
++    {
++      err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to verify signature (TPM2_VerifySignature: 0x%x)", rc);
++      goto error;
++    }
++
++  /* Authorize the signed policy with the public key and the verification ticket */
++  rc = grub_tpm2_policyauthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
++				  &verification_ticket, NULL);
++  if (rc != TPM_RC_SUCCESS)
++    {
++      err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)", rc);
++      goto error;
++    }
++
++  err = GRUB_ERR_NONE;
++
++ error:
++  grub_tpm2_flushcontext (pubkey_handle);
++
++  return err;
++}
++
+ static grub_err_t
+ tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t session)
+ {
+@@ -636,6 +703,9 @@ tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t s
+     case TPM_CC_PolicyPCR:
+       err = tpm2_protector_policypcr (session, &buf);
+       break;
++    case TPM_CC_PolicyAuthorize:
++      err = tpm2_protector_policyauthorize (session, &buf);
++      break;
+     default:
+       return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown TPM Command: 0x%x", policy->cmd_code);
+     }
+-- 
+2.43.0
+

grub-read-pcr.patch

@@ -1,5 +1,7 @@
---- a/include/grub/tpm.h
-+++ b/include/grub/tpm.h
+Index: grub-2.12/include/grub/tpm.h
+===================================================================
+--- grub-2.12.orig/include/grub/tpm.h
++++ grub-2.12/include/grub/tpm.h
 @@ -36,6 +36,12 @@
  
  #define EV_IPL 0x0d
@@ -13,7 +15,7 @@
  grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
  			     grub_uint8_t pcr, const char *description);
  int grub_tpm_present (void);
-@@ -45,5 +51,7 @@
+@@ -45,5 +51,7 @@ grub_is_tpm_fail_fatal (void)
  {
    return grub_env_get_bool ("tpm_fail_fatal", false);
  }
@@ -21,29 +23,32 @@
 +void grub_tpm_digest_free (struct grub_tpm_digest *d);
  
  #endif
---- a/grub-core/commands/efi/tpm.c
-+++ b/grub-core/commands/efi/tpm.c
-@@ -24,6 +24,7 @@
- #include <grub/efi/efi.h>
- #include <grub/efi/cc.h>
- #include <grub/efi/tpm.h>
-+#include <grub/tpm2/tpm2.h>
- #include <grub/mm.h>
+Index: grub-2.12/grub-core/commands/efi/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/efi/tpm.c
++++ grub-2.12/grub-core/commands/efi/tpm.c
+@@ -28,6 +28,8 @@
  #include <grub/tpm.h>
  #include <grub/term.h>
-@@ -186,6 +187,91 @@
+ 
++#include <tpm2_cmd.h>
++
+ typedef TCG_PCR_EVENT grub_tpm_event_t;
+ 
+ static grub_guid_t tpm_guid = EFI_TPM_GUID;
+@@ -186,6 +188,91 @@ grub_tpm1_log_event (grub_efi_handle_t t
    return grub_efi_log_event_status (status);
  }
  
 +static void
-+grub_tpm2_select_pcr(TPML_PCR_SELECTION *o, unsigned int pcrIndex, unsigned int algo)
++grub_tpm2_select_pcr (TPML_PCR_SELECTION_t *o, unsigned int pcrIndex, unsigned int algo)
 +{
-+  TPMS_PCR_SELECTION *pcr;
++  TPMS_PCR_SELECTION_t *pcr;
 +
 +  pcr = &o->pcrSelections[o->count++];
 +  pcr->hash = algo;
 +  pcr->sizeOfSelect = 3;
-+  pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
++  TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
 +}
 +
 +struct grub_tpm_hash_info {
@@ -77,10 +82,10 @@
 +grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct grub_tpm_digest **ret)
 +{
 +  const struct grub_tpm_hash_info *info;
-+  TPML_PCR_SELECTION inSelection, outSelection;
++  TPML_PCR_SELECTION_t inSelection, outSelection;
 +  grub_uint32_t pcrUpdateCounter;
-+  TPML_DIGEST digests = { 0 };
-+  TPM2B_DIGEST *d;
++  TPML_DIGEST_t digests = { 0 };
++  TPM2B_DIGEST_t *d;
 +  struct grub_tpm_digest *result;
 +  int rc;
 +
@@ -92,7 +97,7 @@
 +  grub_memset(&outSelection, 0, sizeof(outSelection));
 +  grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
 +
-+  rc = TPM2_PCR_Read(
++  rc = grub_tpm2_pcr_read(
 +      NULL,
 +      &inSelection,
 +      &pcrUpdateCounter,
@@ -123,7 +128,7 @@
  static grub_err_t
  grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
  		     grub_size_t size, grub_uint8_t pcr,
-@@ -323,3 +409,26 @@
+@@ -323,3 +410,26 @@ grub_tpm_present (void)
        return grub_tpm2_present (tpm);
      }
  }
@@ -150,16 +155,15 @@
 +
 +  return result;
 +}
---- a/include/grub/tpm2/tpm2.h
-+++ b/include/grub/tpm2/tpm2.h
-@@ -23,6 +23,10 @@
- #include <grub/tpm2/internal/structs.h>
- #include <grub/tpm2/internal/functions.h>
- 
-+/* Defined in: TCG TPM Specification, v1.59, Part 2, Section 10.6.1. */
-+#define TPM2_PCR_TO_SELECT(x)  ((x) / 8)
-+#define TPM2_PCR_TO_BIT(x)     (1 << ((x) % 8))
-+
- /* Well-Known Windows SRK handle */
- #define TPM2_SRK_HANDLE 0x81000001
+Index: grub-2.12/grub-core/Makefile.core.def
+===================================================================
+--- grub-2.12.orig/grub-core/Makefile.core.def
++++ grub-2.12/grub-core/Makefile.core.def
+@@ -2606,6 +2606,7 @@ module = {
+   common = commands/tpm.c;
+   efi = commands/efi/tpm.c;
+   enable = efi;
++  cppflags = '-I$(srcdir)/lib/tss2';
+ };
  
+ module = {

grub2-bsc1220338-key_protector-implement-the-blocklist.patch

@@ -1,4 +1,4 @@
-From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
+From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Mon, 18 Mar 2024 14:53:11 +0800
 Subject: [PATCH] key_protector: implement the blocklist
@@ -15,11 +15,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
  include/grub/efi/api.h         |  5 +++++
  2 files changed, 36 insertions(+)
 
-diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
-index b84afe1c7..3d630ca4f 100644
---- a/grub-core/disk/key_protector.c
-+++ b/grub-core/disk/key_protector.c
-@@ -24,6 +24,10 @@
+Index: grub-2.12/grub-core/disk/key_protector.c
+===================================================================
+--- grub-2.12.orig/grub-core/disk/key_protector.c
++++ grub-2.12/grub-core/disk/key_protector.c
+@@ -25,6 +25,10 @@
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
@@ -30,7 +30,7 @@ index b84afe1c7..3d630ca4f 100644
  struct grub_key_protector *grub_key_protectors = NULL;
  
  grub_err_t
-@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
+@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
    return GRUB_ERR_NONE;
  }
  
@@ -64,10 +64,10 @@ index b84afe1c7..3d630ca4f 100644
 +  grub_err_t err;
  
    if (grub_key_protectors == NULL)
-     return GRUB_ERR_OUT_OF_RANGE;
-@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
- 			  "Is the name spelled correctly and is the "
- 			  "corresponding module loaded?"), protector);
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
+@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
+   if (kp == NULL)
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
  
 +  err = grub_key_protector_check_blocklist ();
 +  if (err != GRUB_ERR_NONE)
@@ -75,10 +75,10 @@ index b84afe1c7..3d630ca4f 100644
 +
    return kp->recover_key (key, key_size);
  }
-diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
-index 7947cf592..975b90b09 100644
---- a/include/grub/efi/api.h
-+++ b/include/grub/efi/api.h
+Index: grub-2.12/include/grub/efi/api.h
+===================================================================
+--- grub-2.12.orig/include/grub/efi/api.h
++++ grub-2.12/include/grub/efi/api.h
 @@ -389,6 +389,11 @@
        { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
    }
@@ -91,6 +91,3 @@ index 7947cf592..975b90b09 100644
  struct grub_efi_sal_system_table
  {
    grub_uint32_t signature;
--- 
-2.35.3
-

grub2.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Tue Dec  3 07:18:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update the TPM2 patches to the upstream final version
+  * Update 0001-key_protector-Add-key-protectors-framework.patch
+  * Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
+    grub2-add-tss2-support.patch
+  * Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
+    0001-key_protector-Add-TPM2-Key-Protector.patch
+  * Replace 0005-util-grub-protect-Add-new-tool.patch with
+    0001-util-grub-protect-Add-new-tool.patch
+  * Replace 0001-tpm2-Implement-NV-index.patch with
+    0001-tpm2_key_protector-Implement-NV-index.patch
+  * Replace 0001-tpm2-Support-authorized-policy.patch with
+    0001-tpm2_key_protector-Support-authorized-policy.patch
+- Refresh the TPM2 related patches
+  * grub-read-pcr.patch
+  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
+  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+  * safe_tpm_pcr_snapshot.patch
+  * tpm-record-pcrs.patch
+
 -------------------------------------------------------------------
 Fri Nov 29 05:56:22 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 

grub2.spec

@@ -339,10 +339,10 @@ Patch147:       0001-grub-probe-Deduplicate-probed-partmap-output.patch
 Patch148:       0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
 Patch149:       0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
 Patch150:       0001-key_protector-Add-key-protectors-framework.patch
-Patch151:       0002-tpm2-Add-TPM-Software-Stack-TSS.patch
-Patch152:       0003-key_protector-Add-TPM2-Key-Protector.patch
+Patch151:       grub2-add-tss2-support.patch
+Patch152:       0001-key_protector-Add-TPM2-Key-Protector.patch
 Patch153:       0004-cryptodisk-Support-key-protectors.patch
-Patch154:       0005-util-grub-protect-Add-new-tool.patch
+Patch154:       0001-util-grub-protect-Add-new-tool.patch
 Patch155:       0008-linuxefi-Use-common-grub_initrd_load.patch
 Patch156:       0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
 Patch157:       0010-templates-import-etc-crypttab-to-grub.cfg.patch
@@ -356,7 +356,7 @@ Patch164:       0003-ieee1275-change-the-logic-of-ieee1275_get_devargs.patch
 Patch165:       0004-ofpath-controller-name-update.patch
 Patch166:       0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
 Patch167:       grub2-increase-crypttab-path-buffer.patch
-Patch170:       0001-tpm2-Support-authorized-policy.patch
+Patch170:       0001-tpm2_key_protector-Support-authorized-policy.patch
 Patch171:       0001-tpm2-Add-extra-RSA-SRK-types.patch
 Patch174:       0001-clean-up-crypttab-and-linux-modules-dependency.patch
 Patch175:       0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
@@ -368,7 +368,7 @@ Patch180:       0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
 Patch181:       0001-font-Try-memdisk-fonts-with-the-same-name.patch
 Patch182:       0001-Make-grub.cfg-compatible-to-old-binaries.patch
 Patch183:       grub2-change-bash-completion-dir.patch
-Patch184:       0001-tpm2-Implement-NV-index.patch
+Patch184:       0001-tpm2_key_protector-Implement-NV-index.patch
 Patch185:       0002-cryptodisk-Fallback-to-passphrase.patch
 Patch186:       0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
 Patch187:       0004-diskfilter-look-up-cryptodisk-devices-first.patch
@@ -779,7 +779,7 @@ CD_MODULES="all_video boot cat configfile echo true \
 PXE_MODULES="tftp http"
 CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 crypttab"
 %ifarch %{efi}
-CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tpm2 memdisk tar squash4 xzio blscfg"
+CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg"
 PXE_MODULES="${PXE_MODULES} efinet"
 %else
 CD_MODULES="${CD_MODULES} net ofnet"
@@ -877,7 +877,7 @@ mksquashfs ./boot memdisk.sqsh -keep-as-directory -comp xz -quiet -no-progress
     %{?sbat_generation:--sbat sbat.csv} \
     -d grub-core \
     all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt png reboot video \
-    fat tpm tpm2 memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
+    fat tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
 %endif
 
 %ifarch x86_64 aarch64

safe_tpm_pcr_snapshot.patch

@@ -3,20 +3,21 @@
  util/grub-install.c      |    6 ++++--
  2 files changed, 40 insertions(+), 12 deletions(-)
 
---- a/grub-core/commands/tpm.c
-+++ b/grub-core/commands/tpm.c
-@@ -27,8 +27,10 @@
+Index: grub-2.12/grub-core/commands/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/tpm.c
++++ grub-2.12/grub-core/commands/tpm.c
+@@ -27,7 +27,9 @@
  #include <grub/verify.h>
  #include <grub/dl.h>
  #include <grub/extcmd.h>
 +#ifdef GRUB_MACHINE_EFI
- #include <grub/tpm2/tpm2.h>
  #include <grub/efi/efi.h>
 +#endif
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -97,12 +99,6 @@
+@@ -96,12 +98,6 @@ struct grub_file_verifier grub_tpm_verif
    .verify_string = grub_tpm_verify_string,
  };
  
@@ -29,7 +30,7 @@
  static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
    {
      {
-@@ -118,6 +114,14 @@
+@@ -117,6 +113,14 @@ static const struct grub_arg_option grub
      {0, 0, 0, 0, 0, 0}
    };
  
@@ -44,7 +45,7 @@
  static grub_err_t
  grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned int *index)
  {
-@@ -269,6 +273,10 @@
+@@ -268,6 +272,10 @@ grub_tpm_record_pcrs (grub_extcmd_contex
    grub_size_t size = 0;
    int n, rv = 1;
  
@@ -55,7 +56,7 @@
    if (argc == 0)
      pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
    else
-@@ -297,6 +305,18 @@
+@@ -296,6 +304,18 @@ out:
    return rv;
  }
  
@@ -74,9 +75,11 @@
  static grub_extcmd_t cmd;
  
  GRUB_MOD_INIT (tpm)
---- a/util/grub-install.c
-+++ b/util/grub-install.c
-@@ -1560,8 +1560,9 @@
+Index: grub-2.12/util/grub-install.c
+===================================================================
+--- grub-2.12.orig/util/grub-install.c
++++ grub-2.12/util/grub-install.c
+@@ -1574,8 +1574,9 @@ main (int argc, char *argv[])
  
    grub_util_unlink (load_cfg);
  
@@ -87,7 +90,7 @@
        load_cfg_f = grub_util_fopen (load_cfg, "wb");
        have_load_cfg = 1;
        fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
-@@ -1569,7 +1570,8 @@
+@@ -1583,7 +1584,8 @@ main (int argc, char *argv[])
  
    if (debug_image && debug_image[0])
      {

tpm-record-pcrs.patch

@@ -1,16 +1,17 @@
---- a/grub-core/commands/tpm.c
-+++ b/grub-core/commands/tpm.c
-@@ -26,6 +26,9 @@
+Index: grub-2.12/grub-core/commands/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/tpm.c
++++ grub-2.12/grub-core/commands/tpm.c
+@@ -26,6 +26,8 @@
  #include <grub/term.h>
  #include <grub/verify.h>
  #include <grub/dl.h>
 +#include <grub/extcmd.h>
-+#include <grub/tpm2/tpm2.h>
 +#include <grub/efi/efi.h>
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -94,8 +97,214 @@
+@@ -94,8 +96,214 @@ struct grub_file_verifier grub_tpm_verif
    .verify_string = grub_tpm_verify_string,
  };
  
@@ -225,7 +226,7 @@
    /*
     * Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
     * it does seem to call it late enough in the initialization sequence so
-@@ -109,6 +318,7 @@
+@@ -109,6 +317,7 @@ GRUB_MOD_INIT (tpm)
  
  GRUB_MOD_FINI (tpm)
  {