diff --git a/0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch b/0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
new file mode 100644
index 0000000..bde2dec
--- /dev/null
+++ b/0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
@@ -0,0 +1,33 @@
+From f903b9a9adb64e733e581771d2a24efae7fbe529 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt
+Date: Thu, 5 Oct 2023 11:02:25 +0200
+Subject: [PATCH] fs/btrfs: Zero file data not backed by extents
+
+Implicit holes in file data need to be zeroed explicitly, instead of
+just leaving the data in the buffer uninitialized.
+
+This led to kernels randomly failing to boot in "fun" ways when loaded
+from btrfs with the no_holes feature enabled, because large blocks of
+zeros in the kernel file contained random data instead.
+
+Signed-off-by: Fabian Vogt
+---
+ grub-core/fs/btrfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 19bff4610..ba0c58352 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -1603,6 +1603,8 @@ grub_btrfs_extent_read (struct grub_btrfs_data *data,
+ csize = grub_le_to_cpu64 (key_out.offset) - pos;
+ if (csize > len)
+ csize = len;
++
++ grub_memset (buf, 0, csize);
+ buf += csize;
+ pos += csize;
+ len -= csize;
+--
+2.42.0
+
diff --git a/0002-tpm2-Add-TPM-Software-Stack-TSS.patch b/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
index d280f0b..81765e3 100644
--- a/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+++ b/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
@@ -1,7 +1,7 @@
-From a4f5c4aa64e0484b08dcb9b7798395c55ca45ead Mon Sep 17 00:00:00 2001
+From c5a42cf3340aa740132bcdb8e8cee22c23306ef5 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta
 Date: Tue, 1 Feb 2022 05:02:54 -0800
-Subject: [PATCH 2/5] tpm2: Add TPM Software Stack (TSS)
+Subject: [PATCH v6 09/20] tpm2: Add TPM Software Stack (TSS)
 A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
 compose, submit, and parse TPM commands and responses.
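Review bot: The added `grub_memset (buf, 0, csize);` in the grub_btrfs_extent_read hunk carries no comment, so a later reader cannot tell it from a redundant clear of a buffer that is about to be filled; only the patch description explains that no extent backs this range. Suggest a comment directly above it: `/* No extent backs this range (an implicit hole, as with the no_holes feature), so the caller's buffer still holds stale memory here; zero it explicitly. */`. The body of grub_btrfs_extent_read starts and ends outside the hunk.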
@@ -38,11 +38,11 @@ Signed-off-by: Gary Lin include/grub/tpm2/buffer.h | 65 ++ include/grub/tpm2/internal/functions.h | 117 ++++ include/grub/tpm2/internal/structs.h | 675 +++++++++++++++++++++ - include/grub/tpm2/internal/types.h | 372 ++++++++++++ + include/grub/tpm2/internal/types.h | 370 ++++++++++++ include/grub/tpm2/mu.h | 292 +++++++++ include/grub/tpm2/tcg2.h | 34 ++ include/grub/tpm2/tpm2.h | 34 ++ - 11 files changed, 3445 insertions(+) + 11 files changed, 3443 insertions(+) create mode 100644 grub-core/tpm2/buffer.c create mode 100644 grub-core/tpm2/mu.c create mode 100644 grub-core/tpm2/tcg2.c @@ -55,6 +55,9 @@ Signed-off-by: Gary Lin create mode 100644 include/grub/tpm2/tcg2.h create mode 100644 include/grub/tpm2/tpm2.h +diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c +new file mode 100644 +index 000000000..cb9f29497 --- /dev/null +++ b/grub-core/tpm2/buffer.c @@ -0,0 +1,145 @@ @@ -203,6 +206,9 @@ Signed-off-by: Gary Lin + buffer->offset += sizeof (tmp); + *value = grub_be_to_cpu32 (tmp); +} +diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c +new file mode 100644 +index 000000000..1617f37cd --- /dev/null +++ b/grub-core/tpm2/mu.c @@ -0,0 +1,807 @@ @@ -1013,6 +1019,9 @@ Signed-off-by: Gary Lin + for (grub_uint32_t i = 0; i < digest->count; i++) + grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]); +} +diff --git a/grub-core/tpm2/tcg2.c b/grub-core/tpm2/tcg2.c +new file mode 100644 +index 000000000..9e4b7f565 --- /dev/null +++ b/grub-core/tpm2/tcg2.c @@ -0,0 +1,143 @@ @@ -1153,12 +1162,15 @@ Signed-off-by: Gary Lin + return err; + + status = protocol->submit_command (protocol, input_size, input, -+ output_size, output); ++ output_size, output); + if (status != GRUB_EFI_SUCCESS) + return GRUB_ERR_INVALID_COMMAND; + + return GRUB_ERR_NONE; +} +diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c +new file mode 100644 +index 000000000..d67699a24 --- /dev/null +++ b/grub-core/tpm2/tpm2.c @@ -0,0 +1,761 @@ 
@@ -1923,6 +1935,9 @@ Signed-off-by: Gary Lin + + return TPM_RC_SUCCESS; +} +diff --git a/include/grub/tpm2/buffer.h b/include/grub/tpm2/buffer.h +new file mode 100644 +index 000000000..87dcd8d6c --- /dev/null +++ b/include/grub/tpm2/buffer.h @@ -0,0 +1,65 @@ @@ -1991,6 +2006,9 @@ Signed-off-by: Gary Lin +grub_tpm2_buffer_unpack_u32 (grub_tpm2_buffer_t buffer, grub_uint32_t* value); + +#endif /* ! GRUB_TPM2_BUFFER_HEADER */ +diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h +new file mode 100644 +index 000000000..9380f26a2 --- /dev/null +++ b/include/grub/tpm2/internal/functions.h @@ -0,0 +1,117 @@ @@ -2111,6 +2129,9 @@ Signed-off-by: Gary Lin + TPMS_AUTH_RESPONSE *authResponse); + +#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */ +diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h +new file mode 100644 +index 000000000..72d71eb70 --- /dev/null +++ b/include/grub/tpm2/internal/structs.h @@ -0,0 +1,675 @@ @@ -2789,9 +2810,12 @@ Signed-off-by: Gary Lin +typedef struct TPMT_TK_CREATION TPMT_TK_CREATION; + +#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */ +diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h +new file mode 100644 +index 000000000..9118cad5d --- /dev/null +++ b/include/grub/tpm2/internal/types.h -@@ -0,0 +1,372 @@ +@@ -0,0 +1,370 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -3077,8 +3101,8 @@ Signed-off-by: Gary Lin +#define TPM_RH_AUTH_FF ((TPM_RH) 0x4000010F) +#define TPM_RH_LAST ((TPM_RH) 0x4000010F) + -+/* TPM2_ECC_CURVE Constants */ -+typedef grub_uint16_t TPM2_ECC_CURVE; ++/* TPM_ECC_CURVE Constants */ ++typedef grub_uint16_t TPM_ECC_CURVE; + +#define TPM_ECC_NONE ((TPM_ECC_CURVE) 0x0000) +#define TPM_ECC_NIST_P192 ((TPM_ECC_CURVE) 0x0001) @@ -3153,8 +3177,6 @@ 
Signed-off-by: Gary Lin +typedef grub_uint16_t TPM_KEY_BITS; + +/* TPM_ECC_CURVE Types */ -+typedef grub_uint16_t TPM_ECC_CURVE; -+ +typedef TPM_ECC_CURVE TPMI_ECC_CURVE; + +/* TPMI_RH_PROVISION Type */ @@ -3164,6 +3186,9 @@ Signed-off-by: Gary Lin +typedef TPM_HANDLE TPMI_DH_PERSISTENT; + +#endif /* ! GRUB_TPM2_INTERNAL_TYPES_HEADER */ +diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h +new file mode 100644 +index 000000000..c545976db --- /dev/null +++ b/include/grub/tpm2/mu.h @@ -0,0 +1,292 @@ @@ -3459,6 +3484,9 @@ Signed-off-by: Gary Lin + TPML_DIGEST* digest); + +#endif /* ! GRUB_TPM2_MU_HEADER */ +diff --git a/include/grub/tpm2/tcg2.h b/include/grub/tpm2/tcg2.h +new file mode 100644 +index 000000000..553b3fd93 --- /dev/null +++ b/include/grub/tpm2/tcg2.h @@ -0,0 +1,34 @@ @@ -3496,6 +3524,9 @@ Signed-off-by: Gary Lin + grub_uint8_t *output); + +#endif /* ! GRUB_TPM2_TCG2_HEADER */ +diff --git a/include/grub/tpm2/tpm2.h b/include/grub/tpm2/tpm2.h +new file mode 100644 +index 000000000..cfdc9edcd --- /dev/null +++ b/include/grub/tpm2/tpm2.h @@ -0,0 +1,34 @@ @@ -3533,3 +3564,6 @@ Signed-off-by: Gary Lin +} TPM2_SEALED_KEY; + +#endif /* ! GRUB_TPM2_TPM2_HEADER */ +-- +2.35.3 + diff --git a/0003-protectors-Add-TPM2-Key-Protector.patch b/0003-protectors-Add-TPM2-Key-Protector.patch index b74afb6..43d8f81 100644 --- a/0003-protectors-Add-TPM2-Key-Protector.patch +++ b/0003-protectors-Add-TPM2-Key-Protector.patch @@ -1,7 +1,7 @@ -From ab730e5bc42bae528da62178680284efdd64278e Mon Sep 17 00:00:00 2001 +From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001 From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:55 -0800 -Subject: [PATCH 3/5] protectors: Add TPM2 Key Protector +Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector The TPM2 key protector is a module that enables the automatic retrieval of a fully-encrypted disk's unlocking key from a TPM 2.0. 
@@ -77,18 +77,18 @@ command (modifications to this command are in a different patch). For instance, to unseal the raw sealed key file: tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key -cryptomount DISK1 -P tpm2 +cryptomount -u -P tpm2 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key --pcrs=7,11 -cryptomount DISK2 -P tpm2 +cryptomount -u -P tpm2 Or, to unseal the TPM 2.0 Key file: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm -cryptomount DISK1 -P tpm2 +cryptomount -u -P tpm2 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm --pcrs=7,11 -cryptomount DISK2 -P tpm2 +cryptomount -u -P tpm2 If a user does not initialize the key protector and attempts to use it anyway, the protector returns an error. @@ -117,14 +117,14 @@ Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin --- grub-core/Makefile.core.def | 13 + - grub-core/tpm2/args.c | 131 ++++ - grub-core/tpm2/module.c | 1033 +++++++++++++++++++++++++++++ + grub-core/tpm2/args.c | 177 +++++ + grub-core/tpm2/module.c | 1040 +++++++++++++++++++++++++++++ grub-core/tpm2/tpm2key.asn | 31 + grub-core/tpm2/tpm2key.c | 440 ++++++++++++ grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++ - include/grub/tpm2/internal/args.h | 39 ++ + include/grub/tpm2/internal/args.h | 41 ++ include/grub/tpm2/tpm2key.h | 83 +++ - 8 files changed, 1811 insertions(+) + 8 files changed, 1866 insertions(+) create mode 100644 grub-core/tpm2/args.c create mode 100644 grub-core/tpm2/module.c create mode 100644 grub-core/tpm2/tpm2key.asn @@ -133,12 +133,15 @@ Signed-off-by: Gary Lin create mode 100644 include/grub/tpm2/internal/args.h create mode 100644 include/grub/tpm2/tpm2key.h +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 5831d4265..38571119e 100644 --- a/grub-core/Makefile.core.def 
+++ b/grub-core/Makefile.core.def -@@ -2599,6 +2599,19 @@ +@@ -2553,6 +2553,19 @@ module = { + enable = efi; }; - module = { ++module = { + name = tpm2; + common = tpm2/args.c; + common = tpm2/buffer.c; @@ -151,13 +154,15 @@ Signed-off-by: Gary Lin + enable = efi; +}; + -+module = { + module = { name = tr; common = commands/tr.c; - }; +diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c +new file mode 100644 +index 000000000..274f4fef0 --- /dev/null +++ b/grub-core/tpm2/args.c -@@ -0,0 +1,131 @@ +@@ -0,0 +1,177 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -237,12 +242,58 @@ 
Signed-off-by: Gary Lin +} + +grub_err_t -+grub_tpm2_protector_parse_asymmetric (const char *value, TPM_ALG_ID *asymmetric) ++grub_tpm2_protector_parse_asymmetric (const char *value, ++ TPM_ALG_ID *asymmetric, ++ TPM_KEY_BITS *rsa_bits, ++ TPM_ECC_CURVE *ecc_curve) +{ -+ if (grub_strcasecmp (value, "ECC") == 0) -+ *asymmetric = TPM_ALG_ECC; -+ else if (grub_strcasecmp (value, "RSA") == 0) -+ *asymmetric = TPM_ALG_RSA; ++ if (grub_strcasecmp (value, "ECC") == 0 || ++ grub_strcasecmp (value, "ECC_NIST_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P256; ++ } ++ else if (grub_strcasecmp (value, "RSA") == 0 || ++ grub_strcasecmp (value, "RSA2048") == 0) ++ { ++ *asymmetric = TPM_ALG_RSA; ++ *rsa_bits = 2048; ++ } ++ else if (grub_strcasecmp (value, "RSA3072") == 0) ++ { ++ *asymmetric = TPM_ALG_RSA; ++ *rsa_bits = 3072; ++ } ++ else if (grub_strcasecmp (value, "RSA4096") == 0) ++ { ++ *asymmetric = TPM_ALG_RSA; ++ *rsa_bits = 4096; ++ } ++ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P384; ++ } ++ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P521; ++ } ++ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_BN_P256; ++ } ++ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_BN_P638; ++ } ++ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_SM2_P256; ++ } + else + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("Value '%s' is not a valid asymmetric key type"), @@ -289,9 +340,12 @@ Signed-off-by: Gary Lin + + return GRUB_ERR_NONE; +} +diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c +new file mode 100644 +index 000000000..9605ddbc7 --- /dev/null 
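Review bot: grub_tpm2_protector_parse_asymmetric now writes only the out-parameter of the selected key family — `*rsa_bits` in the RSA branches, `*ecc_curve` in the ECC branches — and leaves the other untouched, but neither this definition nor the prototype hunk in include/grub/tpm2/internal/args.h says so, so a caller reading both after the call gets whatever value was there before. Suggest a comment above the definition: `/* On success *asymmetric is set and exactly one of *rsa_bits or *ecc_curve is written; the other is left untouched. */`. The nine grub_strcasecmp branches would also read more easily as a static table of {name, alg, bits, curve} rows walked in a loop, which is a style preference rather than a defect. The function's error return continues outside the hunk.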
+++ b/grub-core/tpm2/module.c -@@ -0,0 +1,1033 @@ +@@ -0,0 +1,1040 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -352,6 +406,8 @@ Signed-off-by: Gary Lin + grub_uint8_t pcrs[TPM_MAX_PCRS]; + grub_uint8_t pcr_count; + TPM_ALG_ID asymmetric; ++ TPM_KEY_BITS rsa_bits; ++ TPM_ECC_CURVE ecc_curve; + TPM_ALG_ID bank; + const char *tpm2key; + const char *keyfile; @@ -390,7 +446,7 @@ Signed-off-by: Gary Lin + .type = ARG_TYPE_STRING, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), or SHA384."), ++ "SHA1, SHA256 (default), SHA384 or SHA512."), + }, + /* SRK-mode options */ + { @@ -431,7 +487,10 @@ Signed-off-by: Gary Lin + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = -+ N_("In SRK mode, the type of SRK: RSA (default) or ECC."), ++ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, " ++ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, " ++ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " ++ "(default is RSA2048)"), + }, + /* NV Index-mode options */ + { @@ -696,7 +755,7 @@ Signed-off-by: Gary Lin + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + } + else if (ctx->asymmetric == TPM_ALG_ECC) @@ -705,7 +764,7 @@ 
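Review bot: The new `--asymmetric` help text lists the accepted key types but not that the value has to match the one grub-protect was given when the key was sealed: the SRK is recreated from this template at boot (`keyBits = ctx->rsa_bits` and `curveID = ctx->ecc_curve` further down in this file), so a different type or size most likely produces a different SRK and the unseal fails without an obvious cause. Suggest appending to the doc string: `"Must match the type used when sealing the key."`. A sentence noting that RSA3072/RSA4096 and the BN and SM2 curves depend on the TPM supporting them would also spare users a puzzling TPM return code.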
Signed-off-by: Gary Lin + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; ++ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + } + else @@ -977,10 +1036,7 @@ Signed-off-by: Gary Lin + /* Get the SRK to unseal the sealed key */ + err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle); + if (err != GRUB_ERR_NONE) -+ { -+ grub_error (err, N_("Failed to retrieve the SRK")); -+ goto exit1; -+ } ++ goto exit1; + + /* Load the sealed key and associate it with the SRK */ + authCmd.sessionHandle = TPM_RS_PW; @@ -1148,7 +1204,10 @@ Signed-off-by: Gary Lin + ctx->srk = TPM2_SRK_HANDLE; + + if (!ctx->asymmetric) -+ ctx->asymmetric = TPM_ALG_RSA; ++ { ++ ctx->asymmetric = TPM_ALG_RSA; ++ ctx->rsa_bits = 2048; ++ } + } + + return GRUB_ERR_NONE; @@ -1252,7 +1311,9 @@ Signed-off-by: Gary Lin + if (state[OPTION_ASYMMETRIC].set) /* asymmetric */ + { + err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg, -+ &grub_tpm2_protector_ctx.asymmetric); ++ &grub_tpm2_protector_ctx.asymmetric, ++ &grub_tpm2_protector_ctx.rsa_bits, ++ &grub_tpm2_protector_ctx.ecc_curve); + if (err != GRUB_ERR_NONE) + return err; + } @@ -1325,6 +1386,9 @@ Signed-off-by: Gary Lin + grub_unregister_extcmd (grub_tpm2_protector_clear_cmd); + grub_unregister_extcmd (grub_tpm2_protector_init_cmd); +} +diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn +new file mode 100644 +index 000000000..e3b6a03e0 --- /dev/null +++ b/grub-core/tpm2/tpm2key.asn @@ -0,0 +1,31 @@ @@ -1359,6 +1423,9 @@ Signed-off-by: Gary Lin +} + +END +diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c +new file mode 100644 +index 000000000..62f6d865b 
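Review bot: With the `grub_error (err, N_("Failed to retrieve the SRK"))` wrapper removed, the message a user sees when the SRK cannot be obtained now comes entirely from grub_tpm2_protector_srk_get, which is outside this hunk; if any of its failing returns comes back without a grub_error call of its own, the unseal fails with an empty message. The removal presumably avoids a duplicated message when srk_get already reports one; that assumption deserves a one-line comment at the `goto exit1`, e.g. `/* srk_get has already set grub_errno and its message. */`, and a check that every error path in srk_get really does so. The enclosing function starts and ends outside the hunk.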
--- /dev/null +++ b/grub-core/tpm2/tpm2key.c @@ -0,0 +1,440 @@ @@ -1802,6 +1869,9 @@ Signed-off-by: Gary Lin + grub_free (authpol); + } +} +diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c +new file mode 100644 +index 000000000..551fc46ec --- /dev/null +++ b/grub-core/tpm2/tpm2key_asn1_tab.c @@ -0,0 +1,41 @@ @@ -1846,9 +1916,12 @@ Signed-off-by: Gary Lin + { "privkey", 7, NULL }, + { NULL, 0, NULL } +}; +diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h +new file mode 100644 +index 000000000..58d13e031 --- /dev/null +++ b/include/grub/tpm2/internal/args.h -@@ -0,0 +1,39 @@ +@@ -0,0 +1,41 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -1879,7 +1952,9 @@ Signed-off-by: Gary Lin + +grub_err_t +grub_tpm2_protector_parse_asymmetric (const char *value, -+ TPM_ALG_ID *asymmetric); ++ TPM_ALG_ID *asymmetric, ++ TPM_KEY_BITS *rsa_bits, ++ TPM_ECC_CURVE *ecc_curve); + +grub_err_t +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank); @@ -1888,6 +1963,9 @@ Signed-off-by: Gary Lin +grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE *handle); + +#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */ +diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h +new file mode 100644 +index 000000000..df46203e3 --- /dev/null +++ b/include/grub/tpm2/tpm2key.h @@ -0,0 +1,83 @@ @@ -1974,3 +2052,6 @@ Signed-off-by: Gary Lin +grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq); + +#endif /* GRUB_TPM2_TPM2KEY_HEADER */ +-- +2.35.3 + diff --git a/0005-util-grub-protect-Add-new-tool.patch b/0005-util-grub-protect-Add-new-tool.patch index 8b1b6fa..c899bae 100644 --- a/0005-util-grub-protect-Add-new-tool.patch +++ b/0005-util-grub-protect-Add-new-tool.patch @@ -1,7 +1,7 @@ -From 38ebade1341ee99593568d97e0300f5b6aa626f3 Mon Sep 17 00:00:00 2001 +From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001 
From: Hernan Gatta Date: Tue, 1 Feb 2022 05:02:57 -0800 -Subject: [PATCH 5/5] util/grub-protect: Add new tool +Subject: [PATCH v6 12/20] util/grub-protect: Add new tool To utilize the key protectors framework, there must be a way to protect full-disk encryption keys in the first place. The grub-protect tool @@ -15,8 +15,8 @@ a new LUKS key slot for this key. Then, the user invokes the grub-protect tool to seal this key file to a set of PCRs using the system's TPM 2.0. The resulting sealed key file is stored in an unencrypted partition such as the EFI System Partition (ESP) so that GRUB may read it. The user also -ensures the cryptomount command is included in GRUB's boot script and -that it carries the requisite key protector (-P) parameter. +has to ensure the cryptomount command is included in GRUB's boot script +and that it carries the requisite key protector (-P) parameter. Sample usage: @@ -41,14 +41,12 @@ $ sudo grub-protect --action=add \ Then, in the boot script, for TPM 2.0 Key File: tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm -cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2 +cryptomount -u -P tpm2 Or, for the raw sealed key: tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key -cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2 - -where the UUID corresponds to /dev/sdb1. +cryptomount -u -P tpm2 Signed-off-by: Hernan Gatta Signed-off-by: Gary Lin @@ -56,13 +54,15 @@ 
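Review bot: The boot-script examples now read `cryptomount -u -P tpm2` with nothing after `-u`, where the previous text gave `cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2` and explained which device the UUID belonged to. If cryptomount still expects the UUID as the argument following `-u`, the example no longer runs as written; if a companion patch in this series makes the UUID optional when a protector is given, the description should say so in one sentence, since the same example is repeated four times in 0003-protectors-Add-TPM2-Key-Protector.patch.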
Signed-off-by: Gary Lin .gitignore | 2 + Makefile.util.def | 22 + configure.ac | 9 + - util/grub-protect.c | 1508 +++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 1541 insertions(+) + util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 1557 insertions(+) create mode 100644 util/grub-protect.c ---- a/Makefile.util.def -+++ b/Makefile.util.def -@@ -208,6 +208,28 @@ +Index: grub-2.12~rc1/Makefile.util.def +=================================================================== +--- grub-2.12~rc1.orig/Makefile.util.def ++++ grub-2.12~rc1/Makefile.util.def +@@ -208,6 +208,28 @@ program = { }; program = { @@ -91,9 +91,11 @@ Signed-off-by: Gary Lin name = grub-mkrelpath; mansection = 1; ---- a/configure.ac -+++ b/configure.ac -@@ -76,6 +76,7 @@ +Index: grub-2.12~rc1/configure.ac +=================================================================== +--- grub-2.12~rc1.orig/configure.ac ++++ grub-2.12~rc1/configure.ac +@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2]) grub_TRANSFORM([grub-mkrelpath]) grub_TRANSFORM([grub-mkrescue]) grub_TRANSFORM([grub-probe]) @@ -101,7 +103,7 @@ Signed-off-by: Gary Lin grub_TRANSFORM([grub-reboot]) grub_TRANSFORM([grub-script-check]) grub_TRANSFORM([grub-set-default]) -@@ -1992,6 +1993,14 @@ +@@ -1992,6 +1993,14 @@ fi AC_SUBST([LIBZFS]) AC_SUBST([LIBNVPAIR]) @@ -116,9 +118,11 @@ Signed-off-by: Gary Lin LIBS="" AC_SUBST([FONT_SOURCE]) +Index: grub-2.12~rc1/util/grub-protect.c +=================================================================== --- /dev/null -+++ b/util/grub-protect.c -@@ -0,0 +1,1508 @@ ++++ grub-2.12~rc1/util/grub-protect.c +@@ -0,0 +1,1524 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2022 Microsoft Corporation @@ -227,6 +231,8 @@ 
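Review bot: From this hunk on, 0005-util-grub-protect-Add-new-tool.patch switches to quilt-style `Index: grub-2.12~rc1/...` and `====` headers with `grub-2.12~rc1.orig/` and `grub-2.12~rc1/` path prefixes, while its own diffstat and the other patches in this commit (0002 and 0003 gain `diff --git` lines in the same change) use git-style `a/` and `b/` headers. Both forms apply with -p1, but mixing them inside one patch makes the file harder to regenerate with git format-patch later; suggest keeping `--- a/Makefile.util.def` / `+++ b/Makefile.util.def` and the matching `configure.ac` and `util/grub-protect.c` headers, and dropping the `Index:` lines.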
Signed-off-by: Gary Lin + grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS]; + grub_uint8_t tpm2_pcr_count; + TPM_ALG_ID tpm2_asymmetric; ++ TPM_KEY_BITS rsa_bits; ++ TPM_ECC_CURVE ecc_curve; + TPM_ALG_ID tpm2_bank; + TPM_HANDLE tpm2_srk; + const char *tpm2_keyfile; @@ -280,11 +286,11 @@ Signed-off-by: Gary Lin + { + .name = "tpm2-bank", + .key = GRUB_PROTECT_OPT_TPM2_BANK, -+ .arg = "SHA1|SHA256|SHA384", ++ .arg = "ALG", + .flags = 0, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), or SHA384."), ++ "SHA1, SHA256 (default), or SHA512."), + .group = 0 + }, + { @@ -319,10 +325,13 @@ Signed-off-by: Gary Lin + { + .name = "tpm2-asymmetric", + .key = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC, -+ .arg = "RSA|ECC", ++ .arg = "TYPE", + .flags = 0, + .doc = -+ N_("The type of SRK: RSA (default) or ECC."), ++ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, " ++ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, " ++ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " ++ "(default is RSA2048)"), + .group = 0 + }, + { @@ -648,6 +657,13 @@ Signed-off-by: Gary Lin + pcr_digest_len = TPM_SHA256_DIGEST_SIZE; + hash_spec = GRUB_MD_SHA256; + break; ++ case TPM_ALG_SHA512: ++ pcr_digest_len = TPM_SHA512_DIGEST_SIZE; ++ hash_spec = GRUB_MD_SHA512; ++ break; ++ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(), ++ it's not supported by the built-in libgcrypt, and we won't be able to ++ calculate the PCR digest, so SHA384 is marked as unsupported. */ + default: + return GRUB_ERR_BAD_ARGUMENT; + } @@ -797,7 +813,7 @@ 
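Review bot: The two fields added to the grub-protect argument struct are named `rsa_bits` and `ecc_curve`, while every neighbouring TPM field in the same struct carries the `tpm2_` prefix (`tpm2_asymmetric`, `tpm2_bank`, `tpm2_srk`, `tpm2_keyfile`); the module.c struct in 0003 is unprefixed throughout, so the convention is per file and this file's is `tpm2_`. Renaming them `tpm2_rsa_bits` and `tpm2_ecc_curve` here and at their uses later in the patch (`args->rsa_bits` and `args->ecc_curve` in the SRK template and in the option parser) keeps the struct self-consistent. The struct definition starts outside the hunk.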
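Review bot: The new comment says SHA384 passes grub_tpm2_protector_parse_bank() but cannot be hashed in this tool, yet the `default:` branch below it still returns a bare `GRUB_ERR_BAD_ARGUMENT` without a message, so a user running `--tpm2-bank=SHA384` gets a failure with no stated reason; the shortened `--tpm2-bank` help text is correct but leaves that gap unexplained. If grub_error is usable here, as the `grub_errno` checks later in this file suggest, `default: return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("PCR bank not supported by grub-protect"));` gives the user the reason, or SHA384 could be rejected already at option parsing. The function enclosing this switch starts and ends outside the hunk.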
Signed-off-by: Gary Lin + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + break; + @@ -806,7 +822,7 @@ Signed-off-by: Gary Lin + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; ++ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + break; + @@ -1257,7 +1273,10 @@ Signed-off-by: Gary Lin + args->tpm2_srk = TPM2_SRK_HANDLE; + + if (args->tpm2_asymmetric == TPM_ALG_ERROR) -+ args->tpm2_asymmetric = TPM_ALG_RSA; ++ { ++ args->tpm2_asymmetric = TPM_ALG_RSA; ++ args->rsa_bits = 2048; ++ } + + if (args->tpm2_bank == TPM_ALG_ERROR) + args->tpm2_bank = TPM_ALG_SHA256; @@ -1426,7 +1445,8 @@ Signed-off-by: Gary Lin + return EINVAL; + } + -+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric); ++ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric, ++ &args->rsa_bits, &args->ecc_curve); + if (err != GRUB_ERR_NONE) + { + if (grub_errno != GRUB_ERR_NONE) diff --git a/grub2.changes b/grub2.changes index 6a6c424..ccea3cb 100644 --- a/grub2.changes +++ b/grub2.changes 
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Thu Oct 5 09:49:54 UTC 2023 - Fabian Vogt
+
+- Add patch to fix reading files from btrfs with "implicit" holes:
+ * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
+
+-------------------------------------------------------------------
+Mon Oct 2 14:30:49 UTC 2023 - Gary Ching-Pang Lin
+
+- Update the TPM 2.0 patches to support more RSA and ECC algorithms
+ * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+ * 0003-protectors-Add-TPM2-Key-Protector.patch
+ * 0005-util-grub-protect-Add-new-tool.patch
+
+-------------------------------------------------------------------
+Mon Oct 2 08:11:56 UTC 2023 - Michael Chang
+
+- Remove build require for gcc-32bit, target platform didn't rely on libgcc
+ function shipped with compiler but rather using functions supplied in grub
+ directly.
+
+-------------------------------------------------------------------
+Fri Sep 29 08:38:13 UTC 2023 - Fabian Vogt
+
+- Add BuildIgnore to break cycle with the branding package
+
 -------------------------------------------------------------------
 Wed Sep 27 03:37:10 UTC 2023 - Gary Ching-Pang Lin
diff --git a/grub2.spec b/grub2.spec
index f35da99..83f14b5 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -28,14 +28,6 @@
 %endif
 Name: grub2
-%ifarch x86_64 ppc64
-BuildRequires: gcc-32bit
-BuildRequires: glibc-32bit
-BuildRequires: glibc-devel-32bit
-%else
-BuildRequires: gcc
-BuildRequires: glibc-devel
-%endif
 BuildRequires: automake
 BuildRequires: bison
 BuildRequires: device-mapper-devel
@@ -43,6 +35,8 @@ BuildRequires: fdupes
 BuildRequires: flex
 BuildRequires: freetype2-devel
 BuildRequires: fuse-devel
+BuildRequires: gcc
+BuildRequires: glibc-devel
 %if 0%{?suse_version} >= 1140
 BuildRequires: dejavu-fonts
 BuildRequires: gnu-unifont
@@ -157,6 +151,9 @@ BuildRequires: update-bootloader-rpm-macros
 %endif
 %ifarch %{efi}
+# The branding package requires grub2. It's not necessary here,
+# so break the dep to avoid a cycle.
+#!BuildIgnore: grub2
 BuildRequires: grub2-branding
 BuildRequires: squashfs
 %endif
@@ -383,6 +380,7 @@ Patch187: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
 Patch188: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
 Patch189: grub2-mkconfig-riscv64.patch
 Patch190: arm64-Use-proper-memory-type-for-kernel-allocation.patch
+Patch191: 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140