Accepting request 1115941 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1115941 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=302
2023-10-06 19:12:40 +00:00 · 2023-10-06 19:12:40 +00:00 · 476a65dabe
commit 476a65dabe
parent 181b9e3b63 a64c498922
6 changed files with 270 additions and 78 deletions
--- a/0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
+++ b/0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
@ -0,0 +1,33 @@
 From f903b9a9adb64e733e581771d2a24efae7fbe529 Mon Sep 17 00:00:00 2001
 From: Fabian Vogt <fvogt@suse.de>
 Date: Thu, 5 Oct 2023 11:02:25 +0200
 Subject: [PATCH] fs/btrfs: Zero file data not backed by extents
 Implicit holes in file data need to be zeroed explicitly, instead of
 just leaving the data in the buffer uninitialized.
 This led to kernels randomly failing to boot in "fun" ways when loaded
 from btrfs with the no_holes feature enabled, because large blocks of
 zeros in the kernel file contained random data instead.
 Signed-off-by: Fabian Vogt <fvogt@suse.de>
 ---
 grub-core/fs/btrfs.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
 index 19bff4610..ba0c58352 100644
 --- a/grub-core/fs/btrfs.c
 +++ b/grub-core/fs/btrfs.c
@@ -1603,6 +1603,8 @@ grub_btrfs_extent_read (struct grub_btrfs_data *data,
 	      csize = grub_le_to_cpu64 (key_out.offset) - pos;
 	      if (csize > len)
 		      csize = len;
 +
 +	      grub_memset (buf, 0, csize);
 	      buf += csize;
 	      pos += csize;
 	      len -= csize;
 -- 
 2.42.0
--- a/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+++ b/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
@ -1,7 +1,7 @@
-From a4f5c4aa64e0484b08dcb9b7798395c55ca45ead Mon Sep 17 00:00:00 2001
+From c5a42cf3340aa740132bcdb8e8cee22c23306ef5 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hegatta@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:54 -0800
-Subject: [PATCH 2/5] tpm2: Add TPM Software Stack (TSS)
+Subject: [PATCH v6 09/20] tpm2: Add TPM Software Stack (TSS)
 A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
 compose, submit, and parse TPM commands and responses.
@ -38,11 +38,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
 include/grub/tpm2/buffer.h             |  65 ++
 include/grub/tpm2/internal/functions.h | 117 ++++
 include/grub/tpm2/internal/structs.h   | 675 +++++++++++++++++++++
- include/grub/tpm2/internal/types.h     | 372 ++++++++++++
+ include/grub/tpm2/internal/types.h     | 370 ++++++++++++
 include/grub/tpm2/mu.h                 | 292 +++++++++
 include/grub/tpm2/tcg2.h               |  34 ++
 include/grub/tpm2/tpm2.h               |  34 ++
- 11 files changed, 3445 insertions(+)
+ 11 files changed, 3443 insertions(+)
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
@ -55,6 +55,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
 new file mode 100644
 index 000000000..cb9f29497
 --- /dev/null
 +++ b/grub-core/tpm2/buffer.c
@@ -0,0 +1,145 @@
@ -203,6 +206,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  buffer->offset += sizeof (tmp);
 +  *value = grub_be_to_cpu32 (tmp);
 +}
 diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
 new file mode 100644
 index 000000000..1617f37cd
 --- /dev/null
 +++ b/grub-core/tpm2/mu.c
@@ -0,0 +1,807 @@
@ -1013,6 +1019,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  for (grub_uint32_t i = 0; i < digest->count; i++)
 +    grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
 +}
 diff --git a/grub-core/tpm2/tcg2.c b/grub-core/tpm2/tcg2.c
 new file mode 100644
 index 000000000..9e4b7f565
 --- /dev/null
 +++ b/grub-core/tpm2/tcg2.c
@@ -0,0 +1,143 @@
@ -1153,12 +1162,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +    return err;
 +
 +  status = protocol->submit_command (protocol, input_size, input,
-+		       output_size, output);
+				     output_size, output);
 +  if (status != GRUB_EFI_SUCCESS)
 +    return GRUB_ERR_INVALID_COMMAND;
 +
 +  return GRUB_ERR_NONE;
 +}
 diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
 new file mode 100644
 index 000000000..d67699a24
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2.c
@@ -0,0 +1,761 @@
@ -1923,6 +1935,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +
 +  return TPM_RC_SUCCESS;
 +}
 diff --git a/include/grub/tpm2/buffer.h b/include/grub/tpm2/buffer.h
 new file mode 100644
 index 000000000..87dcd8d6c
 --- /dev/null
 +++ b/include/grub/tpm2/buffer.h
@@ -0,0 +1,65 @@
@ -1991,6 +2006,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +grub_tpm2_buffer_unpack_u32 (grub_tpm2_buffer_t buffer, grub_uint32_t* value);
 +
 +#endif /* ! GRUB_TPM2_BUFFER_HEADER */
 diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h
 new file mode 100644
 index 000000000..9380f26a2
 --- /dev/null
 +++ b/include/grub/tpm2/internal/functions.h
@@ -0,0 +1,117 @@
@ -2111,6 +2129,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +		   TPMS_AUTH_RESPONSE *authResponse);
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
 diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
 new file mode 100644
 index 000000000..72d71eb70
 --- /dev/null
 +++ b/include/grub/tpm2/internal/structs.h
@@ -0,0 +1,675 @@
@ -2789,9 +2810,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
 diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
 new file mode 100644
 index 000000000..9118cad5d
 --- /dev/null
 +++ b/include/grub/tpm2/internal/types.h
-@@ -0,0 +1,372 @@
+@@ -0,0 +1,370 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@ -3077,8 +3101,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +#define TPM_RH_AUTH_FF     ((TPM_RH) 0x4000010F)
 +#define TPM_RH_LAST        ((TPM_RH) 0x4000010F)
 +
-+/* TPM2_ECC_CURVE Constants */
+/* TPM_ECC_CURVE Constants */
-+typedef grub_uint16_t TPM2_ECC_CURVE;
+typedef grub_uint16_t TPM_ECC_CURVE;
 +
 +#define TPM_ECC_NONE      ((TPM_ECC_CURVE) 0x0000)
 +#define TPM_ECC_NIST_P192 ((TPM_ECC_CURVE) 0x0001)
@ -3153,8 +3177,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +typedef grub_uint16_t TPM_KEY_BITS;
 +
 +/* TPM_ECC_CURVE Types */
 +typedef grub_uint16_t TPM_ECC_CURVE;
 +
 +typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
 +
 +/* TPMI_RH_PROVISION Type */
@ -3164,6 +3186,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +typedef TPM_HANDLE TPMI_DH_PERSISTENT;
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_TYPES_HEADER */
 diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
 new file mode 100644
 index 000000000..c545976db
 --- /dev/null
 +++ b/include/grub/tpm2/mu.h
@@ -0,0 +1,292 @@
@ -3459,6 +3484,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +				    TPML_DIGEST* digest);
 +
 +#endif /* ! GRUB_TPM2_MU_HEADER */
 diff --git a/include/grub/tpm2/tcg2.h b/include/grub/tpm2/tcg2.h
 new file mode 100644
 index 000000000..553b3fd93
 --- /dev/null
 +++ b/include/grub/tpm2/tcg2.h
@@ -0,0 +1,34 @@
@ -3496,6 +3524,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +			  grub_uint8_t *output);
 +
 +#endif /* ! GRUB_TPM2_TCG2_HEADER */
 diff --git a/include/grub/tpm2/tpm2.h b/include/grub/tpm2/tpm2.h
 new file mode 100644
 index 000000000..cfdc9edcd
 --- /dev/null
 +++ b/include/grub/tpm2/tpm2.h
@@ -0,0 +1,34 @@
@ -3533,3 +3564,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +} TPM2_SEALED_KEY;
 +
 +#endif /* ! GRUB_TPM2_TPM2_HEADER */
 -- 
 2.35.3
--- a/0003-protectors-Add-TPM2-Key-Protector.patch
+++ b/0003-protectors-Add-TPM2-Key-Protector.patch
@ -1,7 +1,7 @@
-From ab730e5bc42bae528da62178680284efdd64278e Mon Sep 17 00:00:00 2001
+From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hegatta@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:55 -0800
-Subject: [PATCH 3/5] protectors: Add TPM2 Key Protector
+Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector
 The TPM2 key protector is a module that enables the automatic retrieval
 of a fully-encrypted disk's unlocking key from a TPM 2.0.
@ -77,18 +77,18 @@ command (modifications to this command are in a different patch).
 For instance, to unseal the raw sealed key file:
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key
-cryptomount DISK1 -P tpm2
+cryptomount -u <PART1_UUID> -P tpm2
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key --pcrs=7,11
-cryptomount DISK2 -P tpm2
+cryptomount -u <PART2_UUID> -P tpm2
 Or, to unseal the TPM 2.0 Key file:
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
-cryptomount DISK1 -P tpm2
+cryptomount -u <PART1_UUID> -P tpm2
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm --pcrs=7,11
-cryptomount DISK2 -P tpm2
+cryptomount -u <PART2_UUID> -P tpm2
 If a user does not initialize the key protector and attempts to use it
 anyway, the protector returns an error.
@ -117,14 +117,14 @@ Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 grub-core/Makefile.core.def       |   13 +
- grub-core/tpm2/args.c             |  131 ++++
+ grub-core/tpm2/args.c             |  177 +++++
- grub-core/tpm2/module.c           | 1033 +++++++++++++++++++++++++++++
+ grub-core/tpm2/module.c           | 1040 +++++++++++++++++++++++++++++
 grub-core/tpm2/tpm2key.asn        |   31 +
 grub-core/tpm2/tpm2key.c          |  440 ++++++++++++
 grub-core/tpm2/tpm2key_asn1_tab.c |   41 ++
- include/grub/tpm2/internal/args.h |   39 ++
+ include/grub/tpm2/internal/args.h |   41 ++
 include/grub/tpm2/tpm2key.h       |   83 +++
- 8 files changed, 1811 insertions(+)
+ 8 files changed, 1866 insertions(+)
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/tpm2key.asn
@ -133,12 +133,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/tpm2key.h
 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
 index 5831d4265..38571119e 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -2599,6 +2599,19 @@
+@@ -2553,6 +2553,19 @@ module = {
   enable = efi;
 };
- module = {
+module = {
 +  name = tpm2;
 +  common = tpm2/args.c;
 +  common = tpm2/buffer.c;
@ -151,13 +154,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  enable = efi;
 +};
 +
-+module = {
+ module = {
   name = tr;
   common = commands/tr.c;
- };
+diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
 new file mode 100644
 index 000000000..274f4fef0
 --- /dev/null
 +++ b/grub-core/tpm2/args.c
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,177 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@ -237,12 +242,58 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +}
 +
 +grub_err_t
-+grub_tpm2_protector_parse_asymmetric (const char *value, TPM_ALG_ID *asymmetric)
+grub_tpm2_protector_parse_asymmetric (const char *value,
 +				      TPM_ALG_ID *asymmetric,
 +				      TPM_KEY_BITS *rsa_bits,
 +				      TPM_ECC_CURVE *ecc_curve)
 +{
-+  if (grub_strcasecmp (value, "ECC") == 0)
+  if (grub_strcasecmp (value, "ECC") == 0 ||
-+    *asymmetric = TPM_ALG_ECC;
+      grub_strcasecmp (value, "ECC_NIST_P256") == 0)
-+  else if (grub_strcasecmp (value, "RSA") == 0)
+    {
-+    *asymmetric = TPM_ALG_RSA;
+      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_NIST_P256;
 +    }
 +  else if (grub_strcasecmp (value, "RSA") == 0 ||
 +	   grub_strcasecmp (value, "RSA2048") == 0)
 +    {
 +      *asymmetric = TPM_ALG_RSA;
 +      *rsa_bits = 2048;
 +    }
 +  else if (grub_strcasecmp (value, "RSA3072") == 0)
 +    {
 +      *asymmetric = TPM_ALG_RSA;
 +      *rsa_bits = 3072;
 +    }
 +  else if (grub_strcasecmp (value, "RSA4096") == 0)
 +    {
 +      *asymmetric = TPM_ALG_RSA;
 +      *rsa_bits = 4096;
 +    }
 +  else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0)
 +    {
 +      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_NIST_P384;
 +    }
 +  else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0)
 +    {
 +      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_NIST_P521;
 +    }
 +  else if (grub_strcasecmp (value, "ECC_BN_P256") == 0)
 +    {
 +      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_BN_P256;
 +    }
 +  else if (grub_strcasecmp (value, "ECC_BN_P638") == 0)
 +    {
 +      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_BN_P638;
 +    }
 +  else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0)
 +    {
 +      *asymmetric = TPM_ALG_ECC;
 +      *ecc_curve = TPM_ECC_SM2_P256;
 +    }
 +  else
 +    return grub_error (GRUB_ERR_OUT_OF_RANGE,
 +		       N_("Value '%s' is not a valid asymmetric key type"),
@ -289,9 +340,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +
 +  return GRUB_ERR_NONE;
 +}
 diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
 new file mode 100644
 index 000000000..9605ddbc7
 --- /dev/null
 +++ b/grub-core/tpm2/module.c
-@@ -0,0 +1,1033 @@
+@@ -0,0 +1,1040 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@ -352,6 +406,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  grub_uint8_t pcrs[TPM_MAX_PCRS];
 +  grub_uint8_t pcr_count;
 +  TPM_ALG_ID asymmetric;
 +  TPM_KEY_BITS rsa_bits;
 +  TPM_ECC_CURVE ecc_curve;
 +  TPM_ALG_ID bank;
 +  const char *tpm2key;
 +  const char *keyfile;
@ -390,7 +446,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      .type     = ARG_TYPE_STRING,
 +      .doc      =
 +	N_("Bank of PCRs used to authorize key release: "
-+	   "SHA1, SHA256 (default), or SHA384."),
+	   "SHA1, SHA256 (default), SHA384 or SHA512."),
 +    },
 +    /* SRK-mode options */
 +    {
@ -431,7 +487,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      .arg      = NULL,
 +      .type     = ARG_TYPE_STRING,
 +      .doc      =
-+	N_("In SRK mode, the type of SRK: RSA (default) or ECC."),
+	N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, "
 +	   "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, "
 +	   "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
 +	   "(default is RSA2048)"),
 +    },
 +    /* NV Index-mode options */
 +    {
@ -696,7 +755,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
+      inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits;
 +      inPublic.publicArea.parameters.rsaDetail.exponent = 0;
 +    }
 +  else if (ctx->asymmetric == TPM_ALG_ECC)
@ -705,7 +764,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+      inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve;
 +      inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 +    }
 +  else
@ -977,10 +1036,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  /* Get the SRK to unseal the sealed key */
 +  err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle);
 +  if (err != GRUB_ERR_NONE)
-+    {
+    goto exit1;
 +      grub_error (err, N_("Failed to retrieve the SRK"));
 +      goto exit1;
 +    }
 +
 +  /* Load the sealed key and associate it with the SRK */
 +  authCmd.sessionHandle = TPM_RS_PW;
@ -1148,7 +1204,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +	ctx->srk = TPM2_SRK_HANDLE;
 +
 +      if (!ctx->asymmetric)
-+	ctx->asymmetric = TPM_ALG_RSA;
+        {
 +	  ctx->asymmetric = TPM_ALG_RSA;
 +	  ctx->rsa_bits = 2048;
 +        }
 +    }
 +
 +  return GRUB_ERR_NONE;
@ -1252,7 +1311,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  if (state[OPTION_ASYMMETRIC].set)  /* asymmetric */
 +    {
 +      err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg,
-+						  &grub_tpm2_protector_ctx.asymmetric);
+						  &grub_tpm2_protector_ctx.asymmetric,
 +						  &grub_tpm2_protector_ctx.rsa_bits,
 +						  &grub_tpm2_protector_ctx.ecc_curve);
 +      if (err != GRUB_ERR_NONE)
 +	return err;
 +    }
@ -1325,6 +1386,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  grub_unregister_extcmd (grub_tpm2_protector_clear_cmd);
 +  grub_unregister_extcmd (grub_tpm2_protector_init_cmd);
 +}
 diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
 new file mode 100644
 index 000000000..e3b6a03e0
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key.asn
@@ -0,0 +1,31 @@
@ -1359,6 +1423,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +}
 +
 +END
 diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
 new file mode 100644
 index 000000000..62f6d865b
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key.c
@@ -0,0 +1,440 @@
@ -1802,6 +1869,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      grub_free (authpol);
 +    }
 +}
 diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c
 new file mode 100644
 index 000000000..551fc46ec
 --- /dev/null
 +++ b/grub-core/tpm2/tpm2key_asn1_tab.c
@@ -0,0 +1,41 @@
@ -1846,9 +1916,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  { "privkey", 7, NULL },
 +  { NULL, 0, NULL }
 +};
 diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h
 new file mode 100644
 index 000000000..58d13e031
 --- /dev/null
 +++ b/include/grub/tpm2/internal/args.h
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,41 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@ -1879,7 +1952,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +
 +grub_err_t
 +grub_tpm2_protector_parse_asymmetric (const char *value,
-+				      TPM_ALG_ID *asymmetric);
+				      TPM_ALG_ID *asymmetric,
 +				      TPM_KEY_BITS *rsa_bits,
 +				      TPM_ECC_CURVE *ecc_curve);
 +
 +grub_err_t
 +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank);
@ -1888,6 +1963,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE *handle);
 +
 +#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
 diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h
 new file mode 100644
 index 000000000..df46203e3
 --- /dev/null
 +++ b/include/grub/tpm2/tpm2key.h
@@ -0,0 +1,83 @@
@ -1974,3 +2052,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq);
 +
 +#endif /* GRUB_TPM2_TPM2KEY_HEADER */
 -- 
 2.35.3
--- a/0005-util-grub-protect-Add-new-tool.patch
+++ b/0005-util-grub-protect-Add-new-tool.patch
@ -1,7 +1,7 @@
-From 38ebade1341ee99593568d97e0300f5b6aa626f3 Mon Sep 17 00:00:00 2001
+From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hegatta@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:57 -0800
-Subject: [PATCH 5/5] util/grub-protect: Add new tool
+Subject: [PATCH v6 12/20] util/grub-protect: Add new tool
 To utilize the key protectors framework, there must be a way to protect
 full-disk encryption keys in the first place. The grub-protect tool
@ -15,8 +15,8 @@ a new LUKS key slot for this key. Then, the user invokes the grub-protect
 tool to seal this key file to a set of PCRs using the system's TPM 2.0.
 The resulting sealed key file is stored in an unencrypted partition such
 as the EFI System Partition (ESP) so that GRUB may read it. The user also
-ensures the cryptomount command is included in GRUB's boot script and
+has to ensure the cryptomount command is included in GRUB's boot script
-that it carries the requisite key protector (-P) parameter.
+and that it carries the requisite key protector (-P) parameter.
 Sample usage:
@ -41,14 +41,12 @@ $ sudo grub-protect --action=add \
 Then, in the boot script, for TPM 2.0 Key File:
 tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
-cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
+cryptomount -u <SDB1_UUID> -P tpm2
 Or, for the raw sealed key:
 tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key
-cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
+cryptomount -u <SDB1_UUID> -P tpm2
 where the UUID corresponds to /dev/sdb1.
 Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
 Signed-off-by: Gary Lin <glin@suse.com>
@ -56,13 +54,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
 .gitignore          |    2 +
 Makefile.util.def   |   22 +
 configure.ac        |    9 +
- util/grub-protect.c | 1508 +++++++++++++++++++++++++++++++++++++++++++
+ util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++
- 4 files changed, 1541 insertions(+)
+ 4 files changed, 1557 insertions(+)
 create mode 100644 util/grub-protect.c
--- a/Makefile.util.def
+Index: grub-2.12~rc1/Makefile.util.def
-+++ b/Makefile.util.def
+===================================================================
-@@ -208,6 +208,28 @@
+--- grub-2.12~rc1.orig/Makefile.util.def
 +++ grub-2.12~rc1/Makefile.util.def
@@ -208,6 +208,28 @@ program = {
 };
 program = {
@ -91,9 +91,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
   name = grub-mkrelpath;
   mansection = 1;
--- a/configure.ac
+Index: grub-2.12~rc1/configure.ac
-+++ b/configure.ac
+===================================================================
-@@ -76,6 +76,7 @@
+--- grub-2.12~rc1.orig/configure.ac
 +++ grub-2.12~rc1/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
 grub_TRANSFORM([grub-mkrelpath])
 grub_TRANSFORM([grub-mkrescue])
 grub_TRANSFORM([grub-probe])
@ -101,7 +103,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 grub_TRANSFORM([grub-reboot])
 grub_TRANSFORM([grub-script-check])
 grub_TRANSFORM([grub-set-default])
-@@ -1992,6 +1993,14 @@
+@@ -1992,6 +1993,14 @@ fi
 AC_SUBST([LIBZFS])
 AC_SUBST([LIBNVPAIR])
@ -116,9 +118,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
 LIBS=""
 AC_SUBST([FONT_SOURCE])
 Index: grub-2.12~rc1/util/grub-protect.c
 ===================================================================
 --- /dev/null
-+++ b/util/grub-protect.c
+++ grub-2.12~rc1/util/grub-protect.c
-@@ -0,0 +1,1508 @@
+@@ -0,0 +1,1524 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
@ -227,6 +231,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +  grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
 +  grub_uint8_t tpm2_pcr_count;
 +  TPM_ALG_ID tpm2_asymmetric;
 +  TPM_KEY_BITS rsa_bits;
 +  TPM_ECC_CURVE ecc_curve;
 +  TPM_ALG_ID tpm2_bank;
 +  TPM_HANDLE tpm2_srk;
 +  const char *tpm2_keyfile;
@ -280,11 +286,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +    {
 +      .name = "tpm2-bank",
 +      .key  = GRUB_PROTECT_OPT_TPM2_BANK,
-+      .arg   = "SHA1|SHA256|SHA384",
+      .arg   = "ALG",
 +      .flags = 0,
 +      .doc   =
 +	N_("Bank of PCRs used to authorize key release: "
-+	   "SHA1, SHA256 (default), or SHA384."),
+	   "SHA1, SHA256 (default), or SHA512."),
 +      .group = 0
 +    },
 +    {
@ -319,10 +325,13 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +    {
 +      .name = "tpm2-asymmetric",
 +      .key   = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC,
-+      .arg   = "RSA|ECC",
+      .arg   = "TYPE",
 +      .flags = 0,
 +      .doc   =
-+	N_("The type of SRK: RSA (default) or ECC."),
+	N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
 +	   "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, "
 +	   "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
 +	   "(default is RSA2048)"),
 +      .group = 0
 +    },
 +    {
@ -648,6 +657,13 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
 +      hash_spec = GRUB_MD_SHA256;
 +      break;
 +    case TPM_ALG_SHA512:
 +      pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
 +      hash_spec = GRUB_MD_SHA512;
 +      break;
 +    /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(),
 +       it's not supported by the built-in libgcrypt, and we won't be able to
 +       calculate the PCR digest, so SHA384 is marked as unsupported. */
 +    default:
 +      return GRUB_ERR_BAD_ARGUMENT;
 +    }
@ -797,7 +813,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
+      inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits;
 +      inPublic.publicArea.parameters.rsaDetail.exponent = 0;
 +      break;
 +
@ -806,7 +822,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +      inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
 +      inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
 +      inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
-+      inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+      inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve;
 +      inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 +      break;
 +
@ -1257,7 +1273,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +	args->tpm2_srk = TPM2_SRK_HANDLE;
 +
 +      if (args->tpm2_asymmetric == TPM_ALG_ERROR)
-+	args->tpm2_asymmetric = TPM_ALG_RSA;
+	{
 +	  args->tpm2_asymmetric = TPM_ALG_RSA;
 +	  args->rsa_bits = 2048;
 +	}
 +
 +      if (args->tpm2_bank == TPM_ALG_ERROR)
 +	args->tpm2_bank = TPM_ALG_SHA256;
@ -1426,7 +1445,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
 +	  return EINVAL;
 +	}
 +
-+      err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric);
+      err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric,
 +						  &args->rsa_bits, &args->ecc_curve);
 +      if (err != GRUB_ERR_NONE)
 +	{
 +	  if (grub_errno != GRUB_ERR_NONE)
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,29 @@
 -------------------------------------------------------------------
 Thu Oct  5 09:49:54 UTC 2023 - Fabian Vogt <fvogt@suse.com>
 - Add patch to fix reading files from btrfs with "implicit" holes:
  * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
 -------------------------------------------------------------------
 Mon Oct  2 14:30:49 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
 - Update the TPM 2.0 patches to support more RSA and ECC algorithms
  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
  * 0003-protectors-Add-TPM2-Key-Protector.patch
  * 0005-util-grub-protect-Add-new-tool.patch
 -------------------------------------------------------------------
 Mon Oct  2 08:11:56 UTC 2023 - Michael Chang <mchang@suse.com>
 - Remove build require for gcc-32bit, target platform didn't rely on libgcc
  function shipped with compiler but rather using functions supplied in grub
  directly.
 -------------------------------------------------------------------
 Fri Sep 29 08:38:13 UTC 2023 - Fabian Vogt <fvogt@suse.com>
 - Add BuildIgnore to break cycle with the branding package
 -------------------------------------------------------------------
 Wed Sep 27 03:37:10 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
--- a/grub2.spec
+++ b/grub2.spec
@ -28,14 +28,6 @@
 %endif
 Name:           grub2
 %ifarch x86_64 ppc64
 BuildRequires:  gcc-32bit
 BuildRequires:  glibc-32bit
 BuildRequires:  glibc-devel-32bit
 %else
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
 %endif
 BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  device-mapper-devel
@ -43,6 +35,8 @@ BuildRequires:  fdupes
 BuildRequires:  flex
 BuildRequires:  freetype2-devel
 BuildRequires:  fuse-devel
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
 %if 0%{?suse_version} >= 1140
 BuildRequires:  dejavu-fonts
 BuildRequires:  gnu-unifont
@ -157,6 +151,9 @@ BuildRequires:  update-bootloader-rpm-macros
 %endif
 %ifarch %{efi}
 # The branding package requires grub2. It's not necessary here,
 # so break the dep to avoid a cycle.
 #!BuildIgnore: grub2
 BuildRequires:  grub2-branding
 BuildRequires:  squashfs
 %endif
@ -383,6 +380,7 @@ Patch187:       0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
 Patch188:       0004-diskfilter-look-up-cryptodisk-devices-first.patch
 Patch189:       grub2-mkconfig-riscv64.patch
 Patch190:       arm64-Use-proper-memory-type-for-kernel-allocation.patch
 Patch191:       0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140