pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1174325 from home:gary_lin:branches:Base:System

Browse Source 
- Update to the latest upstreaming TPM2 patches
  * 0001-key_protector-Add-key-protectors-framework.patch
    - Replace 0001-protectors-Add-key-protectors-framework.patch
  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
    - Merge other TSS patches
      * 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
      * 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
      * 0003-tpm2-Implement-more-TPM2-commands.patch
  * 0003-key_protector-Add-TPM2-Key-Protector.patch
    - Replace 0003-protectors-Add-TPM2-Key-Protector.patch
  * 0004-cryptodisk-Support-key-protectors.patch
  * 0005-util-grub-protect-Add-new-tool.patch
  * 0001-tpm2-Support-authorized-policy.patch
    - Replace 0004-tpm2-Support-authorized-policy.patch
  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
  * 0001-tpm2-Implement-NV-index.patch
    - Replace 0001-protectors-Implement-NV-index.patch
  * 0002-cryptodisk-Fallback-to-passphrase.patch
  * 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
  * 0004-diskfilter-look-up-cryptodisk-devices-first.patch
- Refresh affected patches
  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
- New manpage for grub2-protect

OBS-URL: https://build.opensuse.org/request/show/1174325
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=504
This commit is contained in:
Michael Chang 2024-05-16 07:26:55 +00:00 committed by Git OBS Bridge
parent cdfe0d404b
commit 53da76e569
18 changed files with 1959 additions and 1852 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
0001-Improve-TPM-key-protection-on-boot-interruptions.patch
View File

@ -1,7 +1,7 @@
From fe7ed9104cef56f9e532a0c9a7164393d5d69ae1 Mon Sep 17 00:00:00 2001
From 27b3e919b9b51a4fedeb3a5aef19c87f0cd7b687 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 17 Nov 2023 12:32:59 +0800
Subject: [PATCH 1/4] Improve TPM key protection on boot interruptions
Subject: [PATCH] Improve TPM key protection on boot interruptions
The unattended boot process for full disk encryption relies on an
authorized TPM policy to ensure the system's integrity before releasing
@ -125,7 +125,7 @@ index c2217ca98..9397bede9 100644
static grub_command_t cmd;
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index c79d4125a..d90ca06dc 100644
index aa0d43562..babc94868 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name,
@ -139,14 +139,14 @@ index c79d4125a..d90ca06dc 100644
dev = grub_cryptodisk_get_by_source_disk (source);
@@ -1183,6 +1186,9 @@ grub_cryptodisk_scan_device_real (const char *name,
ret = grub_cryptodisk_insert (dev, name, source);
if (ret != GRUB_ERR_NONE)
goto error;
ret = grub_cryptodisk_insert (dev, name, source);
if (ret != GRUB_ERR_NONE)
goto error;
+#ifndef GRUB_UTIL
+ is_tpmkey = 1;
+ is_tpmkey = 1;
+#endif
goto cleanup;
}
goto cleanup;
}
}
@@ -1244,7 +1250,7 @@ grub_cryptodisk_scan_device_real (const char *name,
@ -282,5 +282,5 @@ index 113c53cfc..f86404686 100644
+grub_cryptokey_tpmkey_discard (void);
#endif /* ! GRUB_CRYPTTAB_HEADER */
--
2.42.1
2.35.3

86
0001-protectors-Add-key-protectors-framework.patch → 0001-key_protector-Add-key-protectors-framework.patch
View File

@ -1,7 +1,7 @@
From 5affde982dea827580e36ccc658e439397f51ce8 Mon Sep 17 00:00:00 2001
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:53 -0800
Subject: [PATCH 1/5] protectors: Add key protectors framework
Subject: [PATCH 1/5] key_protector: Add key protectors framework
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
@ -15,40 +15,53 @@ invoking a key protector by name. If a key protector with the specified
name exists and if an unlocking key is successfully retrieved by it, the
function returns to the caller the retrieved key and its length.
Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/protectors.c | 75 +++++++++++++++++++++++++++++++++++++
include/grub/protector.h | 48 ++++++++++++++++++++++++
4 files changed, 125 insertions(+)
create mode 100644 grub-core/kern/protectors.c
create mode 100644 include/grub/protector.h
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 5 +++
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
include/grub/key_protector.h | 46 ++++++++++++++++++++
4 files changed, 130 insertions(+)
create mode 100644 grub-core/disk/key_protector.c
create mode 100644 include/grub/key_protector.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index f18550c1c..9d3d5f519 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@
@@ -90,6 +90,7 @@ endif
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/protector.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index bc893e547..4307b8e2d 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -149,6 +149,7 @@
common = kern/misc.c;
common = kern/parser.c;
common = kern/partition.c;
+ common = kern/protectors.c;
common = kern/rescue_parser.c;
common = kern/rescue_reader.c;
common = kern/term.c;
@@ -1302,6 +1302,11 @@ module = {
common = disk/raid6_recover.c;
};
+module = {
+ name = key_protector;
+ common = disk/key_protector.c;
+};
+
module = {
name = scsi;
common = disk/scsi.c;
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
new file mode 100644
index 000000000..b84afe1c7
--- /dev/null
+++ b/grub-core/kern/protectors.c
@@ -0,0 +1,75 @@
+++ b/grub-core/disk/key_protector.c
@@ -0,0 +1,78 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -67,17 +80,20 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/dl.h>
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+struct grub_key_protector *grub_key_protectors = NULL;
+
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector)
+{
+ if (protector == NULL || protector->name == NULL || grub_strlen(protector->name) == 0)
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ if (grub_key_protectors &&
@ -124,9 +140,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
+
+ return kp->recover_key (key, key_size);
+}
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
new file mode 100644
index 000000000..6e6a6fb24
--- /dev/null
+++ b/include/grub/protector.h
@@ -0,0 +1,48 @@
+++ b/include/grub/key_protector.h
@@ -0,0 +1,46 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -161,17 +180,18 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size);
+};
+
+extern struct grub_key_protector *EXPORT_VAR (grub_key_protectors);
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_register) (struct grub_key_protector *protector);
+grub_key_protector_unregister (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_unregister) (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_recover_key) (const char *protector,
+ grub_uint8_t **key,
+ grub_size_t *key_size);
+grub_key_protector_recover_key (const char *protector,
+ grub_uint8_t **key,
+ grub_size_t *key_size);
+
+#endif /* ! GRUB_PROTECTOR_HEADER */
--
2.35.3

204
0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
View File

@ -1,204 +0,0 @@
From 5a417f32f1afe0ffca7f5cbff67145a157b1589b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 18:31:12 +0800
Subject: [PATCH 1/4] tpm2: Add TPM2 types, structures, and command constants
Add new TPM2 types and structures as the preparation to support
authorized policy.
* New types:
TPM_ALG_ECDAA, TPM_ALG_ECDSA, TPM_ALG_ECSCHNORR, TPM_ALG_RSASSA,
TPM_ALG_RSAPSS, TPM_ALG_SM2, and TPMI_ALG_SIG_SCHEME
* New structures:
TPMS_EMPTY, TPMS_SIGNATURE_RSA, TPMS_SIGNATURE_ECC,
TPMS_SIGNATURE_ECDSA, TPMS_SIGNATURE_ECDAA, TPMS_SIGNATURE_SM2,
TPMS_SIGNATURE_ECSCHNORR, TPMU_SIGNATURE, and TPMT_TK_VERIFIED
* New command constants:
TPM_CC_LoadExternal, TPM_CC_HashSequenceStart, TPM_CC_SequenceUpdate,
TPM_CC_SequenceComplete, TPM_CC_Hash, TPM_CC_VerifySignature,
TPM_CC_PolicyAuthorize
Signed-off-by: Gary Lin <glin@suse.com>
---
include/grub/tpm2/internal/structs.h | 86 ++++++++++++++++++++++++++++
include/grub/tpm2/internal/types.h | 42 +++++++++-----
2 files changed, 114 insertions(+), 14 deletions(-)
diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
index 72d71eb70..db9eb6cf6 100644
--- a/include/grub/tpm2/internal/structs.h
+++ b/include/grub/tpm2/internal/structs.h
@@ -672,4 +672,90 @@ struct TPMT_TK_CREATION
};
typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
+/* TPMS_EMPTY Structure */
+struct TPMS_EMPTY {
+ grub_uint8_t empty[1]; /* a structure with no member */
+};
+typedef struct TPMS_EMPTY TPMS_EMPTY;
+
+/* TPMS_SIGNATURE_RSA Structure */
+struct TPMS_SIGNATURE_RSA {
+ TPMI_ALG_HASH hash;
+ TPM2B_PUBLIC_KEY_RSA sig;
+};
+typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA;
+
+/* Definition of Types for RSA Signature */
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA;
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS;
+
+/* TPMS_SIGNATURE_ECC Structure */
+struct TPMS_SIGNATURE_ECC {
+ TPMI_ALG_HASH hash;
+ TPM2B_ECC_PARAMETER signatureR;
+ TPM2B_ECC_PARAMETER signatureS;
+};
+typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC;
+
+/* Definition of Types for ECC TPMS_SIGNATURE_ECC */
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR;
+
+/* TPMU_SIGNATURE Structure */
+union TPMU_SIGNATURE {
+ TPMS_SIGNATURE_RSASSA rsassa;
+ TPMS_SIGNATURE_RSAPSS rsapss;
+ TPMS_SIGNATURE_ECDSA ecdsa;
+ TPMS_SIGNATURE_ECDAA ecdaa;
+ TPMS_SIGNATURE_SM2 sm2;
+ TPMS_SIGNATURE_ECSCHNORR ecschnorr;
+ TPMT_HA hmac;
+ TPMS_SCHEME_HASH any;
+ TPMS_EMPTY null;
+};
+typedef union TPMU_SIGNATURE TPMU_SIGNATURE;
+
+/* TPMT_SIGNATURE Structure */
+struct TPMT_SIGNATURE {
+ TPMI_ALG_SIG_SCHEME sigAlg;
+ TPMU_SIGNATURE signature;
+};
+typedef struct TPMT_SIGNATURE TPMT_SIGNATURE;
+
+static inline TPMI_ALG_HASH
+TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig)
+{
+ switch (sig->sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ return sig->signature.rsassa.hash;
+ case TPM_ALG_RSAPSS:
+ return sig->signature.rsapss.hash;
+ case TPM_ALG_ECDSA:
+ return sig->signature.ecdsa.hash;
+ case TPM_ALG_ECDAA:
+ return sig->signature.ecdaa.hash;
+ case TPM_ALG_SM2:
+ return sig->signature.sm2.hash;
+ case TPM_ALG_ECSCHNORR:
+ return sig->signature.ecschnorr.hash;
+ case TPM_ALG_HMAC:
+ return sig->signature.hmac.hashAlg;
+ default:
+ break;
+ }
+
+ return TPM_ALG_NULL;
+}
+
+/* TPMT_TK_VERIFIED Structure */
+struct TPMT_TK_VERIFIED {
+ TPM_ST tag;
+ TPMI_RH_HIERARCHY hierarchy;
+ TPM2B_DIGEST digest;
+};
+typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED;
+
#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
index 9714f75d4..a1902ef0c 100644
--- a/include/grub/tpm2/internal/types.h
+++ b/include/grub/tpm2/internal/types.h
@@ -181,6 +181,9 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043)
#define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044)
#define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023)
+#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A)
+#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018)
+#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C)
#define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005)
#define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022)
#define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020)
@@ -189,10 +192,13 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007)
#define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010)
#define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001)
+#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014)
+#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016)
#define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004)
#define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B)
#define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C)
#define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D)
+#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B)
#define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012)
#define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013)
#define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025)
@@ -299,20 +305,27 @@ typedef grub_uint16_t TPM2_ECC_CURVE;
/* TPM_CC Constants */
typedef grub_uint32_t TPM_CC;
-#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
-#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
-#define TPM_CC_Create ((TPM_CC) 0x00000153)
-#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
-#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
-#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
-#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
-#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
-#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
-#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
-#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
-#define TPM_CC_Load ((TPM_CC) 0x00000157)
-#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
-#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
+#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
+#define TPM_CC_Create ((TPM_CC) 0x00000153)
+#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
+#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
+#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
+#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
+#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
+#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
+#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
+#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
+#define TPM_CC_Load ((TPM_CC) 0x00000157)
+#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167)
+#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
+#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_HashSequenceStart ((TPM_CC) 0x00000186)
+#define TPM_CC_SequenceUpdate ((TPM_CC) 0x0000015c)
+#define TPM_CC_SequenceComplete ((TPM_CC) 0x0000013e)
+#define TPM_CC_Hash ((TPM_CC) 0x0000017d)
+#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177)
+#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a)
/* Hash algorithm sizes */
#define TPM_SHA1_DIGEST_SIZE 20
@@ -354,6 +367,7 @@ typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_SYM;
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
/* TPM_KEY_BITS Type */
typedef grub_uint16_t TPM_KEY_BITS;
--
2.35.3

97
0001-tpm2-Add-extra-RSA-SRK-types.patch Normal file
View File

@ -0,0 +1,97 @@
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types
Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
to support those parameters.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/args.c | 12 ++++++++++++
grub-core/tpm2/module.c | 16 ++++++++++++++--
util/grub-protect.c | 4 ++--
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
index c11280ab9..d140364d2 100644
--- a/grub-core/tpm2/args.c
+++ b/grub-core/tpm2/args.c
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
srk_type->type = TPM_ALG_RSA;
srk_type->detail.rsa_bits = 2048;
}
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 4096;
+ }
else
return grub_error (GRUB_ERR_OUT_OF_RANGE,
N_("Value '%s' is not a valid asymmetric key type"),
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index b754b38df..8b72ed6fa 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
.arg = NULL,
.type = ARG_TYPE_STRING,
.doc =
- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
- "(default: ECC)"),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
},
/* NV Index-mode options */
{
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
{
case 2048:
return "RSA2048";
+ case 3072:
+ return "RSA3072";
+ case 4096:
+ return "RSA4096";
}
}
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
.type = TPM_ALG_ECC,
.detail.ecc_curve = TPM_ECC_NIST_P256,
},
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 4096,
+ },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 3072,
+ },
{
.type = TPM_ALG_RSA,
.detail.rsa_bits = 2048,
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 869f45861..00be03ca0 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
.arg = "TYPE",
.flags = 0,
.doc =
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
- "(default: ECC)"),
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
.group = 0
},
{
--
2.35.3

12
0001-protectors-Implement-NV-index.patch → 0001-tpm2-Implement-NV-index.patch
View File

@ -1,7 +1,7 @@
From c3efb4ecbe91b63c127b92122dad3fa53d4efc69 Mon Sep 17 00:00:00 2001
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.colp@oracle.com>
Date: Mon, 31 Jul 2023 07:01:45 -0700
Subject: [PATCH 1/4] protectors: Implement NV index
Subject: [PATCH 1/4] tpm2: Implement NV index
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
@ -16,7 +16,7 @@ An example of inserting a key using tpm2-tools:
tpm2_getrandom 32 > key.dat
# Create primary object.
tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx
# Create policy object. `pcrs.dat` contains the PCR values to seal against.
tpm2_startauthsession -S session.dat
@ -34,15 +34,17 @@ Then to unseal the key in grub, add this to grub.cfg:
cryptomount -u <UUID> --protector tpm2
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index 5274296b7..d3a64187a 100644
index e83b02865..b754b38df 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -757,12 +757,27 @@ static grub_err_t
@@ -1035,12 +1035,27 @@ static grub_err_t
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
grub_uint8_t **key, grub_size_t *key_size)
{

15
0004-tpm2-Support-authorized-policy.patch → 0001-tpm2-Support-authorized-policy.patch
View File

@ -1,7 +1,7 @@
From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH v7 16/20] tpm2: Support authorized policy
Subject: [PATCH] tpm2: Support authorized policy
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
@ -43,12 +43,12 @@ commands:
--after \
--input sealed.key \
--output sealed.tpm \
sign 0,2,4,7.9
sign 0,2,4,7,9
Then specify the key file and the key protector to grub.cfg in the EFI
system partition:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u <PART_UUID> -P tpm2
For any change in the boot components, just run the 'sign' command again
@ -59,15 +59,16 @@ with the updated PCR policy.
(*2) https://github.com/okirch/pcr-oracle
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index df0727215..0cbfd06e8 100644
index 3db25ceca..e83b02865 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
return GRUB_ERR_NONE;
}
@ -155,7 +156,7 @@ index df0727215..0cbfd06e8 100644
static grub_err_t
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
{
@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
case TPM_CC_PolicyPCR:
err = grub_tpm2_protector_policypcr (session, &buf);
break;

8
0002-cryptodisk-Fallback-to-passphrase.patch
View File

@ -1,4 +1,4 @@
From 7cc578baf26986c2badce998125b429a2aeb4d33 Mon Sep 17 00:00:00 2001
From e62b26f9765e309691e014f322d4b02b220956a1 Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.colp@oracle.com>
Date: Sun, 30 Jul 2023 12:58:18 -0700
Subject: [PATCH 2/4] cryptodisk: Fallback to passphrase
@ -10,15 +10,17 @@ the protector(s) failed. Later code (e.g., LUKS code) fails as
proceeding with the passphrase.
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/cryptodisk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6620fca00..cf37a0934 100644
index af4104178..f9842f776 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1191,11 +1191,16 @@ grub_cryptodisk_scan_device_real (const char *name,
@@ -1193,11 +1193,16 @@ grub_cryptodisk_scan_device_real (const char *name,
source->name, source->partition != NULL ? "," : "",
part != NULL ? part : N_("UNKNOWN"), dev->uuid);
grub_free (part);

1232
0002-tpm2-Add-TPM-Software-Stack-TSS.patch
View File

File diff suppressed because it is too large Load Diff

427
0002-tpm2-Add-more-marshal-unmarshal-functions.patch
View File

@ -1,427 +0,0 @@
From 1d34522075949581ccb34a08dd73607566517824 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 18:33:42 +0800
Subject: [PATCH 2/4] tpm2: Add more marshal/unmarshal functions
Add a few more marshal/unmarshal functions to support authorized policy.
* Marshal:
grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal()
grub_tpm2_mu_TPMT_SENSITIVE_Marshal()
grub_tpm2_mu_TPM2B_SENSITIVE_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal()
grub_tpm2_mu_TPMU_HA_Marshal()
grub_tpm2_mu_TPMT_HA_Marshal()
grub_tpm2_mu_TPMU_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal()
* Unmarshal:
grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal()
grub_tpm2_mu_TPMU_HA_Unmarshal()
grub_tpm2_mu_TPMT_HA_Unmarshal()
grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal()
grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal()
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/mu.c | 262 +++++++++++++++++++++++++++++++++++++++++
include/grub/tpm2/mu.h | 75 ++++++++++++
2 files changed, 337 insertions(+)
diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
index 1617f37cd..3a9a3c1be 100644
--- a/grub-core/tpm2/mu.c
+++ b/grub-core/tpm2/mu.c
@@ -383,6 +383,49 @@ grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Marshal (buffer, p->data.size, p->data.buffer);
}
+void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p)
+{
+ switch(type)
+ {
+ case TPM_ALG_RSA:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer);
+ break;
+ case TPM_ALG_ECC:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer);
+ break;
+ case TPM_ALG_KEYEDHASH:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer);
+ break;
+ case TPM_ALG_SYMCIPHER:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer);
+ break;
+ default:
+ buffer->error = 1;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer);
+ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType,
+ &p->sensitive);
+}
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPM2B_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->size);
+ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea);
+}
+
void
grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate)
@@ -405,6 +448,113 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_buffer_pack_u16 (buffer, 0);
}
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_RSA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_ECC *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]);
+ break;
+ case TPM_ALG_SHA256:
+ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]);
+ break;
+ case TPM_ALG_SHA384:
+ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]);
+ break;
+ case TPM_ALG_SHA512:
+ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_HA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->tag);
+ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer);
+}
+
void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer,
TPM2B* p)
@@ -775,6 +925,24 @@ grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
}
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_HASHCHECK *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection)
@@ -805,3 +973,97 @@ grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
for (grub_uint32_t i = 0; i < digest->count; i++)
grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_RSA *rsa)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_ECC *ecc)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureR);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureS);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA256:
+ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA384:
+ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA512:
+ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_HA *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Unmarshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (buffer, p->sigAlg, &p->signature);
+}
diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
index c545976db..afb842ab5 100644
--- a/include/grub/tpm2/mu.h
+++ b/include/grub/tpm2/mu.h
@@ -147,6 +147,47 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate);
void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p);
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPM2B_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_TK_VERIFIED *p);
+void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buf,
TPM2B* p);
@@ -277,6 +318,14 @@ void
grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buf,
TPMT_TK_CREATION *p);
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_HASHCHECK *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_VERIFIED *p);
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection);
@@ -289,4 +338,30 @@ void
grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
TPML_DIGEST* digest);
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_SIGNATURE *p);
+
#endif /* ! GRUB_TPM2_MU_HEADER */
--
2.35.3

8
0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
View File

@ -1,4 +1,4 @@
From 64494ffc442a5de05b237ad48d27c70d22849a44 Mon Sep 17 00:00:00 2001
From 370e435b6ada53314888f04dcd8f096fc11cfadb Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 3 Aug 2023 15:52:52 +0800
Subject: [PATCH 3/4] cryptodisk: wipe out the cached keys from protectors
@ -9,16 +9,18 @@ protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wipe out the cached key when we don't need it.
Cc: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/cryptodisk.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index cf37a0934..f42437f4e 100644
index f9842f776..aa0d43562 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1348,7 +1348,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
@@ -1355,7 +1355,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
return;
for (i = 0; cargs->protectors[i]; i++)

565
0003-protectors-Add-TPM2-Key-Protector.patch → 0003-key_protector-Add-TPM2-Key-Protector.patch
View File

@ -1,7 +1,7 @@
From 2a63876ca714d177f919b2392d8efa0e3bd3ebe2 Mon Sep 17 00:00:00 2001
From 2cb2b00028ca7f43fc069472fbad7b9f129ec24b Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:55 -0800
Subject: [PATCH v7 10/20] protectors: Add TPM2 Key Protector
Subject: [PATCH 3/5] key_protector: Add TPM2 Key Protector
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
@ -36,6 +36,8 @@ is mandatory. There are two supported key formats:
policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
secret [2] EXPLICIT OCTET STRING OPTIONAL
authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL
description [4] EXPLICIT UTF8String OPTIONAL,
rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
parent INTEGER
pubkey OCTET STRING
privkey OCTET STRING
@ -109,22 +111,24 @@ TPM 2.0 Key file without 'authPolicy' and 'policy', so the "TPMPolicy"
sequence is always based on the PCR selection from the command
parameters.
Currently, there is only one supported policy command: TPM2_PolicyPCR.
The command set can be extended to support advanced features, such as
authorized policy, in the future.
This commit only supports one policy command: TPM2_PolicyPCR. The
command set will be extended to support advanced features, such as
authorized policy, in the later commits.
Cc: Stefan Berger <stefanb@linux.ibm.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/Makefile.core.def | 13 +
grub-core/tpm2/args.c | 177 +++++
grub-core/tpm2/module.c | 1028 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 31 +
grub-core/tpm2/tpm2key.c | 447 +++++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
include/grub/tpm2/internal/args.h | 41 ++
include/grub/tpm2/tpm2key.h | 83 +++
8 files changed, 1861 insertions(+)
grub-core/tpm2/args.c | 140 ++++
grub-core/tpm2/module.c | 1226 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 33 +
grub-core/tpm2/tpm2key.c | 476 +++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 45 ++
include/grub/tpm2/internal/args.h | 49 ++
include/grub/tpm2/tpm2key.h | 86 ++
8 files changed, 2068 insertions(+)
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/tpm2key.asn
@ -134,10 +138,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
create mode 100644 include/grub/tpm2/tpm2key.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 5831d4265..38571119e 100644
index 4307b8e2d..a3c728442 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2553,6 +2553,19 @@ module = {
@@ -2612,6 +2612,19 @@ module = {
enable = efi;
};
@ -159,10 +163,10 @@ index 5831d4265..38571119e 100644
common = commands/tr.c;
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
new file mode 100644
index 000000000..274f4fef0
index 000000000..c11280ab9
--- /dev/null
+++ b/grub-core/tpm2/args.c
@@ -0,0 +1,177 @@
@@ -0,0 +1,140 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -243,56 +247,19 @@ index 000000000..274f4fef0
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve)
+ grub_srk_type_t *srk_type)
+{
+ if (grub_strcasecmp (value, "ECC") == 0 ||
+ grub_strcasecmp (value, "ECC_NIST_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P256;
+ srk_type->type = TPM_ALG_ECC;
+ srk_type->detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA2048") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 2048;
+ }
+ else if (grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 4096;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P384;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P521;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P256;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P638;
+ }
+ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_SM2_P256;
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 2048;
+ }
+ else
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
@ -342,10 +309,10 @@ index 000000000..274f4fef0
+}
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
new file mode 100644
index 000000000..df0727215
index 000000000..3db25ceca
--- /dev/null
+++ b/grub-core/tpm2/module.c
@@ -0,0 +1,1028 @@
@@ -0,0 +1,1226 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -371,7 +338,7 @@ index 000000000..df0727215
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
+#include <grub/tpm2/buffer.h>
+#include <grub/tpm2/internal/args.h>
+#include <grub/tpm2/internal/types.h>
@ -405,9 +372,7 @@ index 000000000..df0727215
+ grub_tpm2_protector_mode_t mode;
+ grub_uint8_t pcrs[TPM_MAX_PCRS];
+ grub_uint8_t pcr_count;
+ TPM_ALG_ID asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ grub_srk_type_t srk_type;
+ TPM_ALG_ID bank;
+ const char *tpm2key;
+ const char *keyfile;
@ -436,7 +401,7 @@ index 000000000..df0727215
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Comma-separated list of PCRs used to authorize key release "
+ "(e.g., '7,11', default is 7."),
+ "e.g., '7,11'. (default: 7)"),
+ },
+ {
+ .longarg = "bank",
@ -446,7 +411,7 @@ index 000000000..df0727215
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), SHA384 or SHA512."),
+ "SHA1, SHA256, SHA384 or SHA512. (default: SHA256)"),
+ },
+ /* SRK-mode options */
+ {
@ -456,8 +421,8 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Required in SRK mode, path to the key file in TPM 2.0 Key File Format "
+ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/secret.tpm)."),
+ N_("In SRK mode, path to the key file in the TPM 2.0 Key File format "
+ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.tpm)."),
+ },
+ {
+ .longarg = "keyfile",
@ -466,9 +431,9 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Required in SRK mode, path to the sealed key file to unseal using "
+ "the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed_key). "
+ "Use '-tpm2key' instead"),
+ N_("In SRK mode, path to the key file in the raw format to unseal "
+ "using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.key). "
+ "(Mainly for backward compatibility. Please use '--tpm2key'.)"),
+ },
+ {
+ .longarg = "srk",
@ -486,10 +451,8 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, "
+ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, "
+ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
+ "(default: ECC)"),
+ },
+ /* NV Index-mode options */
+ {
@ -567,7 +530,8 @@ index 000000000..df0727215
+ err = GRUB_ERR_NONE;
+
+error:
+ grub_file_close (file);
+ if (file != NULL)
+ grub_file_close (file);
+
+ return err;
+}
@ -589,7 +553,7 @@ index 000000000..df0727215
+ buf.size = sealed_key_size;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
+ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
+
+ if (buf.error)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key file"));
@ -602,10 +566,12 @@ index 000000000..df0727215
+ grub_size_t sealed_key_size,
+ tpm2key_policy_t *policy_seq,
+ tpm2key_authpolicy_t *authpol_seq,
+ grub_uint8_t *rsaparent,
+ grub_uint32_t *parent,
+ TPM2_SEALED_KEY *sk)
+{
+ asn1_node tpm2key = NULL;
+ grub_uint8_t rsaparent_tmp;
+ grub_uint32_t parent_tmp;
+ void *sealed_pub = NULL;
+ grub_size_t sealed_pub_size;
@ -622,6 +588,8 @@ index 000000000..df0727215
+ * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ * secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ * description [4] EXPLICIT UTF8String OPTIONAL,
+ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ * parent INTEGER,
+ * pubkey OCTET STRING,
+ * privkey OCTET STRING
@ -647,10 +615,25 @@ index 000000000..df0727215
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ /* Retrieve rsaParent */
+ err = grub_tpm2key_get_rsaparent (tpm2key, &rsaparent_tmp);
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ *rsaparent = rsaparent_tmp;
+
+ /* Retrieve the parent handle */
+ err = grub_tpm2key_get_parent (tpm2key, &parent_tmp);
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ /* The parent handle should be either PERMANENT or PERSISTENT. */
+ if (!TPM_HT_IS_PERMANENT (parent_tmp) && !TPM_HT_IS_PERSISTENT (parent_tmp))
+ {
+ err = GRUB_ERR_OUT_OF_RANGE;
+ goto error;
+ }
+
+ *parent = parent_tmp;
+
+ /* Retrieve the public part of the sealed key */
@ -679,7 +662,7 @@ index 000000000..df0727215
+ buf.offset = 0;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
+ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
+
+ if (buf.error)
+ {
@ -698,12 +681,31 @@ index 000000000..df0727215
+ return err;
+}
+
+/* Check if the SRK exists in the specified handle */
+static grub_err_t
+grub_tpm2_protector_srk_get (const struct grub_tpm2_protector_context *ctx,
+ TPM_HANDLE parent, TPM_HANDLE *srk)
+grub_tpm2_protector_srk_check (const TPM_HANDLE srk_handle)
+{
+ TPM_RC rc;
+ TPM2B_PUBLIC public;
+
+ /* Find SRK */
+ rc = TPM2_ReadPublic (srk_handle, NULL, &public);
+ if (rc == TPM_RC_SUCCESS)
+ return GRUB_ERR_NONE;
+
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic: 0x%x)"),
+ srk_handle, rc);
+}
+
+/* Get the SRK with the template */
+static grub_err_t
+grub_tpm2_protector_srk_get (const grub_srk_type_t srk_type,
+ const TPM_HANDLE parent,
+ TPM_HANDLE *srk_handle)
+{
+ TPM_RC rc;
+ TPMT_PUBLIC_PARMS parms = { 0 };
+ TPMS_AUTH_COMMAND authCommand = { 0 };
+ TPM2B_SENSITIVE_CREATE inSensitive = { 0 };
+ TPM2B_PUBLIC inPublic = { 0 };
@ -714,27 +716,10 @@ index 000000000..df0727215
+ TPM2B_DIGEST creationHash = { 0 };
+ TPMT_TK_CREATION creationTicket = { 0 };
+ TPM2B_NAME srkName = { 0 };
+ TPM_HANDLE srkHandle;
+ TPM_HANDLE tmp_handle = 0;
+
+ if (ctx->srk != 0)
+ {
+ /* Find SRK */
+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
+ if (rc == TPM_RC_SUCCESS)
+ {
+ *srk = ctx->srk;
+ return GRUB_ERR_NONE;
+ }
+
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to retrieve SRK (TPM2_ReadPublic: 0x%x)"),
+ rc);
+ }
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ inPublic.publicArea.type = ctx->asymmetric;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.type = srk_type.type;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.objectAttributes.restricted = 1;
+ inPublic.publicArea.objectAttributes.userWithAuth = 1;
+ inPublic.publicArea.objectAttributes.decrypt = 1;
@ -743,29 +728,42 @@ index 000000000..df0727215
+ inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+ inPublic.publicArea.objectAttributes.noDA = 1;
+
+ if (ctx->asymmetric == TPM_ALG_RSA)
+ if (srk_type.type == TPM_ALG_RSA)
+ {
+ inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = srk_type.detail.rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ }
+ else if (ctx->asymmetric == TPM_ALG_ECC)
+ else if (srk_type.type == TPM_ALG_ECC)
+ {
+ inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.curveID = srk_type.detail.ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ }
+ else
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm"));
+
+ /* Test the parameters before SRK generation */
+ parms.type = srk_type.type;
+ grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters,
+ sizeof (TPMU_PUBLIC_PARMS));
+
+ rc = TPM2_TestParms (&parms, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Unsupported SRK template (TPM2_TestParms: 0x%x)"),
+ rc);
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
+ &outsideInfo, &creationPcr, &srkHandle, &outPublic,
+ &outsideInfo, &creationPcr, &tmp_handle, &outPublic,
+ &creationData, &creationHash, &creationTicket,
+ &srkName, NULL);
+ if (rc != TPM_RC_SUCCESS)
@ -773,11 +771,177 @@ index 000000000..df0727215
+ N_("Could not create SRK (TPM2_CreatePrimary: 0x%x)"),
+ rc);
+
+ *srk = srkHandle;
+ *srk_handle = tmp_handle;
+
+ return GRUB_ERR_NONE;
+}
+
+/* Load the SRK from the persistent handle or create one with a given type of
+ template, and then associate the sealed key with the SRK
+ Return values:
+ * GRUB_ERR_NONE: Everything is fine.
+ * GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one.
+ * Other: Something went wrong.
+*/
+static grub_err_t
+grub_tpm2_protector_srk_load (const grub_srk_type_t srk_type,
+ const TPM2_SEALED_KEY *sealed_key,
+ const TPM_HANDLE parent,
+ TPM_HANDLE *sealed_handle,
+ TPM_HANDLE *srk_handle)
+{
+ TPMS_AUTH_COMMAND authCmd = { 0 };
+ TPM2B_NAME name = { 0 };
+ TPM_RC rc;
+ grub_err_t err;
+
+ if (srk_handle == NULL)
+ return GRUB_ERR_BUG;
+
+ if (*srk_handle != 0)
+ {
+ err = grub_tpm2_protector_srk_check (*srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+ else
+ {
+ err = grub_tpm2_protector_srk_get (srk_type, parent, srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
+ rc = TPM2_Load (*srk_handle, &authCmd, &sealed_key->private, &sealed_key->public,
+ sealed_handle, &name, NULL);
+ /* If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it
+ implies the wrong SRK is used. */
+ if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1))
+ {
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("SRK not matched"));
+ goto error;
+ }
+ else if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
+ rc);
+ goto error;
+ }
+
+ return GRUB_ERR_NONE;
+
+error:
+ if (!TPM_HT_IS_PERSISTENT (*srk_handle))
+ TPM2_FlushContext (*srk_handle);
+
+ return err;
+}
+
+static const char *
+srk_type_to_name (grub_srk_type_t srk_type)
+{
+ if (srk_type.type == TPM_ALG_ECC)
+ {
+ switch (srk_type.detail.ecc_curve)
+ {
+ case TPM_ECC_NIST_P256:
+ return "ECC_NIST_P256";
+ }
+ }
+ else if (srk_type.type == TPM_ALG_RSA)
+ {
+ switch (srk_type.detail.rsa_bits)
+ {
+ case 2048:
+ return "RSA2048";
+ }
+ }
+
+ return "Unknown";
+}
+
+static grub_err_t
+grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
+ const TPM2_SEALED_KEY *sealed_key,
+ const TPM_HANDLE parent_handle,
+ TPM_HANDLE *sealed_handle,
+ TPM_HANDLE *srk_handle)
+{
+ grub_err_t err;
+ int i;
+ grub_srk_type_t fallback_srks[] = {
+ {
+ .type = TPM_ALG_ECC,
+ .detail.ecc_curve = TPM_ECC_NIST_P256,
+ },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 2048,
+ },
+ {
+ .type = TPM_ALG_ERROR,
+ }
+ };
+
+ /* Try the given persistent SRK if exists */
+ if (*srk_handle != 0)
+ {
+ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_printf_ (N_("Trying the specified SRK algorithm: %s\n"),
+ srk_type_to_name (ctx->srk_type));
+ grub_errno = GRUB_ERR_NONE;
+ *srk_handle = 0;
+ }
+
+ /* Try the specified algorithm for the SRK template */
+ if (*srk_handle == 0)
+ {
+ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ *srk_handle = 0;
+ }
+
+ /* Try all the fallback SRK templates */
+ for (i = 0; fallback_srks[i].type != TPM_ALG_ERROR; i++)
+ {
+ /* Skip the specified algorithm */
+ if (fallback_srks[i].type == ctx->srk_type.type &&
+ (fallback_srks[i].detail.rsa_bits == ctx->srk_type.detail.rsa_bits ||
+ fallback_srks[i].detail.ecc_curve == ctx->srk_type.detail.ecc_curve))
+ continue;
+
+ grub_printf_ (N_("Trying fallback %s template\n"),
+ srk_type_to_name (fallback_srks[i]));
+
+ *srk_handle = 0;
+
+ err = grub_tpm2_protector_srk_load (fallback_srks[i], sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ }
+
+ return err;
+}
+
+static grub_err_t
+grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
+ struct grub_tpm2_buffer *cmd_buf)
@ -970,18 +1134,16 @@ index 000000000..df0727215
+grub_tpm2_protector_srk_recover (const struct grub_tpm2_protector_context *ctx,
+ grub_uint8_t **key, grub_size_t *key_size)
+{
+ TPMS_AUTH_COMMAND authCmd = { 0 };
+ TPM2_SEALED_KEY sealed_key = { 0 };
+ TPM2B_NAME name = { 0 };
+ void *file_bytes = NULL;
+ grub_size_t file_size = 0;
+ grub_uint8_t rsaparent = 0;
+ TPM_HANDLE parent_handle = 0;
+ TPM_HANDLE srk_handle = 0;
+ TPM_HANDLE sealed_handle = 0;
+ tpm2key_policy_t policy_seq = NULL;
+ tpm2key_authpolicy_t authpol = NULL;
+ tpm2key_authpolicy_t authpol_seq = NULL;
+ TPM_RC rc;
+ grub_err_t err;
+
+ /*
@ -999,10 +1161,21 @@ index 000000000..df0727215
+ file_size,
+ &policy_seq,
+ &authpol_seq,
+ &rsaparent,
+ &parent_handle,
+ &sealed_key);
+ if (err != GRUB_ERR_NONE)
+ goto exit1;
+
+ if (rsaparent == 1)
+ {
+ struct grub_tpm2_protector_context *ctx_w;
+
+ /* Overwrite the SRK type as noted in the key */
+ ctx_w = (struct grub_tpm2_protector_context *)ctx;
+ ctx_w->srk_type.type = TPM_ALG_RSA;
+ ctx_w->srk_type.detail.rsa_bits = 2048;
+ }
+ }
+ else
+ {
@ -1019,23 +1192,18 @@ index 000000000..df0727215
+ goto exit1;
+ }
+
+ /* Get the SRK to unseal the sealed key */
+ err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle);
+ /* Set the SRK handle if it is specified with '--srk' or inside the key file */
+ if (ctx->srk != 0)
+ srk_handle = ctx->srk;
+ else if (TPM_HT_IS_PERSISTENT (parent_handle))
+ srk_handle = parent_handle;
+
+ /* Load the sealed key into TPM and associate it with the SRK */
+ err = grub_tpm2_protector_load_key (ctx, &sealed_key, parent_handle,
+ &sealed_handle, &srk_handle);
+ if (err != GRUB_ERR_NONE)
+ goto exit1;
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
+ rc = TPM2_Load (srk_handle, &authCmd, &sealed_key.private, &sealed_key.public,
+ &sealed_handle, &name, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
+ rc);
+ goto exit2;
+ }
+
+ /*
+ * Set err to an error code to trigger the standalone policy sequence
+ * if there is no authpolicy sequence
@ -1071,7 +1239,7 @@ index 000000000..df0727215
+ {
+ err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+ if (err != GRUB_ERR_NONE)
+ goto exit3;
+ goto exit2;
+ }
+
+ err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
@ -1081,11 +1249,11 @@ index 000000000..df0727215
+ if (err == GRUB_ERR_NONE)
+ while (grub_error_pop ());
+
+exit3:
+exit2:
+ TPM2_FlushContext (sealed_handle);
+
+exit2:
+ TPM2_FlushContext (srk_handle);
+ if (!TPM_HT_IS_PERSISTENT (srk_handle))
+ TPM2_FlushContext (srk_handle);
+
+exit1:
+ grub_tpm2key_free_policy_seq (policy_seq);
@ -1143,19 +1311,19 @@ index 000000000..df0727215
+ ctx->mode = GRUB_TPM2_PROTECTOR_MODE_SRK;
+
+ /* Checks for SRK mode */
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile == NULL
+ && ctx->tpm2key == NULL)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ (ctx->keyfile == NULL && ctx->tpm2key == NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, a key file must be specified: "
+ "--tpm2key/-T or --keyfile/-k"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile
+ && ctx->tpm2key)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ (ctx->keyfile != NULL && ctx->tpm2key != NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, please specify a key file with "
+ "only --tpm2key/-T or --keyfile/-k"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, an NV Index cannot be specified"));
+
@ -1166,15 +1334,16 @@ index 000000000..df0727215
+ "--nvindex or -n"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV &&
+ (ctx->tpm2key || ctx->keyfile))
+ (ctx->tpm2key != NULL || ctx->keyfile != NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, a keyfile cannot be specified"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, an SRK cannot be specified"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->asymmetric)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV &&
+ ctx->srk_type.type != TPM_ALG_ERROR)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, an asymmetric key type cannot be "
+ "specified"));
@ -1189,13 +1358,11 @@ index 000000000..df0727215
+ ctx->pcr_count = 1;
+ }
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ ctx->srk_type.type == TPM_ALG_ERROR)
+ {
+ if (!ctx->asymmetric)
+ {
+ ctx->asymmetric = TPM_ALG_RSA;
+ ctx->rsa_bits = 2048;
+ }
+ ctx->srk_type.type = TPM_ALG_ECC;
+ ctx->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+
+ return GRUB_ERR_NONE;
@ -1299,9 +1466,7 @@ index 000000000..df0727215
+ if (state[OPTION_ASYMMETRIC].set) /* asymmetric */
+ {
+ err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg,
+ &grub_tpm2_protector_ctx.asymmetric,
+ &grub_tpm2_protector_ctx.rsa_bits,
+ &grub_tpm2_protector_ctx.ecc_curve);
+ &grub_tpm2_protector_ctx.srk_type);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
@ -1376,10 +1541,10 @@ index 000000000..df0727215
+}
diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
new file mode 100644
index 000000000..e3b6a03e0
index 000000000..7ad4b6a2a
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.asn
@@ -0,0 +1,31 @@
@@ -0,0 +1,33 @@
+--
+-- TPM 2.0 key file format
+-- To generate tpm2key_asn1_tab.c: asn1Parser tpm2key.asn
@ -1405,6 +1570,8 @@ index 000000000..e3b6a03e0
+ policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ description [4] EXPLICIT UTF8String OPTIONAL,
+ rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ parent INTEGER,
+ pubkey OCTET STRING,
+ privkey OCTET STRING
@ -1413,10 +1580,10 @@ index 000000000..e3b6a03e0
+END
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
new file mode 100644
index 000000000..a26c287c9
index 000000000..7a55644e5
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.c
@@ -0,0 +1,447 @@
@@ -0,0 +1,476 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2023 SUSE LLC
@ -1518,17 +1685,19 @@ index 000000000..a26c287c9
+ grub_err_t err;
+
+ /*
+ TPMKey ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
+ policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ parent INTEGER,
+ pubkey OCTET STRING,
+ privkey OCTET STRING
+ }
+ */
+ * TPMKey ::= SEQUENCE {
+ * type OBJECT IDENTIFIER,
+ * emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
+ * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ * secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ * description [4] EXPLICIT UTF8String OPTIONAL,
+ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ * parent INTEGER,
+ * pubkey OCTET STRING,
+ * privkey OCTET STRING
+ * }
+ */
+ ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
+ if (ret != ASN1_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
@ -1579,11 +1748,8 @@ index 000000000..a26c287c9
+ err = GRUB_ERR_NONE;
+
+error:
+ if (type_oid)
+ grub_free (type_oid);
+
+ if (empty_auth)
+ grub_free (empty_auth);
+ grub_free (type_oid);
+ grub_free (empty_auth);
+
+ return err;
+}
@ -1591,12 +1757,42 @@ index 000000000..a26c287c9
+void
+grub_tpm2key_end_parsing (asn1_node tpm2key)
+{
+ if (tpm2key)
+ asn1_delete_structure (&tpm2key);
+ asn1_delete_structure (&tpm2key);
+ tpm2key = NULL;
+}
+
+grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent)
+{
+ void *bool_str = NULL;
+ grub_size_t bool_str_size = 0;
+ int ret;
+
+ if (rsaparent == NULL)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("NULL pointer detected"));
+
+ if (tpm2key == NULL)
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid parent node"));
+
+ ret = asn1_allocate_and_read (tpm2key, "rsaParent", &bool_str, &bool_str_size);
+ if (ret == ASN1_SUCCESS)
+ {
+ if (grub_strncmp ("TRUE", bool_str, bool_str_size) == 0)
+ *rsaparent = 1;
+ else
+ *rsaparent = 0;
+ }
+ else if (ret == ASN1_ELEMENT_NOT_FOUND)
+ *rsaparent = 0;
+ else
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve rsaParent"));
+
+ grub_free (bool_str);
+
+ return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent)
+{
+ int ret;
@ -1805,7 +2001,7 @@ index 000000000..a26c287c9
+ /* Limit the number of authPolicy elements to two digits (99) */
+ if (authpol_n > 100 || authpol_n < 1)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Invalid number of autoPolicy elements"));
+ N_("Invalid number of authPolicy elements"));
+
+ /*
+ * Iterate the authPolicy elements backwards since grub_list_push() prepends
@ -1866,10 +2062,10 @@ index 000000000..a26c287c9
+}
diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c
new file mode 100644
index 000000000..551fc46ec
index 000000000..6868924f9
--- /dev/null
+++ b/grub-core/tpm2/tpm2key_asn1_tab.c
@@ -0,0 +1,41 @@
@@ -0,0 +1,45 @@
+/*
+ * This file is generated by 'asn1Parser tpm2key.asn' and the '#include'
+ * headers are replaced with the ones in grub2.
@ -1906,6 +2102,10 @@ index 000000000..551fc46ec
+ { "authPolicy", 1610637323, NULL },
+ { NULL, 1073743880, "3"},
+ { NULL, 2, "TPMAuthPolicy"},
+ { "description", 1610637346, NULL },
+ { NULL, 2056, "4"},
+ { "rsaParent", 1610637316, NULL },
+ { NULL, 2056, "5"},
+ { "parent", 1073741827, NULL },
+ { "pubkey", 1073741831, NULL },
+ { "privkey", 7, NULL },
@ -1913,10 +2113,10 @@ index 000000000..551fc46ec
+};
diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h
new file mode 100644
index 000000000..58d13e031
index 000000000..9f4c0eb9f
--- /dev/null
+++ b/include/grub/tpm2/internal/args.h
@@ -0,0 +1,41 @@
@@ -0,0 +1,49 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -1941,15 +2141,23 @@ index 000000000..58d13e031
+#include <grub/err.h>
+#include <grub/tpm2/tpm2.h>
+
+struct grub_srk_type
+{
+ TPMI_ALG_PUBLIC type;
+ union {
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ } detail;
+};
+typedef struct grub_srk_type grub_srk_type_t;
+
+grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs,
+ grub_uint8_t *pcr_count);
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve);
+ grub_srk_type_t *srk_type);
+
+grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank);
@ -1960,10 +2168,10 @@ index 000000000..58d13e031
+#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h
new file mode 100644
index 000000000..df46203e3
index 000000000..c27b5305e
--- /dev/null
+++ b/include/grub/tpm2/tpm2key.h
@@ -0,0 +1,83 @@
@@ -0,0 +1,86 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2023 SUSE LLC
@ -2026,6 +2234,9 @@ index 000000000..df46203e3
+grub_tpm2key_end_parsing (asn1_node tpm2key);
+
+grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent);
+
+grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent);
+
+grub_err_t

543
0003-tpm2-Implement-more-TPM2-commands.patch
View File

@ -1,543 +0,0 @@
From a49c4dcbcb04078434f461ed3356c04042be461a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 8 Feb 2023 10:30:55 +0800
Subject: [PATCH 3/4] tpm2: Implement more TPM2 commands
This commit implements a few more TPM2 commands as the preparation for
the authorized policy support.
* TPM2_LoadExternal
This command is added to load the external public key to verify the
signed policy digest
* TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_SequenceComplete,
and TPM2_Hash
With those commands, we can use the TPM as a coprocessor to calculate
the hash of a given binary blob.
* TPM2_VerifySignature
This command verifies the given signature with the given public key
and returns the validation ticket to authorize the policy.
* TPM2_PolicyAuthorize
This command approves the given policy digest so that we can unseal
the key with the newly authorized policy.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/tpm2.c | 424 +++++++++++++++++++++++++
include/grub/tpm2/internal/functions.h | 57 ++++
2 files changed, 481 insertions(+)
diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
index d67699a24..159353b08 100644
--- a/grub-core/tpm2/tpm2.c
+++ b/grub-core/tpm2/tpm2.c
@@ -427,6 +427,73 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
return TPM_RC_SUCCESS;
}
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM_HANDLE objectHandleTmp;
+ TPM2B_NAME nameTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!inPublic)
+ return TPM_RC_VALUE;
+
+ if (!objectHandle)
+ objectHandle = &objectHandleTmp;
+ if (!name)
+ name = &nameTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (objectHandle, 0, sizeof (*objectHandle));
+ grub_memset (name, 0, sizeof (*name));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (inPrivate)
+ grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (&in, inPrivate);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&in, inPublic);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_LoadExternal, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ grub_tpm2_buffer_unpack_u32 (&out, objectHandle);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT itemHandle,
const TPMS_AUTH_COMMAND *authCommand,
@@ -759,3 +826,360 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
return TPM_RC_SUCCESS;
}
+
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMI_DH_OBJECT sequenceHandleTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!auth)
+ return TPM_RC_VALUE;
+
+ if (!sequenceHandle)
+ sequenceHandle = &sequenceHandleTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (sequenceHandle, 0, sizeof (*sequenceHandle));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, auth->size, auth->buffer);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_HashSequenceStart, &responseCode, &in,
+ &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, sequenceHandle);
+ if (tag == TPM_ST_SESSIONS)
+ {
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ }
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceUpdate,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM2B_DIGEST resultTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!result)
+ result = &resultTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (result, 0, sizeof (*result));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceComplete,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, result);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM2B_DIGEST outHashTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (hashAlg == TPM_ALG_NULL)
+ return TPM_RC_VALUE;
+
+ if (!outHash)
+ outHash = &outHashTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (outHash, 0, sizeof (*outHash));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (data)
+ grub_tpm2_mu_TPM2B_Marshal (&in, data->size, data->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_Hash, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, outHash);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPMT_TK_VERIFIED validationTmp;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!digest || !signature)
+ return TPM_RC_VALUE;
+
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_buffer_pack_u32 (&in, keyHandle);
+ grub_tpm2_mu_TPM2B_Marshal (&in, digest->size, digest->buffer);
+ grub_tpm2_mu_TPMT_SIGNATURE_Marshal (&in, signature);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_VerifySignature, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!approvedPolicy || !keySign || !checkTicket)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, policySession);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, approvedPolicy->size, approvedPolicy->buffer);
+ if (policyRef)
+ grub_tpm2_mu_TPM2B_Marshal (&in, policyRef->size, policyRef->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_Marshal (&in, keySign->size, keySign->name);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (&in, checkTicket);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_PolicyAuthorize, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h
index 9380f26a2..67b78fab8 100644
--- a/include/grub/tpm2/internal/functions.h
+++ b/include/grub/tpm2/internal/functions.h
@@ -70,6 +70,15 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
TPM2B_NAME *name,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse);
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT item_handle,
const TPMS_AUTH_COMMAND *authCommand,
@@ -114,4 +123,52 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
const TPMI_DH_PERSISTENT persistentHandle,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse);
+
#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
--
2.35.3

114
0004-cryptodisk-Support-key-protectors.patch
View File

@ -1,42 +1,50 @@
From 9888bf40d960339a59dc18fb6e1df5f65b4668e3 Mon Sep 17 00:00:00 2001
From 7ce7b7889ce73174a0d8091978254ecf2d2e205f Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:56 -0800
Subject: [PATCH 13/14] cryptodisk: Support key protectors
Subject: [PATCH 4/5] cryptodisk: Support key protectors
Add a new parameter to cryptomount to support the key protectors framework: -k.
Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provides a usable key for any
given disk.
Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
Makefile.util.def | 1 +
grub-core/disk/cryptodisk.c | 166 +++++++++++++++++++++++++++++-------
include/grub/cryptodisk.h | 14 +++
3 files changed, 151 insertions(+), 30 deletions(-)
grub-core/disk/cryptodisk.c | 172 +++++++++++++++++++++++++++++-------
include/grub/cryptodisk.h | 16 ++++
3 files changed, 158 insertions(+), 31 deletions(-)
diff --git a/Makefile.util.def b/Makefile.util.def
index 3b9435307..252d70af2 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -35,6 +35,7 @@
common = grub-core/kern/list.c;
common = grub-core/kern/misc.c;
common = grub-core/kern/partition.c;
+ common = grub-core/kern/protectors.c;
common = grub-core/lib/crypto.c;
common = grub-core/lib/json/json.c;
@@ -40,6 +40,7 @@ library = {
common = grub-core/disk/luks.c;
common = grub-core/disk/luks2.c;
common = grub-core/disk/geli.c;
+ common = grub-core/disk/key_protector.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
common = grub-core/lib/pbkdf2.c;
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 2246af51b..b7648ffb7 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -26,6 +26,7 @@
#include <grub/file.h>
#include <grub/procfs.h>
#include <grub/partition.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
#ifdef GRUB_UTIL
#include <grub/emu/hostdisk.h>
@@ -44,7 +45,8 @@
@@ -44,7 +45,8 @@ enum
OPTION_KEYFILE,
OPTION_KEYFILE_OFFSET,
OPTION_KEYFILE_SIZE,
@ -46,7 +54,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
};
static const struct grub_arg_option options[] =
@@ -58,6 +60,8 @@
@@ -58,6 +60,8 @@ static const struct grub_arg_option options[] =
{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
@ -55,7 +63,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
{0, 0, 0, 0, 0, 0}
};
@@ -1061,6 +1065,7 @@
@@ -1061,6 +1065,7 @@ grub_cryptodisk_scan_device_real (const char *name,
grub_err_t ret = GRUB_ERR_NONE;
grub_cryptodisk_t dev;
grub_cryptodisk_dev_t cr;
@ -63,7 +71,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
struct cryptodisk_read_hook_ctx read_hook_data = {0};
int askpass = 0;
char *part = NULL;
@@ -1113,41 +1118,112 @@
@@ -1113,41 +1118,112 @@ grub_cryptodisk_scan_device_real (const char *name,
goto error_no_close;
if (!dev)
continue;
@ -84,13 +92,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
- cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
- if (cargs->key_data == NULL)
- goto error_no_close;
+ if (dev == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_MODULE,
+ "no cryptodisk module can handle this device");
+ goto error_no_close;
+ }
-
- if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
- {
- grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
@ -98,16 +100,23 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
- }
- cargs->key_len = grub_strlen ((char *) cargs->key_data);
- }
+ if (dev == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_MODULE,
+ "no cryptodisk module can handle this device");
+ goto error_no_close;
+ }
- ret = cr->recover_key (source, dev, cargs);
- if (ret != GRUB_ERR_NONE)
- goto error;
+ if (cargs->protectors)
+ {
+ for (i = 0; cargs->protectors[i]; i++)
+ {
+ if (cargs->key_cache[i].invalid)
+ continue;
- ret = cr->recover_key (source, dev, cargs);
- if (ret != GRUB_ERR_NONE)
- goto error;
+
+ if (cargs->key_cache[i].key == NULL)
+ {
+ ret = grub_key_protector_recover_key (cargs->protectors[i],
@ -146,16 +155,16 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
+ cargs->protectors[i], source->name,
+ source->partition != NULL ? "," : "",
+ part != NULL ? part : N_("UNKNOWN"), dev->uuid);
+ grub_free (part);
+ continue;
+ grub_free (part);
+ continue;
+ }
+ else
+ {
+ ret = grub_cryptodisk_insert (dev, name, source);
+ if (ret != GRUB_ERR_NONE)
+ goto error;
+ goto cleanup;
+ }
+ else
+ {
+ ret = grub_cryptodisk_insert (dev, name, source);
+ if (ret != GRUB_ERR_NONE)
+ goto error;
+ goto cleanup;
+ }
+ }
- ret = grub_cryptodisk_insert (dev, name, source);
@ -205,7 +214,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
goto cleanup;
error:
@@ -1258,6 +1334,20 @@
@@ -1259,6 +1335,20 @@ grub_cryptodisk_scan_device (const char *name,
return ret;
}
@ -226,7 +235,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
static grub_err_t
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
@@ -1270,6 +1360,10 @@
@@ -1271,6 +1361,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
if (grub_cryptodisk_list == NULL)
return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded");
@ -237,7 +246,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (state[OPTION_PASSWORD].set) /* password */
{
cargs.key_data = (grub_uint8_t *) state[OPTION_PASSWORD].arg;
@@ -1362,6 +1456,15 @@
@@ -1363,6 +1457,15 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
return grub_errno;
}
@ -253,7 +262,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (state[OPTION_UUID].set) /* uuid */
{
int found_uuid;
@@ -1370,6 +1473,7 @@
@@ -1371,6 +1474,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
dev = grub_cryptodisk_get_by_uuid (args[0]);
if (dev)
{
@ -261,7 +270,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
grub_dprintf ("cryptodisk",
"already mounted as crypto%lu\n", dev->id);
return GRUB_ERR_NONE;
@@ -1378,6 +1482,7 @@
@@ -1379,6 +1483,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
cargs.check_boot = state[OPTION_BOOT].set;
cargs.search_uuid = args[0];
found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@ -269,7 +278,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (found_uuid)
return GRUB_ERR_NONE;
@@ -1397,6 +1502,7 @@
@@ -1398,6 +1503,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
cargs.check_boot = state[OPTION_BOOT].set;
grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@ -277,7 +286,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
return GRUB_ERR_NONE;
}
else
@@ -1420,6 +1526,7 @@
@@ -1421,6 +1527,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
disk = grub_disk_open (diskname);
if (!disk)
{
@ -285,7 +294,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (disklast)
*disklast = ')';
return grub_errno;
@@ -1430,12 +1537,14 @@
@@ -1431,12 +1538,14 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id);
grub_disk_close (disk);
@ -300,7 +309,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
grub_disk_close (disk);
if (disklast)
@@ -1576,6 +1685,7 @@
@@ -1590,6 +1699,7 @@ GRUB_MOD_INIT (cryptodisk)
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
N_("[ [-p password] | [-k keyfile"
" [-O keyoffset] [-S keysize] ] ] [-H file]"
@ -308,9 +317,11 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
" <SOURCE|-u UUID|-a|-b>"),
N_("Mount a crypto device."), options);
grub_procfs_register ("luks_script", &luks_script);
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index d94df68b6..0b41e249e 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -70,6 +70,18 @@
@@ -70,6 +70,18 @@ typedef gcry_err_code_t
(*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
grub_uint64_t zoneno);
@ -329,7 +340,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
struct grub_cryptomount_args
{
/* scan: Flag to indicate that only bootable volumes should be decrypted */
@@ -81,6 +93,10 @@
@@ -81,6 +93,10 @@ struct grub_cryptomount_args
/* recover_key: Length of key_data */
grub_size_t key_len;
grub_file_t hdr_file;
@ -340,3 +351,6 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
};
typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
--
2.35.3

18
0004-diskfilter-look-up-cryptodisk-devices-first.patch
View File

@ -1,4 +1,4 @@
From b7e2fb6a680447b7bb7eb18bb7570afa8d2b7f09 Mon Sep 17 00:00:00 2001
From 91a99dffbe78b91a0c18b32ebecf755ba9d74032 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 10 Aug 2023 10:19:29 +0800
Subject: [PATCH 4/4] diskfilter: look up cryptodisk devices first
@ -12,15 +12,15 @@ look like this:
Since the disk search order is based on the order of module loading, the
attacker could insert a malicious disk with the same FS-UUID root to
trick grub2 to boot into th malicious root and further dump memory to
trick grub2 to boot into the malicious root and further dump memory to
steal the unsealed key.
To defend such attack, we can specify the hint provided by 'grub-probe'
to search the encrypted partition first:
Do defend against such an attack, we can specify the hint provided by
'grub-probe' to search the encrypted partition first:
search --fs-uuid --set=root --hint='cryptouuid/<PART-UUID>' <FS-UUID>
However, for LVM on a encrypted partition, the search hint provided by
However, for LVM on an encrypted partition, the search hint provided by
'grub-probe' is:
--hint='lvmid/<VG-UUID>/<LV-UUID>'
@ -29,20 +29,22 @@ It doesn't guarantee to look up the logical volume from the encrypted
partition, so the attacker may have the chance to fool grub2 to boot
into the malicious disk.
To mininize the attack surface, this commit tweaks the disk device search
To minimize the attack surface, this commit tweaks the disk device search
in diskfilter to look up cryptodisk devices first and then others, so
that the auto-unlocked disk will be found first, not the attacker's disk.
Cc: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/diskfilter.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 61a311efd..94832c8dd 100644
index 41e177549..c45bef1ca 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -226,15 +226,32 @@ scan_devices (const char *arname)
@@ -322,15 +322,32 @@ scan_devices (const char *arname)
int need_rescan;
for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)

386
0005-util-grub-protect-Add-new-tool.patch
View File

@ -1,7 +1,7 @@
From 1116bc4b9a27aceaec53421e89eb887e6ad3aef8 Mon Sep 17 00:00:00 2001
From c8c567c463cbe6090e086430251efc0dd4f58164 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:57 -0800
Subject: [PATCH v7 12/20] util/grub-protect: Add new tool
Subject: [PATCH 5/5] util/grub-protect: Add new tool
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
@ -27,6 +27,7 @@ To seal the key with TPM 2.0 Key File (recommended):
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2key \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm
@ -35,6 +36,7 @@ Or, to seal the key with the raw sealed key:
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/boot/grub2/sealed.key
@ -45,29 +47,38 @@ cryptomount -u <SDB1_UUID> -P tpm2
Or, for the raw sealed key:
tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key
tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key --pcrs=0,2,4,7,9
cryptomount -u <SDB1_UUID> -P tpm2
The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.
Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile.util.def | 22 +
configure.ac | 9 +
util/grub-protect.c | 1492 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 1525 insertions(+)
.gitignore | 2 +
Makefile.util.def | 24 +
configure.ac | 30 +
docs/man/grub-protect.h2m | 4 +
util/grub-protect.c | 1420 +++++++++++++++++++++++++++++++++++++
5 files changed, 1480 insertions(+)
create mode 100644 docs/man/grub-protect.h2m
create mode 100644 util/grub-protect.c
diff --git a/Makefile.util.def b/Makefile.util.def
index e89abb38f..f43c223b9 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -207,6 +207,28 @@ program = {
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
Index: grub-2.12/Makefile.util.def
===================================================================
--- grub-2.12.orig/Makefile.util.def
+++ grub-2.12/Makefile.util.def
@@ -208,6 +208,30 @@ program = {
};
+program = {
program = {
+ name = grub-protect;
+ mansection = 1;
+
+ common = grub-core/kern/emu/argp_common.c;
+ common = grub-core/osdep/init.c;
+ common = grub-core/tpm2/args.c;
+ common = grub-core/tpm2/buffer.c;
@ -84,16 +95,17 @@ index e89abb38f..f43c223b9 100644
+ ldadd = '$(LIBTASN1)';
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+
+ enable = efi;
+ condition = COND_GRUB_PROTECT;
+};
+
program = {
+program = {
name = grub-mkrelpath;
mansection = 1;
diff --git a/configure.ac b/configure.ac
index c19779c14..9796e5f9b 100644
--- a/configure.ac
+++ b/configure.ac
Index: grub-2.12/configure.ac
===================================================================
--- grub-2.12.orig/configure.ac
+++ grub-2.12/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
grub_TRANSFORM([grub-mkrelpath])
grub_TRANSFORM([grub-mkrescue])
@ -102,27 +114,70 @@ index c19779c14..9796e5f9b 100644
grub_TRANSFORM([grub-reboot])
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
@@ -2018,6 +2019,14 @@ fi
@@ -2057,6 +2058,29 @@ fi
AC_SUBST([LIBZFS])
AC_SUBST([LIBNVPAIR])
+AC_ARG_ENABLE([grub-protect],
+ [AS_HELP_STRING([--enable-grub-protect],
+ [build and install the `grub-protect' utility (default=guessed)])])
+if test x"$enable_grub_protect" = xno ; then
+ grub_protect_excuse="explicitly disabled"
+fi
+
+LIBTASN1=
+if test x"$platform" = xefi; then
+ AC_CHECK_LIB([tasn1], [asn1_write_value], [],
+ [AC_MSG_ERROR([Your platform requires libtasn1])])
+ LIBTASN1="-ltasn1"
+if test x"$grub_protect_excuse" = x ; then
+ AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], [grub_protect_excuse="need libtasn1 library"])
+fi
+AC_SUBST([LIBTASN1])
+
+if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; then
+ AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled ($grub_protect_excuse)])
+fi
+if test x"$grub_protect_excuse" = x ; then
+enable_grub_protect=yes
+else
+enable_grub_protect=no
+fi
+AC_SUBST([enable_grub_protect])
+
LIBS=""
AC_SUBST([FONT_SOURCE])
diff --git a/util/grub-protect.c b/util/grub-protect.c
new file mode 100644
index 000000000..c6d41ea40
@@ -2177,6 +2201,7 @@ AM_CONDITIONAL([COND_GRUB_EMU_SDL], [tes
AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes])
AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes])
AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes])
+AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes])
AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x])
if test x$FONT_SOURCE != x ; then
HAVE_FONT_SOURCE=1
@@ -2304,6 +2329,11 @@ echo grub-mount: Yes
else
echo grub-mount: No "($grub_mount_excuse)"
fi
+if [ x"$grub_protect_excuse" = x ]; then
+echo grub-protect: Yes
+else
+echo grub-protect: No "($grub_protect_excuse)"
+fi
if [ x"$starfield_excuse" = x ]; then
echo starfield theme: Yes
echo With DejaVuSans font from $DJVU_FONT_SOURCE
Index: grub-2.12/docs/man/grub-protect.h2m
===================================================================
--- /dev/null
+++ b/util/grub-protect.c
@@ -0,0 +1,1492 @@
+++ grub-2.12/docs/man/grub-protect.h2m
@@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to pretect a disk encryption key with a specified key protector.
Index: grub-2.12/util/grub-protect.c
===================================================================
--- /dev/null
+++ grub-2.12/util/grub-protect.c
@@ -0,0 +1,1420 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -151,8 +206,6 @@ index 000000000..c6d41ea40
+#include <string.h>
+#include <unistd.h>
+
+#include <grub/crypto.h>
+#include <grub/emu/getroot.h>
+#include <grub/emu/hostdisk.h>
+#include <grub/emu/misc.h>
+#include <grub/tpm2/buffer.h>
@ -228,9 +281,7 @@ index 000000000..c6d41ea40
+ const char *tpm2_device;
+ grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
+ grub_uint8_t tpm2_pcr_count;
+ TPM_ALG_ID tpm2_asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ grub_srk_type_t srk_type;
+ TPM_ALG_ID tpm2_bank;
+ TPM_HANDLE tpm2_srk;
+ const char *tpm2_keyfile;
@ -267,7 +318,7 @@ index 000000000..c6d41ea40
+ .arg = "FILE",
+ .flags = 0,
+ .doc =
+ N_("Path to the TPM2 device (default is /dev/tpm0)."),
+ N_("Path to the TPM2 device. (default: /dev/tpm0)"),
+ .group = 0
+ },
+ {
@ -277,7 +328,11 @@ index 000000000..c6d41ea40
+ .flags = 0,
+ .doc =
+ N_("Comma-separated list of PCRs used to authorize key release "
+ "(e.g., '7,11', default is 7."),
+ "e.g., '7,11'. Please be aware that PCR 0~7 are used by the "
+ "firmware and the measurement result may change after a "
+ "firmware update (for baremetal systems) or a package "
+ "(OVMF/SeaBIOS/SLOF) update in the VM host. This may lead to"
+ "the failure of key unsealing. (default: 7)"),
+ .group = 0
+ },
+ {
@ -287,7 +342,7 @@ index 000000000..c6d41ea40
+ .flags = 0,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), or SHA512."),
+ "SHA1, SHA256, SHA384, or SHA512. (default: SHA256)"),
+ .group = 0
+ },
+ {
@ -324,10 +379,8 @@ index 000000000..c6d41ea40
+ .arg = "TYPE",
+ .flags = 0,
+ .doc =
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, "
+ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
+ "(default: ECC)"),
+ .group = 0
+ },
+ {
@ -374,7 +427,7 @@ index 000000000..c6d41ea40
+ }
+
+ len = ftell (f);
+ if (len == 0)
+ if (len <= 0)
+ {
+ err = GRUB_ERR_FILE_READ_ERROR;
+ goto exit1;
@ -434,88 +487,6 @@ index 000000000..c6d41ea40
+ return err;
+}
+
+static grub_err_t
+grub_protect_get_grub_drive_for_file (const char *filepath, char **drive)
+{
+ grub_err_t err = GRUB_ERR_IO;
+ char *disk;
+ char **devices;
+ char *grub_dev;
+ char *grub_path;
+ char *efi_drive;
+ char *partition;
+ char *grub_drive;
+ grub_device_t dev;
+ grub_size_t grub_drive_len;
+ int n;
+
+ grub_path = grub_canonicalize_file_name (filepath);
+ if (grub_path == NULL)
+ goto exit1;
+
+ devices = grub_guess_root_devices (grub_path);
+ if (devices == NULL || devices[0] == NULL)
+ goto exit2;
+
+ disk = devices[0];
+
+ grub_util_pull_device (disk);
+
+ grub_dev = grub_util_get_grub_dev (disk);
+ if (grub_dev == NULL)
+ goto exit3;
+
+ dev = grub_device_open (grub_dev);
+ if (dev == NULL)
+ goto exit4;
+
+ efi_drive = grub_util_guess_efi_drive (disk);
+ if (efi_drive == NULL)
+ goto exit5;
+
+ partition = grub_partition_get_name (dev->disk->partition);
+ if (partition == NULL)
+ goto exit6;
+
+ grub_drive_len = grub_strlen (efi_drive) + grub_strlen (partition) + 3;
+ grub_drive = grub_malloc (grub_drive_len + 1);
+ if (grub_drive == NULL)
+ goto exit7;
+
+ n = grub_snprintf (grub_drive, grub_drive_len + 1, "(%s,%s)", efi_drive,
+ partition);
+ if (n != grub_drive_len)
+ goto exit8;
+
+ *drive = grub_drive;
+ grub_drive = NULL;
+ err = GRUB_ERR_NONE;
+
+exit8:
+ grub_free (grub_drive);
+
+exit7:
+ grub_free (partition);
+
+exit6:
+ grub_free (efi_drive);
+
+exit5:
+ grub_device_close (dev);
+
+exit4:
+ grub_free (grub_dev);
+
+exit3:
+ grub_free (devices);
+
+exit2:
+ grub_free (grub_path);
+
+exit1:
+ return err;
+}
+
+grub_err_t
+grub_tcg2_get_max_output_size (grub_size_t *size)
+{
@ -552,7 +523,7 @@ index 000000000..c6d41ea40
+ grub_protector_tpm2_fd = open (dev_node, O_RDWR);
+ if (grub_protector_tpm2_fd == -1)
+ {
+ fprintf (stderr, _("Could not open TPM device (Error: %u).\n"), errno);
+ fprintf (stderr, _("Could not open TPM device (%s).\n"), strerror (errno));
+ return GRUB_ERR_FILE_NOT_FOUND;
+ }
+
@ -595,20 +566,15 @@ index 000000000..c6d41ea40
+ };
+ TPML_PCR_SELECTION pcr_sel_out = { 0 };
+ TPML_DIGEST pcr_values = { 0 };
+ grub_uint8_t *pcr_digest;
+ TPM2B_DIGEST pcr_digest = { 0 };
+ grub_size_t pcr_digest_len;
+ grub_uint8_t *pcr_concat;
+ TPM2B_MAX_BUFFER pcr_concat = { 0 };
+ grub_size_t pcr_concat_len;
+ grub_uint8_t *pcr_cursor;
+ const gcry_md_spec_t *hash_spec;
+ TPM2B_NONCE nonce = { 0 };
+ TPM2B_ENCRYPTED_SECRET salt = { 0 };
+ TPMT_SYM_DEF symmetric = { 0 };
+ TPMI_SH_AUTH_SESSION session = 0;
+ TPM2B_DIGEST pcr_digest_in = {
+ .size = TPM_SHA256_DIGEST_SIZE,
+ .buffer = { 0 }
+ };
+ TPM2B_DIGEST policy_digest = { 0 };
+ grub_uint8_t i;
+ grub_err_t err;
@ -637,40 +603,28 @@ index 000000000..c6d41ea40
+ {
+ case TPM_ALG_SHA1:
+ pcr_digest_len = TPM_SHA1_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA1;
+ break;
+ case TPM_ALG_SHA256:
+ pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA256;
+ break;
+ case TPM_ALG_SHA384:
+ pcr_digest_len = TPM_SHA384_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA512:
+ pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA512;
+ break;
+ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(),
+ it's not supported by the built-in libgcrypt, and we won't be able to
+ calculate the PCR digest, so SHA384 is marked as unsupported. */
+ default:
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ pcr_digest = grub_malloc (pcr_digest_len);
+ if (!pcr_digest)
+ {
+ fprintf (stderr, _("Failed to allocate PCR digest buffer.\n"));
+ return GRUB_ERR_OUT_OF_MEMORY;
+ }
+
+ pcr_concat_len = pcr_digest_len * args->tpm2_pcr_count;
+ pcr_concat = grub_malloc (pcr_concat_len);
+ if (pcr_concat == NULL)
+ if (pcr_concat_len > TPM_MAX_DIGEST_BUFFER)
+ {
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ fprintf (stderr, _("Failed to allocate PCR concatenation buffer.\n"));
+ goto exit1;
+ fprintf (stderr, _("PCR concatenation buffer not enough.\n"));
+ return GRUB_ERR_OUT_OF_RANGE;
+ }
+
+ pcr_cursor = pcr_concat;
+ pcr_cursor = pcr_concat.buffer;
+ for (i = 0; i < args->tpm2_pcr_count; i++)
+ {
+ if (pcr_values.digests[i].size != pcr_digest_len)
@ -678,14 +632,21 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Bad PCR value size: expected %" PRIuGRUB_SIZE " bytes but got %u bytes.\n"),
+ pcr_digest_len, pcr_values.digests[i].size);
+ goto exit2;
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ grub_memcpy (pcr_cursor, pcr_values.digests[i].buffer, pcr_digest_len);
+ pcr_cursor += pcr_digest_len;
+ }
+ pcr_concat.size = pcr_concat_len;
+
+ grub_crypto_hash (hash_spec, pcr_digest, pcr_concat, pcr_concat_len);
+ rc = TPM2_Hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest,
+ NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to generate PCR digest (TPM2_Hash: 0x%x)\n"), rc);
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
+ /* Start Trial Session */
+ nonce.size = TPM_SHA256_DIGEST_SIZE;
@ -699,20 +660,17 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Failed to start trial policy session (TPM2_StartAuthSession: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit2;
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
+ /* PCR Policy */
+ memcpy (pcr_digest_in.buffer, pcr_digest, TPM_SHA256_DIGEST_SIZE);
+
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL);
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest, &pcr_sel, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
+ goto error;
+ }
+
+ /* Retrieve Policy Digest */
@ -722,22 +680,16 @@ index 000000000..c6d41ea40
+ fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
+ goto error;
+ }
+
+ /* Epilogue */
+ *digest = policy_digest;
+ err = GRUB_ERR_NONE;
+
+exit3:
+error:
+ TPM2_FlushContext (session);
+
+exit2:
+ grub_free (pcr_concat);
+
+exit1:
+ grub_free (pcr_digest);
+
+ return err;
+}
+
@ -781,8 +733,8 @@ index 000000000..c6d41ea40
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ inPublic.publicArea.type = args->tpm2_asymmetric;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.type = args->srk_type.type;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.objectAttributes.restricted = 1;
+ inPublic.publicArea.objectAttributes.userWithAuth = 1;
+ inPublic.publicArea.objectAttributes.decrypt = 1;
@ -791,14 +743,14 @@ index 000000000..c6d41ea40
+ inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+ inPublic.publicArea.objectAttributes.noDA = 1;
+
+ switch (args->tpm2_asymmetric)
+ switch (args->srk_type.type)
+ {
+ case TPM_ALG_RSA:
+ inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->srk_type.detail.rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ break;
+
@ -807,7 +759,7 @@ index 000000000..c6d41ea40
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.curveID = args->srk_type.detail.ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ break;
+
@ -948,6 +900,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "type", sealed_key_oid, 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'type': 0x%u\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -956,6 +909,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "emptyAuth", "TRUE", 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'emptyAuth': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -964,6 +918,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "policy", "NEW", 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -972,6 +927,7 @@ index 000000000..c6d41ea40
+ sizeof (cmd_code));
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy CommandCode': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -979,6 +935,7 @@ index 000000000..c6d41ea40
+ pol_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy CommandPolicy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -987,6 +944,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "secret", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'secret': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -995,15 +953,48 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "authPolicy", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'authPolicy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /* Use TPM_RH_OWNER as the default parent handle */
+ parent = grub_cpu_to_be32 (TPM_RH_OWNER);
+ /* Remove 'description' */
+ ret = asn1_write_value (tpm2key, "description", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'description': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /*
+ * Use the SRK handle as the parent handle if specified
+ * Otherwise, Use TPM_RH_OWNER as the default parent handle
+ */
+ if (args->tpm2_srk != 0)
+ parent = grub_cpu_to_be32 (args->tpm2_srk);
+ else
+ parent = grub_cpu_to_be32 (TPM_RH_OWNER);
+ ret = asn1_write_value (tpm2key, "parent", &parent, sizeof (parent));
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'parent': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /*
+ * Set 'rsaParent' to TRUE if the RSA SRK is specified and the SRK
+ * handle is not persistent. Otherwise, remove 'rsaParent'.
+ */
+ if (args->tpm2_srk == 0 && args->srk_type.type == TPM_ALG_RSA)
+ ret = asn1_write_value (tpm2key, "rsaParent", "TRUE", 1);
+ else
+ ret = asn1_write_value (tpm2key, "rsaParent", NULL, 0);
+
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'rsaParent': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1012,6 +1003,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "pubkey", pub_buf.data, pub_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'pubkey': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1020,6 +1012,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "privkey", priv_buf.data, priv_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'privkey': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1027,10 +1020,17 @@ index 000000000..c6d41ea40
+ /* Create the DER binary */
+ der_buf_size = 0;
+ ret = asn1_der_coding (tpm2key, "", NULL, &der_buf_size, NULL);
+ if (ret != ASN1_MEM_ERROR)
+ {
+ fprintf (stderr, _("Failed to get DER size: 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ der_buf = grub_malloc (der_buf_size);
+ if (der_buf == NULL)
+ {
+ fprintf (stderr, _("Failed to allocate memory for DER encoding\n"));
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ goto error;
+ }
@ -1038,6 +1038,7 @@ index 000000000..c6d41ea40
+ ret = asn1_der_coding (tpm2key, "", der_buf, &der_buf_size, NULL);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, "DER coding error: 0x%x\n", ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1082,14 +1083,11 @@ index 000000000..c6d41ea40
+grub_protect_tpm2_add (struct grub_protect_args *args)
+{
+ grub_err_t err;
+ grub_uint8_t *key;
+ grub_uint8_t *key = NULL;
+ grub_size_t key_size;
+ TPM_HANDLE srk;
+ TPM2B_DIGEST policy_digest;
+ TPM2_SEALED_KEY sealed_key;
+ char *grub_drive = NULL;
+
+ grub_protect_get_grub_drive_for_file (args->tpm2_outfile, &grub_drive);
+
+ err = grub_protect_tpm2_open_device (args->tpm2_device);
+ if (err != GRUB_ERR_NONE)
@ -1104,7 +1102,8 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Input key is too long, maximum allowed size is %u bytes.\n"),
+ TPM_MAX_SYM_DATA);
+ return GRUB_ERR_OUT_OF_RANGE;
+ err = GRUB_ERR_OUT_OF_RANGE;
+ goto exit2;
+ }
+
+ err = grub_protect_tpm2_get_srk (args, &srk);
@ -1127,19 +1126,6 @@ index 000000000..c6d41ea40
+ if (err != GRUB_ERR_NONE)
+ goto exit3;
+
+ if (grub_drive)
+ {
+ printf (_("GRUB drive for the sealed key file: %s\n"), grub_drive);
+ grub_free (grub_drive);
+ }
+ else
+ {
+ fprintf (stderr,
+ _("Warning: Could not determine GRUB drive for sealed key "
+ "file.\n"));
+ err = GRUB_ERR_NONE;
+ }
+
+exit3:
+ TPM2_FlushContext (srk);
+
@ -1254,10 +1240,10 @@ index 000000000..c6d41ea40
+ args->tpm2_pcr_count = 1;
+ }
+
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
+ if (args->srk_type.type == TPM_ALG_ERROR)
+ {
+ args->tpm2_asymmetric = TPM_ALG_RSA;
+ args->rsa_bits = 2048;
+ args->srk_type.type = TPM_ALG_ECC;
+ args->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+
+ if (args->tpm2_bank == TPM_ALG_ERROR)
@ -1424,8 +1410,7 @@ index 000000000..c6d41ea40
+ return EINVAL;
+ }
+
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric,
+ &args->rsa_bits, &args->ecc_curve);
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->srk_type);
+ if (err != GRUB_ERR_NONE)
+ {
+ if (grub_errno != GRUB_ERR_NONE)
@ -1555,7 +1540,6 @@ index 000000000..c6d41ea40
+ grub_util_biosdisk_init (NULL);
+
+ grub_init_all ();
+ grub_gcry_init_all ();
+
+ grub_lvm_fini ();
+ grub_mdraid09_fini ();
@ -1570,7 +1554,6 @@ index 000000000..c6d41ea40
+static void
+grub_protect_fini (void)
+{
+ grub_gcry_fini_all ();
+ grub_fini_all ();
+ grub_util_biosdisk_fini ();
+}
@ -1615,6 +1598,3 @@ index 000000000..c6d41ea40
+
+ return err;
+}
--
2.35.3

35
grub2-bsc1220338-key_protector-implement-the-blocklist.patch
View File

@ -1,4 +1,4 @@
From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 18 Mar 2024 14:53:11 +0800
Subject: [PATCH] key_protector: implement the blocklist
@ -11,17 +11,17 @@ action for the key recovery.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++
include/grub/efi/api.h | 5 +++++
grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
include/grub/efi/api.h | 5 +++++
2 files changed, 36 insertions(+)
Index: grub-2.12/grub-core/kern/protectors.c
===================================================================
--- grub-2.12.orig/grub-core/kern/protectors.c
+++ grub-2.12/grub-core/kern/protectors.c
@@ -21,6 +21,10 @@
#include <grub/mm.h>
#include <grub/protector.h>
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
index b84afe1c7..3d630ca4f 100644
--- a/grub-core/disk/key_protector.c
+++ b/grub-core/disk/key_protector.c
@@ -24,6 +24,10 @@
GRUB_MOD_LICENSE ("GPLv3+");
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
@ -30,7 +30,7 @@ Index: grub-2.12/grub-core/kern/protectors.c
struct grub_key_protector *grub_key_protectors = NULL;
grub_err_t
@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
return GRUB_ERR_NONE;
}
@ -65,7 +65,7 @@ Index: grub-2.12/grub-core/kern/protectors.c
if (grub_key_protectors == NULL)
return GRUB_ERR_OUT_OF_RANGE;
@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
"Is the name spelled correctly and is the "
"corresponding module loaded?"), protector);
@ -75,10 +75,10 @@ Index: grub-2.12/grub-core/kern/protectors.c
+
return kp->recover_key (key, key_size);
}
Index: grub-2.12/include/grub/efi/api.h
===================================================================
--- grub-2.12.orig/include/grub/efi/api.h
+++ grub-2.12/include/grub/efi/api.h
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 7947cf592..975b90b09 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -389,6 +389,11 @@
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
}
@ -91,3 +91,6 @@ Index: grub-2.12/include/grub/efi/api.h
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
--
2.35.3

28
grub2.changes
View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed May 15 06:19:54 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Update to the latest upstreaming TPM2 patches
* 0001-key_protector-Add-key-protectors-framework.patch
- Replace 0001-protectors-Add-key-protectors-framework.patch
* 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
- Merge other TSS patches
* 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
* 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
* 0003-tpm2-Implement-more-TPM2-commands.patch
* 0003-key_protector-Add-TPM2-Key-Protector.patch
- Replace 0003-protectors-Add-TPM2-Key-Protector.patch
* 0004-cryptodisk-Support-key-protectors.patch
* 0005-util-grub-protect-Add-new-tool.patch
* 0001-tpm2-Support-authorized-policy.patch
- Replace 0004-tpm2-Support-authorized-policy.patch
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
* 0001-tpm2-Implement-NV-index.patch
- Replace 0001-protectors-Implement-NV-index.patch
* 0002-cryptodisk-Fallback-to-passphrase.patch
* 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
* 0004-diskfilter-look-up-cryptodisk-devices-first.patch
- Refresh affected patches
* 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
* grub2-bsc1220338-key_protector-implement-the-blocklist.patch
- New manpage for grub2-protect
-------------------------------------------------------------------
Wed May 15 00:46:14 UTC 2024 - Michael Chang <mchang@suse.com>

13
grub2.spec
View File

@ -338,9 +338,9 @@ Patch146: 0001-install-fix-software-raid1-on-esp.patch
Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
Patch150: 0001-protectors-Add-key-protectors-framework.patch
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
Patch152: 0003-protectors-Add-TPM2-Key-Protector.patch
Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch
Patch153: 0004-cryptodisk-Support-key-protectors.patch
Patch154: 0005-util-grub-protect-Add-new-tool.patch
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
@ -358,10 +358,8 @@ Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
Patch167: grub2-increase-crypttab-path-buffer.patch
Patch168: 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
Patch169: 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
Patch170: 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
Patch171: 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
Patch172: 0003-tpm2-Implement-more-TPM2-commands.patch
Patch173: 0004-tpm2-Support-authorized-policy.patch
Patch170: 0001-tpm2-Support-authorized-policy.patch
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
Patch176: 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
@ -372,7 +370,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
Patch183: grub2-change-bash-completion-dir.patch
Patch184: 0001-protectors-Implement-NV-index.patch
Patch184: 0001-tpm2-Implement-NV-index.patch
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
@ -1225,6 +1223,7 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%{_mandir}/man1/%{name}-mkrelpath.1.*
%{_mandir}/man1/%{name}-mkrescue.1.*
%{_mandir}/man1/%{name}-mkstandalone.1.*
%{_mandir}/man1/%{name}-protect.1.*
%{_mandir}/man1/%{name}-render-label.1.*
%{_mandir}/man1/%{name}-script-check.1.*
%{_mandir}/man1/%{name}-syslinux2cfg.1.*