Accepting request 1127240 from home:gary_lin:branches:Base:System
- Update the TPM2 patches to skip the persistent SRK handle if not specified and improve the error messages + 0003-protectors-Add-TPM2-Key-Protector.patch + 0005-util-grub-protect-Add-new-tool.patch + 0004-tpm2-Support-authorized-policy.patch OBS-URL: https://build.opensuse.org/request/show/1127240 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=475
parent
d2d2c88ea6
commit
82ab887bba
@ -1,7 +1,7 @@
|
|||||||
From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001
|
From 2a63876ca714d177f919b2392d8efa0e3bd3ebe2 Mon Sep 17 00:00:00 2001
|
||||||
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Date: Tue, 1 Feb 2022 05:02:55 -0800
|
Date: Tue, 1 Feb 2022 05:02:55 -0800
|
||||||
Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector
|
Subject: [PATCH v7 10/20] protectors: Add TPM2 Key Protector
|
||||||
|
|
||||||
The TPM2 key protector is a module that enables the automatic retrieval
|
The TPM2 key protector is a module that enables the automatic retrieval
|
||||||
of a fully-encrypted disk's unlocking key from a TPM 2.0.
|
of a fully-encrypted disk's unlocking key from a TPM 2.0.
|
||||||
@ -111,20 +111,20 @@ parameters.
|
|||||||
|
|
||||||
Currently, there is only one supported policy command: TPM2_PolicyPCR.
|
Currently, there is only one supported policy command: TPM2_PolicyPCR.
|
||||||
The command set can be extended to support advanced features, such as
|
The command set can be extended to support advanced features, such as
|
||||||
as authorized policy, in the future.
|
authorized policy, in the future.
|
||||||
|
|
||||||
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
---
|
---
|
||||||
grub-core/Makefile.core.def | 13 +
|
grub-core/Makefile.core.def | 13 +
|
||||||
grub-core/tpm2/args.c | 177 +++++
|
grub-core/tpm2/args.c | 177 +++++
|
||||||
grub-core/tpm2/module.c | 1040 +++++++++++++++++++++++++++++
|
grub-core/tpm2/module.c | 1028 +++++++++++++++++++++++++++++
|
||||||
grub-core/tpm2/tpm2key.asn | 31 +
|
grub-core/tpm2/tpm2key.asn | 31 +
|
||||||
grub-core/tpm2/tpm2key.c | 440 ++++++++++++
|
grub-core/tpm2/tpm2key.c | 447 +++++++++++++
|
||||||
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
|
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
|
||||||
include/grub/tpm2/internal/args.h | 41 ++
|
include/grub/tpm2/internal/args.h | 41 ++
|
||||||
include/grub/tpm2/tpm2key.h | 83 +++
|
include/grub/tpm2/tpm2key.h | 83 +++
|
||||||
8 files changed, 1866 insertions(+)
|
8 files changed, 1861 insertions(+)
|
||||||
create mode 100644 grub-core/tpm2/args.c
|
create mode 100644 grub-core/tpm2/args.c
|
||||||
create mode 100644 grub-core/tpm2/module.c
|
create mode 100644 grub-core/tpm2/module.c
|
||||||
create mode 100644 grub-core/tpm2/tpm2key.asn
|
create mode 100644 grub-core/tpm2/tpm2key.asn
|
||||||
@ -342,10 +342,10 @@ index 000000000..274f4fef0
|
|||||||
+}
|
+}
|
||||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..9605ddbc7
|
index 000000000..df0727215
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/grub-core/tpm2/module.c
|
+++ b/grub-core/tpm2/module.c
|
||||||
@@ -0,0 +1,1040 @@
|
@@ -0,0 +1,1028 @@
|
||||||
+/*
|
+/*
|
||||||
+ * GRUB -- GRand Unified Bootloader
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
+ * Copyright (C) 2022 Microsoft Corporation
|
+ * Copyright (C) 2022 Microsoft Corporation
|
||||||
@ -477,8 +477,7 @@ index 000000000..9605ddbc7
|
|||||||
+ .arg = NULL,
|
+ .arg = NULL,
|
||||||
+ .type = ARG_TYPE_STRING,
|
+ .type = ARG_TYPE_STRING,
|
||||||
+ .doc =
|
+ .doc =
|
||||||
+ N_("In SRK mode, the SRK handle if the SRK is persistent "
|
+ N_("In SRK mode, the SRK handle if the SRK is persistent."),
|
||||||
+ "(default is 0x81000001)."),
|
|
||||||
+ },
|
+ },
|
||||||
+ {
|
+ {
|
||||||
+ .longarg = "asymmetric",
|
+ .longarg = "asymmetric",
|
||||||
@ -519,51 +518,58 @@ index 000000000..9605ddbc7
|
|||||||
+ grub_off_t file_size;
|
+ grub_off_t file_size;
|
||||||
+ void *read_buffer;
|
+ void *read_buffer;
|
||||||
+ grub_off_t read_n;
|
+ grub_off_t read_n;
|
||||||
|
+ grub_err_t err;
|
||||||
+
|
+
|
||||||
+ /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into PCR9
|
+ /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into PCR9
|
||||||
+ * otherwise we'll never be able to predict the value of PCR9 at unseal time */
|
+ * otherwise we'll never be able to predict the value of PCR9 at unseal time */
|
||||||
+ file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
|
+ file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
|
||||||
+ if (file == NULL)
|
+ if (file == NULL)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Could not open file: %s\n", filepath);
|
+ /* Push errno from grub_file_open() into the error message stack */
|
||||||
+ /* grub_file_open sets grub_errno on error, and if we do no unset it,
|
+ grub_error_push();
|
||||||
+ * future calls to grub_file_open will fail (and so will anybody up the
|
+ err = grub_error (GRUB_ERR_FILE_NOT_FOUND,
|
||||||
+ * stack who checks the value, if any). */
|
+ N_("Could not open file: %s\n"),
|
||||||
+ grub_errno = GRUB_ERR_NONE;
|
+ filepath);
|
||||||
+ return GRUB_ERR_FILE_NOT_FOUND;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ file_size = grub_file_size (file);
|
+ file_size = grub_file_size (file);
|
||||||
+ if (file_size == 0)
|
+ if (file_size == 0)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Could not read file size: %s\n", filepath);
|
+ err = grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||||
+ grub_file_close (file);
|
+ N_("Could not read file size: %s"),
|
||||||
+ return GRUB_ERR_OUT_OF_RANGE;
|
+ filepath);
|
||||||
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ read_buffer = grub_malloc (file_size);
|
+ read_buffer = grub_malloc (file_size);
|
||||||
+ if (read_buffer == NULL)
|
+ if (read_buffer == NULL)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Could not allocate buffer for %s.\n", filepath);
|
+ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
+ grub_file_close (file);
|
+ N_("Could not allocate buffer for %s"),
|
||||||
+ return GRUB_ERR_OUT_OF_MEMORY;
|
+ filepath);
|
||||||
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ read_n = grub_file_read (file, read_buffer, file_size);
|
+ read_n = grub_file_read (file, read_buffer, file_size);
|
||||||
+ if (read_n != file_size)
|
+ if (read_n != file_size)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Could not retrieve file contents: %s\n", filepath);
|
|
||||||
+ grub_free (read_buffer);
|
+ grub_free (read_buffer);
|
||||||
+ grub_file_close (file);
|
+ err = grub_error (GRUB_ERR_FILE_READ_ERROR,
|
||||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
+ N_("Could not retrieve file contents: %s"),
|
||||||
|
+ filepath);
|
||||||
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ grub_file_close (file);
|
|
||||||
+
|
|
||||||
+ *buffer = read_buffer;
|
+ *buffer = read_buffer;
|
||||||
+ *buffer_size = file_size;
|
+ *buffer_size = file_size;
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ err = GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+error:
|
||||||
|
+ grub_file_close (file);
|
||||||
|
+
|
||||||
|
+ return err;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+static grub_err_t
|
+static grub_err_t
|
||||||
@ -575,12 +581,9 @@ index 000000000..9605ddbc7
|
|||||||
+
|
+
|
||||||
+ grub_tpm2_buffer_init (&buf);
|
+ grub_tpm2_buffer_init (&buf);
|
||||||
+ if (sealed_key_size > buf.cap)
|
+ if (sealed_key_size > buf.cap)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
+ grub_dprintf ("tpm2", "Sealed key file is larger than decode buffer "
|
+ N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
|
||||||
+ "(%" PRIuGRUB_SIZE " vs %" PRIuGRUB_SIZE " bytes).\n",
|
+ buf.cap);
|
||||||
+ sealed_key_size, buf.cap);
|
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ grub_memcpy (buf.data, sealed_key, sealed_key_size);
|
+ grub_memcpy (buf.data, sealed_key, sealed_key_size);
|
||||||
+ buf.size = sealed_key_size;
|
+ buf.size = sealed_key_size;
|
||||||
@ -589,11 +592,7 @@ index 000000000..9605ddbc7
|
|||||||
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
|
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
|
||||||
+
|
+
|
||||||
+ if (buf.error)
|
+ if (buf.error)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key file"));
|
||||||
+ grub_dprintf ("tpm2", "Could not unmarshal sealed key file, it is likely "
|
|
||||||
+ "malformed.\n");
|
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+}
|
+}
|
||||||
@ -668,10 +667,9 @@ index 000000000..9605ddbc7
|
|||||||
+ grub_tpm2_buffer_init (&buf);
|
+ grub_tpm2_buffer_init (&buf);
|
||||||
+ if (sealed_pub_size + sealed_priv_size > buf.cap)
|
+ if (sealed_pub_size + sealed_priv_size > buf.cap)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Sealed key is larger than decode buffer "
|
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
+ "(%" PRIuGRUB_SIZE " vs %" PRIuGRUB_SIZE " bytes).\n",
|
+ N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
|
||||||
+ sealed_pub_size, buf.cap);
|
+ buf.cap);
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -685,9 +683,7 @@ index 000000000..9605ddbc7
|
|||||||
+
|
+
|
||||||
+ if (buf.error)
|
+ if (buf.error)
|
||||||
+ {
|
+ {
|
||||||
+ grub_dprintf ("tpm2", "Could not unmarshal sealed key, it is likely "
|
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM 2.0 key file"));
|
||||||
+ "malformed.\n");
|
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -720,21 +716,19 @@ index 000000000..9605ddbc7
|
|||||||
+ TPM2B_NAME srkName = { 0 };
|
+ TPM2B_NAME srkName = { 0 };
|
||||||
+ TPM_HANDLE srkHandle;
|
+ TPM_HANDLE srkHandle;
|
||||||
+
|
+
|
||||||
+ /* Find SRK */
|
+ if (ctx->srk != 0)
|
||||||
+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
|
|
||||||
+ if (rc == TPM_RC_SUCCESS)
|
|
||||||
+ {
|
+ {
|
||||||
+ *srk = ctx->srk;
|
+ /* Find SRK */
|
||||||
+ return GRUB_ERR_NONE;
|
+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
|
||||||
+ }
|
+ if (rc == TPM_RC_SUCCESS)
|
||||||
|
+ {
|
||||||
|
+ *srk = ctx->srk;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ /* The handle exists but its public area could not be read. */
|
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
|
+ N_("Failed to retrieve SRK (TPM2_ReadPublic: 0x%x)"),
|
||||||
+ {
|
+ rc);
|
||||||
+ grub_dprintf ("tpm2", "The SRK handle (0x%x) exists on the TPM but its "
|
|
||||||
+ "public area could not be read (TPM2_ReadPublic "
|
|
||||||
+ "failed with TSS/TPM error %u).\n", ctx->srk, rc);
|
|
||||||
+ return GRUB_ERR_BAD_DEVICE;
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Create SRK */
|
+ /* Create SRK */
|
||||||
@ -768,7 +762,7 @@ index 000000000..9605ddbc7
|
|||||||
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
|
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
|
||||||
+ }
|
+ }
|
||||||
+ else
|
+ else
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm"));
|
||||||
+
|
+
|
||||||
+ rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
|
+ rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
|
||||||
+ &outsideInfo, &creationPcr, &srkHandle, &outPublic,
|
+ &outsideInfo, &creationPcr, &srkHandle, &outPublic,
|
||||||
@ -931,8 +925,8 @@ index 000000000..9605ddbc7
|
|||||||
+ &session, NULL, NULL);
|
+ &session, NULL, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ N_("Failed to start auth session (TPM2_StartAuthSession: "
|
+ N_("Failed to start auth session (TPM2_StartAuthSession: 0x%x)"),
|
||||||
+ "0x%x)"), rc);
|
+ rc);
|
||||||
+
|
+
|
||||||
+ /* Enforce the policy command sequence */
|
+ /* Enforce the policy command sequence */
|
||||||
+ err = grub_tpm2_protector_enforce_policy_seq (policy_seq, session);
|
+ err = grub_tpm2_protector_enforce_policy_seq (policy_seq, session);
|
||||||
@ -944,9 +938,9 @@ index 000000000..9605ddbc7
|
|||||||
+ rc = TPM2_Unseal (sealed_handle, &authCmd, &data, NULL);
|
+ rc = TPM2_Unseal (sealed_handle, &authCmd, &data, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ grub_error (err, N_("Failed to unseal sealed key (TPM2_Unseal: 0x%x)"),
|
+ N_("Failed to unseal sealed key (TPM2_Unseal: 0x%x)"),
|
||||||
+ rc);
|
+ rc);
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -954,8 +948,8 @@ index 000000000..9605ddbc7
|
|||||||
+ key_out = grub_malloc (data.size);
|
+ key_out = grub_malloc (data.size);
|
||||||
+ if (key_out == NULL)
|
+ if (key_out == NULL)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_OUT_OF_MEMORY;
|
+ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
+ grub_error (err, N_("No memory left to allocate unlock key buffer"));
|
+ N_("No memory left to allocate unlock key buffer"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -999,7 +993,7 @@ index 000000000..9605ddbc7
|
|||||||
+ err = grub_tpm2_protector_srk_read_file (ctx->tpm2key, &file_bytes,
|
+ err = grub_tpm2_protector_srk_read_file (ctx->tpm2key, &file_bytes,
|
||||||
+ &file_size);
|
+ &file_size);
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
+ return grub_error (err, N_("Failed to read key file %s"), ctx->tpm2key);
|
+ return err;
|
||||||
+
|
+
|
||||||
+ err = grub_tpm2_protector_srk_unmarshal_tpm2key (file_bytes,
|
+ err = grub_tpm2_protector_srk_unmarshal_tpm2key (file_bytes,
|
||||||
+ file_size,
|
+ file_size,
|
||||||
@ -1008,29 +1002,21 @@ index 000000000..9605ddbc7
|
|||||||
+ &parent_handle,
|
+ &parent_handle,
|
||||||
+ &sealed_key);
|
+ &sealed_key);
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
+ {
|
+ goto exit1;
|
||||||
+ grub_error (err, N_("Failed to unmarshal key, ensure the key file is in "
|
|
||||||
+ "TPM 2.0 Key File format"));
|
|
||||||
+ goto exit1;
|
|
||||||
+ }
|
|
||||||
+ }
|
+ }
|
||||||
+ else
|
+ else
|
||||||
+ {
|
+ {
|
||||||
+ err = grub_tpm2_protector_srk_read_file (ctx->keyfile, &file_bytes,
|
+ err = grub_tpm2_protector_srk_read_file (ctx->keyfile, &file_bytes,
|
||||||
+ &file_size);
|
+ &file_size);
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
+ return grub_error (err, N_("Failed to read key file %s"), ctx->keyfile);
|
+ return err;
|
||||||
+
|
+
|
||||||
+ parent_handle = TPM_RH_OWNER;
|
+ parent_handle = TPM_RH_OWNER;
|
||||||
+ err = grub_tpm2_protector_srk_unmarshal_keyfile (file_bytes,
|
+ err = grub_tpm2_protector_srk_unmarshal_keyfile (file_bytes,
|
||||||
+ file_size,
|
+ file_size,
|
||||||
+ &sealed_key);
|
+ &sealed_key);
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
+ {
|
+ goto exit1;
|
||||||
+ grub_error (err, N_("Failed to unmarshal key, ensure the key file is in "
|
|
||||||
+ "TPM wire format"));
|
|
||||||
+ goto exit1;
|
|
||||||
+ }
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Get the SRK to unseal the sealed key */
|
+ /* Get the SRK to unseal the sealed key */
|
||||||
@ -1044,11 +1030,16 @@ index 000000000..9605ddbc7
|
|||||||
+ &sealed_handle, &name, NULL);
|
+ &sealed_handle, &name, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ grub_error (err, N_("Failed to load sealed key (TPM2_Load: 0x%x)"), rc);
|
+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
|
||||||
|
+ rc);
|
||||||
+ goto exit2;
|
+ goto exit2;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Set err to an error code to trigger the standalone policy sequence
|
||||||
|
+ * if there is no authpolicy sequence
|
||||||
|
+ */
|
||||||
+ err = GRUB_ERR_READ_ERROR;
|
+ err = GRUB_ERR_READ_ERROR;
|
||||||
+
|
+
|
||||||
+ /* Iterate the authpolicy sequence to find one that unseals the key */
|
+ /* Iterate the authpolicy sequence to find one that unseals the key */
|
||||||
@ -1200,9 +1191,6 @@ index 000000000..9605ddbc7
|
|||||||
+
|
+
|
||||||
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK)
|
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK)
|
||||||
+ {
|
+ {
|
||||||
+ if (!ctx->srk)
|
|
||||||
+ ctx->srk = TPM2_SRK_HANDLE;
|
|
||||||
+
|
|
||||||
+ if (!ctx->asymmetric)
|
+ if (!ctx->asymmetric)
|
||||||
+ {
|
+ {
|
||||||
+ ctx->asymmetric = TPM_ALG_RSA;
|
+ ctx->asymmetric = TPM_ALG_RSA;
|
||||||
@ -1425,10 +1413,10 @@ index 000000000..e3b6a03e0
|
|||||||
+END
|
+END
|
||||||
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
|
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..62f6d865b
|
index 000000000..a26c287c9
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/grub-core/tpm2/tpm2key.c
|
+++ b/grub-core/tpm2/tpm2key.c
|
||||||
@@ -0,0 +1,440 @@
|
@@ -0,0 +1,447 @@
|
||||||
+/*
|
+/*
|
||||||
+ * GRUB -- GRand Unified Bootloader
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
+ * Copyright (C) 2023 SUSE LLC
|
+ * Copyright (C) 2023 SUSE LLC
|
||||||
@ -1543,24 +1531,29 @@ index 000000000..62f6d865b
|
|||||||
+ */
|
+ */
|
||||||
+ ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
|
+ ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Failed to parse TPM2KEY ASN.1 array"));
|
||||||
+
|
+
|
||||||
+ ret = asn1_create_element (tpm2key_asn1, "TPM2KEY.TPMKey", &tpm2key);
|
+ ret = asn1_create_element (tpm2key_asn1, "TPM2KEY.TPMKey", &tpm2key);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Failed to create TPM2KEY.TPMKey"));
|
||||||
+
|
+
|
||||||
+ ret = asn1_der_decoding (&tpm2key, data, size, NULL);
|
+ ret = asn1_der_decoding (&tpm2key, data, size, NULL);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Failed to decode TPM2KEY DER"));
|
||||||
+
|
+
|
||||||
+ /* Check if 'type' is Sealed Key or not */
|
+ /* Check if 'type' is Sealed Key or not */
|
||||||
+ ret = asn1_allocate_and_read (tpm2key, "type", &type_oid, &type_oid_size);
|
+ ret = asn1_allocate_and_read (tpm2key, "type", &type_oid, &type_oid_size);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||||
|
+ N_("Not a valid TPM2KEY file"));
|
||||||
+
|
+
|
||||||
+ if (grub_memcmp (sealed_key_oid, type_oid, type_oid_size) != 0)
|
+ if (grub_memcmp (sealed_key_oid, type_oid, type_oid_size) != 0)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_FILE_TYPE;
|
+ err = grub_error (GRUB_ERR_BAD_FILE_TYPE,
|
||||||
|
+ N_("Not a valid TPM2KEY file"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1568,7 +1561,7 @@ index 000000000..62f6d865b
|
|||||||
+ ret = asn1_allocate_and_read (tpm2key, "emptyAuth", &empty_auth, &empty_auth_size);
|
+ ret = asn1_allocate_and_read (tpm2key, "emptyAuth", &empty_auth, &empty_auth_size);
|
||||||
+ if (ret != ASN1_SUCCESS || grub_strncmp ("TRUE", empty_auth, empty_auth_size) != 0)
|
+ if (ret != ASN1_SUCCESS || grub_strncmp ("TRUE", empty_auth, empty_auth_size) != 0)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("emptyAuth not TRUE"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1576,7 +1569,8 @@ index 000000000..62f6d865b
|
|||||||
+ ret = asn1_read_value (tpm2key, "secret", NULL, &tmp_size);
|
+ ret = asn1_read_value (tpm2key, "secret", NULL, &tmp_size);
|
||||||
+ if (ret != ASN1_ELEMENT_NOT_FOUND)
|
+ if (ret != ASN1_ELEMENT_NOT_FOUND)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("\"secret\" not allowed for Sealed Key"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1608,14 +1602,14 @@ index 000000000..62f6d865b
|
|||||||
+ int ret;
|
+ int ret;
|
||||||
+
|
+
|
||||||
+ if (parent == NULL)
|
+ if (parent == NULL)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("NULL pointer detected"));
|
||||||
+
|
+
|
||||||
+ if (tpm2key == NULL)
|
+ if (tpm2key == NULL)
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid parent node"));
|
||||||
+
|
+
|
||||||
+ ret = asn1_read_uint32 (tpm2key, "parent", parent);
|
+ ret = asn1_read_uint32 (tpm2key, "parent", parent);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve parent"));
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+}
|
+}
|
||||||
@ -1626,14 +1620,16 @@ index 000000000..62f6d865b
|
|||||||
+ int ret;
|
+ int ret;
|
||||||
+
|
+
|
||||||
+ if (name == NULL || data == NULL || size == NULL)
|
+ if (name == NULL || data == NULL || size == NULL)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Invalid parameter(s)"));
|
||||||
+
|
+
|
||||||
+ if (tpm2key == NULL)
|
+ if (tpm2key == NULL)
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid %s node"), name);
|
||||||
+
|
+
|
||||||
+ ret = asn1_allocate_and_read (tpm2key, name, data, size);
|
+ ret = asn1_allocate_and_read (tpm2key, name, data, size);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
+ return grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Failed to retrieve %s"),
|
||||||
|
+ name);
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+}
|
+}
|
||||||
@ -1764,9 +1760,7 @@ index 000000000..62f6d865b
|
|||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+ }
|
+ }
|
||||||
+ else if (ret != ASN1_SUCCESS)
|
+ else if (ret != ASN1_SUCCESS)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve policy"));
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+}
|
+}
|
||||||
@ -1806,13 +1800,12 @@ index 000000000..62f6d865b
|
|||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+ }
|
+ }
|
||||||
+ else if (ret != ASN1_SUCCESS)
|
+ else if (ret != ASN1_SUCCESS)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve authPolicy"));
|
||||||
+ return GRUB_ERR_READ_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ /* Limit the number of authPolicy elements to two digits (99) */
|
+ /* Limit the number of authPolicy elements to two digits (99) */
|
||||||
+ if (authpol_n > 100 || authpol_n < 1)
|
+ if (authpol_n > 100 || authpol_n < 1)
|
||||||
+ return GRUB_ERR_OUT_OF_RANGE;
|
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||||
|
+ N_("Invalid number of autoPolicy elements"));
|
||||||
+
|
+
|
||||||
+ /*
|
+ /*
|
||||||
+ * Iterate the authPolicy elements backwards since grub_list_push() prepends
|
+ * Iterate the authPolicy elements backwards since grub_list_push() prepends
|
||||||
@ -1822,7 +1815,8 @@ index 000000000..62f6d865b
|
|||||||
+ authpol = grub_zalloc (sizeof (struct tpm2key_authpolicy));
|
+ authpol = grub_zalloc (sizeof (struct tpm2key_authpolicy));
|
||||||
+ if (authpol == NULL)
|
+ if (authpol == NULL)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_OUT_OF_MEMORY;
|
+ err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Failed to allocate memory for authPolicy"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+ grub_snprintf (authpol_pol, AUTHPOLICY_POL_MAX, "authPolicy.?%d.Policy", i);
|
+ grub_snprintf (authpol_pol, AUTHPOLICY_POL_MAX, "authPolicy.?%d.Policy", i);
|
||||||
@ -1830,7 +1824,8 @@ index 000000000..62f6d865b
|
|||||||
+ ret = tpm2key_get_policy_seq (tpm2key, authpol_pol, &authpol->policy_seq);
|
+ ret = tpm2key_get_policy_seq (tpm2key, authpol_pol, &authpol->policy_seq);
|
||||||
+ if (ret != ASN1_SUCCESS)
|
+ if (ret != ASN1_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_READ_ERROR;
|
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Failed to retrieve policy from authPolicy"));
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
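Review bot: In the updated grub_tpm2_protector_srk_read_file, the `file == NULL` branch now does `goto error;`, and the new `error:` label calls `grub_file_close (file);` unconditionally, so a failed open of the key file passes a NULL handle to grub_file_close. grub_file_close is not shown on this page; unless it tolerates NULL, a missing or unreadable sealed-key file would fault in the bootloader instead of returning the pushed error. The cleanup should be guarded, `if (file != NULL) grub_file_close (file);`, or the open-failure branch should return `err` directly. As a smaller point, the open-failure message `N_("Could not open file: %s\n")` keeps a trailing newline that the other grub_error strings in this patch do not have. The function's signature lies outside the displayed hunk, so this is based only on the lines visible here.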
|
@ -1,31 +1,73 @@
|
|||||||
From d6e2d32d53d9a1aac2383fc6c075f3827111b643 Mon Sep 17 00:00:00 2001
|
From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Lin <glin@suse.com>
|
From: Gary Lin <glin@suse.com>
|
||||||
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
||||||
Subject: [PATCH 4/4] tpm2: Support authorized policy
|
Subject: [PATCH v7 16/20] tpm2: Support authorized policy
|
||||||
|
|
||||||
TPM2_PolicyAuthorize is the key command to support authorized policy
|
This commit handles the TPM2_PolicyAuthorize command from the key file
|
||||||
which allows the users to sign TPM policies with their own keys.
|
in TPM 2.0 Key File format.
|
||||||
|
|
||||||
Per TPM 2.0 Key File(*), CommandPolicy for TPM2_PolicyAuthorize
|
TPM2_PolicyAuthorize is the essential command to support authorized
|
||||||
|
policy which allows the users to sign TPM policies with their own keys.
|
||||||
|
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
|
||||||
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
|
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
|
||||||
'TPMT_SIGNATURE signature'. This commit unmarshals those data
|
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
|
||||||
structures, fetches the current policy digest, hashes the policy digest
|
digest is hashed with the hash algorithm written in 'signature', and then
|
||||||
with the hash algorithm written in 'signature', and then verifies
|
'signature' is verified with the hashed policy digest and 'pubkey'. Once
|
||||||
'signature' with 'pubkey'. If everything goes well, TPM2_PolicyAuthorize
|
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
|
||||||
is invoked to authorize the signed policy.
|
signed policy.
|
||||||
|
|
||||||
(*) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
|
To create the key file with authorized policy, here are the pcr-oracle(*2)
|
||||||
|
commands:
|
||||||
|
|
||||||
|
# Generate the RSA key and create the authorized policy file
|
||||||
|
$ pcr-oracle \
|
||||||
|
--rsa-generate-key \
|
||||||
|
--private-key policy-key.pem \
|
||||||
|
--auth authorized.policy \
|
||||||
|
create-authorized-policy 0,2,4,7,9
|
||||||
|
|
||||||
|
# Seal the secret with the authorized policy
|
||||||
|
$ pcr-oracle \
|
||||||
|
--key-format tpm2.0 \
|
||||||
|
--auth authorized.policy \
|
||||||
|
--input disk-secret.txt \
|
||||||
|
--output sealed.key \
|
||||||
|
seal-secret
|
||||||
|
|
||||||
|
# Sign the predicted PCR policy
|
||||||
|
$ pcr-oracle \
|
||||||
|
--key-format tpm2.0 \
|
||||||
|
--private-key policy-key.pem \
|
||||||
|
--from eventlog \
|
||||||
|
--stop-event "grub-file=grub.cfg" \
|
||||||
|
--after \
|
||||||
|
--input sealed.key \
|
||||||
|
--output sealed.tpm \
|
||||||
|
sign 0,2,4,7.9
|
||||||
|
|
||||||
|
Then specify the key file and the key protector to grub.cfg in the EFI
|
||||||
|
system partition:
|
||||||
|
|
||||||
|
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
|
||||||
|
cryptomount -u <PART_UUID> -P tpm2
|
||||||
|
|
||||||
|
For any change in the boot components, just run the 'sign' command again
|
||||||
|
to update the signature in sealed.tpm, and TPM can unseal the key file
|
||||||
|
with the updated PCR policy.
|
||||||
|
|
||||||
|
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
|
||||||
|
(*2) https://github.com/okirch/pcr-oracle
|
||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
---
|
---
|
||||||
grub-core/tpm2/module.c | 98 +++++++++++++++++++++++++++++++++++++++++
|
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
|
||||||
1 file changed, 98 insertions(+)
|
1 file changed, 84 insertions(+)
|
||||||
|
|
||||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||||
index 5274296b7..e5235c2ac 100644
|
index df0727215..0cbfd06e8 100644
|
||||||
--- a/grub-core/tpm2/module.c
|
--- a/grub-core/tpm2/module.c
|
||||||
+++ b/grub-core/tpm2/module.c
|
+++ b/grub-core/tpm2/module.c
|
||||||
@@ -454,6 +454,101 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
||||||
return GRUB_ERR_NONE;
|
return GRUB_ERR_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -49,59 +91,45 @@ index 5274296b7..e5235c2ac 100644
|
|||||||
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
|
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
|
||||||
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
|
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
|
||||||
+ if (cmd_buf->error != 0)
|
+ if (cmd_buf->error != 0)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
+ N_("Failed to unmarshal the buffer for TPM2_PolicyAuthorize"));
|
||||||
+ return grub_error (err, N_("Failed to unmarshal the buffer for "
|
|
||||||
+ "TPM2_PolicyAuthorize"));
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ /* Retrieve Policy Digest */
|
+ /* Retrieve Policy Digest */
|
||||||
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
|
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ N_("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x)."),
|
||||||
+ grub_error (err, N_("Failed to get policy digest (TPM error: 0x%x)."),
|
+ rc);
|
||||||
+ rc);
|
|
||||||
+ return err;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ /* Calculate the digest of the polcy for VerifySignature */
|
+ /* Calculate the digest of the polcy for VerifySignature */
|
||||||
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
|
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
|
||||||
+ if (sig_hash == TPM_ALG_NULL)
|
+ if (sig_hash == TPM_ALG_NULL)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
+ err = GRUB_ERR_BAD_ARGUMENT;
|
+ N_("Failed to get the hash algorithm of the signature"));
|
||||||
+ grub_error (err, N_("Failed to get the hash algorithm of the signature"));
|
+
|
||||||
+ return err;
|
|
||||||
+ }
|
|
||||||
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
|
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
|
||||||
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
|
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
|
||||||
+ grub_error (err, N_("Failed to create PCR policy hash (TPM2_Hash failed "
|
+ rc);
|
||||||
+ "with TSS/TPM error %u)"), rc);
|
|
||||||
+ return err;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ /* Load the public key */
|
+ /* Load the public key */
|
||||||
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
|
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
|
||||||
+ &pubkey_handle, &pubname, NULL);
|
+ &pubkey_handle, &pubname, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ N_("Failed to load public key (TPM2_LoadExternal: 0x%x)"),
|
||||||
+ grub_error (err, N_("Failed to load public key (TPM2_LoadExternal failed "
|
+ rc);
|
||||||
+ "with TSS/TPM error %u)"), rc);
|
|
||||||
+ return err;
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ /* Verify the signature against the public key and the policy digest */
|
+ /* Verify the signature against the public key and the policy digest */
|
||||||
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
|
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
|
||||||
+ &verification_ticket, NULL);
|
+ &verification_ticket, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ grub_error (err, N_("Failed to verify signature (TPM2_VerifySignature "
|
+ N_("Failed to verify signature (TPM2_VerifySignature: 0x%x)"),
|
||||||
+ "failed with TSS/TPM error %u)"), rc);
|
+ rc);
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -110,9 +138,9 @@ index 5274296b7..e5235c2ac 100644
|
|||||||
+ &verification_ticket, NULL);
|
+ &verification_ticket, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||||
+ grub_error (err, N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize "
|
+ N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)"),
|
||||||
+ "failed with TSS/TPM error: 0x%u).\n"), rc);
|
+ rc);
|
||||||
+ goto error;
|
+ goto error;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -127,7 +155,7 @@ index 5274296b7..e5235c2ac 100644
|
|||||||
static grub_err_t
|
static grub_err_t
|
||||||
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
|
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
|
||||||
{
|
{
|
||||||
@@ -473,6 +568,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
||||||
case TPM_CC_PolicyPCR:
|
case TPM_CC_PolicyPCR:
|
||||||
err = grub_tpm2_protector_policypcr (session, &buf);
|
err = grub_tpm2_protector_policypcr (session, &buf);
|
||||||
break;
|
break;
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001
|
From 1116bc4b9a27aceaec53421e89eb887e6ad3aef8 Mon Sep 17 00:00:00 2001
|
||||||
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Date: Tue, 1 Feb 2022 05:02:57 -0800
|
Date: Tue, 1 Feb 2022 05:02:57 -0800
|
||||||
Subject: [PATCH v6 12/20] util/grub-protect: Add new tool
|
Subject: [PATCH v7 12/20] util/grub-protect: Add new tool
|
||||||
|
|
||||||
To utilize the key protectors framework, there must be a way to protect
|
To utilize the key protectors framework, there must be a way to protect
|
||||||
full-disk encryption keys in the first place. The grub-protect tool
|
full-disk encryption keys in the first place. The grub-protect tool
|
||||||
@ -51,21 +51,21 @@ cryptomount -u <SDB1_UUID> -P tpm2
|
|||||||
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
---
|
---
|
||||||
.gitignore | 2 +
|
|
||||||
Makefile.util.def | 22 +
|
Makefile.util.def | 22 +
|
||||||
configure.ac | 9 +
|
configure.ac | 9 +
|
||||||
util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++
|
util/grub-protect.c | 1492 +++++++++++++++++++++++++++++++++++++++++++
|
||||||
4 files changed, 1557 insertions(+)
|
4 files changed, 1525 insertions(+)
|
||||||
create mode 100644 util/grub-protect.c
|
create mode 100644 util/grub-protect.c
|
||||||
|
|
||||||
Index: grub-2.12~rc1/Makefile.util.def
|
diff --git a/Makefile.util.def b/Makefile.util.def
|
||||||
===================================================================
|
index e89abb38f..f43c223b9 100644
|
||||||
--- grub-2.12~rc1.orig/Makefile.util.def
|
--- a/Makefile.util.def
|
||||||
+++ grub-2.12~rc1/Makefile.util.def
|
+++ b/Makefile.util.def
|
||||||
@@ -208,6 +208,28 @@ program = {
|
@@ -207,6 +207,28 @@ program = {
|
||||||
|
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
|
||||||
};
|
};
|
||||||
|
|
||||||
program = {
|
+program = {
|
||||||
+ name = grub-protect;
|
+ name = grub-protect;
|
||||||
+
|
+
|
||||||
+ common = grub-core/osdep/init.c;
|
+ common = grub-core/osdep/init.c;
|
||||||
@ -87,14 +87,13 @@ Index: grub-2.12~rc1/Makefile.util.def
|
|||||||
+ enable = efi;
|
+ enable = efi;
|
||||||
+};
|
+};
|
||||||
+
|
+
|
||||||
+program = {
|
program = {
|
||||||
name = grub-mkrelpath;
|
name = grub-mkrelpath;
|
||||||
mansection = 1;
|
mansection = 1;
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
Index: grub-2.12~rc1/configure.ac
|
index c19779c14..9796e5f9b 100644
|
||||||
===================================================================
|
--- a/configure.ac
|
||||||
--- grub-2.12~rc1.orig/configure.ac
|
+++ b/configure.ac
|
||||||
+++ grub-2.12~rc1/configure.ac
|
|
||||||
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
|
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
|
||||||
grub_TRANSFORM([grub-mkrelpath])
|
grub_TRANSFORM([grub-mkrelpath])
|
||||||
grub_TRANSFORM([grub-mkrescue])
|
grub_TRANSFORM([grub-mkrescue])
|
||||||
@ -103,7 +102,7 @@ Index: grub-2.12~rc1/configure.ac
|
|||||||
grub_TRANSFORM([grub-reboot])
|
grub_TRANSFORM([grub-reboot])
|
||||||
grub_TRANSFORM([grub-script-check])
|
grub_TRANSFORM([grub-script-check])
|
||||||
grub_TRANSFORM([grub-set-default])
|
grub_TRANSFORM([grub-set-default])
|
||||||
@@ -1992,6 +1993,14 @@ fi
|
@@ -2018,6 +2019,14 @@ fi
|
||||||
AC_SUBST([LIBZFS])
|
AC_SUBST([LIBZFS])
|
||||||
AC_SUBST([LIBNVPAIR])
|
AC_SUBST([LIBNVPAIR])
|
||||||
|
|
||||||
@ -118,11 +117,12 @@ Index: grub-2.12~rc1/configure.ac
|
|||||||
LIBS=""
|
LIBS=""
|
||||||
|
|
||||||
AC_SUBST([FONT_SOURCE])
|
AC_SUBST([FONT_SOURCE])
|
||||||
Index: grub-2.12~rc1/util/grub-protect.c
|
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
||||||
===================================================================
|
new file mode 100644
|
||||||
|
index 000000000..c6d41ea40
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ grub-2.12~rc1/util/grub-protect.c
|
+++ b/util/grub-protect.c
|
||||||
@@ -0,0 +1,1524 @@
|
@@ -0,0 +1,1492 @@
|
||||||
+/*
|
+/*
|
||||||
+ * GRUB -- GRand Unified Bootloader
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
+ * Copyright (C) 2022 Microsoft Corporation
|
+ * Copyright (C) 2022 Microsoft Corporation
|
||||||
@ -184,7 +184,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ GRUB_PROTECT_OPT_TPM2_SRK,
|
+ GRUB_PROTECT_OPT_TPM2_SRK,
|
||||||
+ GRUB_PROTECT_OPT_TPM2_KEYFILE,
|
+ GRUB_PROTECT_OPT_TPM2_KEYFILE,
|
||||||
+ GRUB_PROTECT_OPT_TPM2_OUTFILE,
|
+ GRUB_PROTECT_OPT_TPM2_OUTFILE,
|
||||||
+ GRUB_PROTECT_OPT_TPM2_PERSIST,
|
|
||||||
+ GRUB_PROTECT_OPT_TPM2_EVICT,
|
+ GRUB_PROTECT_OPT_TPM2_EVICT,
|
||||||
+ GRUB_PROTECT_OPT_TPM2_TPM2KEY
|
+ GRUB_PROTECT_OPT_TPM2_TPM2KEY
|
||||||
+} grub_protect_opt;
|
+} grub_protect_opt;
|
||||||
@ -203,9 +202,8 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ GRUB_PROTECT_ARG_TPM2_SRK = 1 << 6,
|
+ GRUB_PROTECT_ARG_TPM2_SRK = 1 << 6,
|
||||||
+ GRUB_PROTECT_ARG_TPM2_KEYFILE = 1 << 7,
|
+ GRUB_PROTECT_ARG_TPM2_KEYFILE = 1 << 7,
|
||||||
+ GRUB_PROTECT_ARG_TPM2_OUTFILE = 1 << 8,
|
+ GRUB_PROTECT_ARG_TPM2_OUTFILE = 1 << 8,
|
||||||
+ GRUB_PROTECT_ARG_TPM2_PERSIST = 1 << 9,
|
+ GRUB_PROTECT_ARG_TPM2_EVICT = 1 << 9,
|
||||||
+ GRUB_PROTECT_ARG_TPM2_EVICT = 1 << 10,
|
+ GRUB_PROTECT_ARG_TPM2_TPM2KEY = 1 << 10
|
||||||
+ GRUB_PROTECT_ARG_TPM2_TPM2KEY = 1 << 11
|
|
||||||
+} grub_protect_arg_t;
|
+} grub_protect_arg_t;
|
||||||
+
|
+
|
||||||
+typedef enum grub_protect_protector
|
+typedef enum grub_protect_protector
|
||||||
@ -237,7 +235,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ TPM_HANDLE tpm2_srk;
|
+ TPM_HANDLE tpm2_srk;
|
||||||
+ const char *tpm2_keyfile;
|
+ const char *tpm2_keyfile;
|
||||||
+ const char *tpm2_outfile;
|
+ const char *tpm2_outfile;
|
||||||
+ int tpm2_persist;
|
|
||||||
+ int tpm2_evict;
|
+ int tpm2_evict;
|
||||||
+ int tpm2_tpm2key;
|
+ int tpm2_tpm2key;
|
||||||
+};
|
+};
|
||||||
@ -318,8 +315,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ .arg = "NUM",
|
+ .arg = "NUM",
|
||||||
+ .flags = 0,
|
+ .flags = 0,
|
||||||
+ .doc =
|
+ .doc =
|
||||||
+ N_("The SRK handle if the SRK is to be made persistent "
|
+ N_("The SRK handle if the SRK is to be made persistent."),
|
||||||
+ "(default is 0x81000001)."),
|
|
||||||
+ .group = 0
|
+ .group = 0
|
||||||
+ },
|
+ },
|
||||||
+ {
|
+ {
|
||||||
@ -335,16 +331,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ .group = 0
|
+ .group = 0
|
||||||
+ },
|
+ },
|
||||||
+ {
|
+ {
|
||||||
+ .name = "tpm2-persist",
|
|
||||||
+ .key = GRUB_PROTECT_OPT_TPM2_PERSIST,
|
|
||||||
+ .arg = NULL,
|
|
||||||
+ .flags = 0,
|
|
||||||
+ .doc =
|
|
||||||
+ N_("Whether to persist the SRK onto the TPM, otherwise it is recreated "
|
|
||||||
+ "ephemerally during boot (default is to not persist it)."),
|
|
||||||
+ .group = 0
|
|
||||||
+ },
|
|
||||||
+ {
|
|
||||||
+ .name = "tpm2-evict",
|
+ .name = "tpm2-evict",
|
||||||
+ .key = GRUB_PROTECT_OPT_TPM2_EVICT,
|
+ .key = GRUB_PROTECT_OPT_TPM2_EVICT,
|
||||||
+ .arg = NULL,
|
+ .arg = NULL,
|
||||||
@ -634,7 +620,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ rc = TPM2_PCR_Read (NULL, &pcr_sel, NULL, &pcr_sel_out, &pcr_values, NULL);
|
+ rc = TPM2_PCR_Read (NULL, &pcr_sel, NULL, &pcr_sel_out, &pcr_values, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr, _("Failed to read PCRs (TPM error: 0x%x).\n"), rc);
|
+ fprintf (stderr, _("Failed to read PCRs (TPM2_PCR_Read: 0x%x).\n"), rc);
|
||||||
+ return GRUB_ERR_BAD_DEVICE;
|
+ return GRUB_ERR_BAD_DEVICE;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -711,7 +697,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr,
|
+ fprintf (stderr,
|
||||||
+ _("Failed to start trial policy session (TPM error: 0x%x).\n"),
|
+ _("Failed to start trial policy session (TPM2_StartAuthSession: 0x%x).\n"),
|
||||||
+ rc);
|
+ rc);
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = GRUB_ERR_BAD_DEVICE;
|
||||||
+ goto exit2;
|
+ goto exit2;
|
||||||
@ -723,7 +709,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL);
|
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr, _("Failed to submit PCR policy (TPM error: 0x%x).\n"),
|
+ fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR: 0x%x).\n"),
|
||||||
+ rc);
|
+ rc);
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = GRUB_ERR_BAD_DEVICE;
|
||||||
+ goto exit3;
|
+ goto exit3;
|
||||||
@ -733,7 +719,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ rc = TPM2_PolicyGetDigest (session, NULL, &policy_digest, NULL);
|
+ rc = TPM2_PolicyGetDigest (session, NULL, &policy_digest, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr, _("Failed to get policy digest (TPM error: 0x%x).\n"),
|
+ fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).\n"),
|
||||||
+ rc);
|
+ rc);
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = GRUB_ERR_BAD_DEVICE;
|
||||||
+ goto exit3;
|
+ goto exit3;
|
||||||
@ -772,26 +758,25 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ TPM2B_NAME srkName = { 0 };
|
+ TPM2B_NAME srkName = { 0 };
|
||||||
+ TPM_HANDLE srkHandle;
|
+ TPM_HANDLE srkHandle;
|
||||||
+
|
+
|
||||||
+ /* Find SRK */
|
+ if (args->tpm2_srk != 0)
|
||||||
+ rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
|
|
||||||
+ if (rc == TPM_RC_SUCCESS)
|
|
||||||
+ {
|
+ {
|
||||||
+ if (args->tpm2_persist)
|
+ /* Find SRK */
|
||||||
+ fprintf (stderr,
|
+ rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
|
||||||
+ _("Warning: --tpm2-persist was specified but the SRK already "
|
+ if (rc == TPM_RC_SUCCESS)
|
||||||
+ "exists on the TPM. Continuing anyway...\n"));
|
+ {
|
||||||
|
+ printf (_("Read SRK from 0x%x\n"), args->tpm2_srk);
|
||||||
|
+ *srk = args->tpm2_srk;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ *srk = TPM2_SRK_HANDLE;
|
+ /* The handle exists but its public area could not be read. */
|
||||||
+ return GRUB_ERR_NONE;
|
+ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
|
||||||
+ }
|
+ {
|
||||||
+
|
+ fprintf (stderr,
|
||||||
+ /* The handle exists but its public area could not be read. */
|
+ _("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic: 0x%x).\n"),
|
||||||
+ if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
|
+ args->tpm2_srk, rc);
|
||||||
+ {
|
+ return GRUB_ERR_BAD_DEVICE;
|
||||||
+ fprintf (stderr,
|
+ }
|
||||||
+ _("The SRK exists on the TPM but its public area cannot be read "
|
|
||||||
+ "(TPM error: 0x%x).\n"), rc);
|
|
||||||
+ return GRUB_ERR_BAD_DEVICE;
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Create SRK */
|
+ /* Create SRK */
|
||||||
@ -836,12 +821,12 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ &srkName, NULL);
|
+ &srkName, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr, _("Failed to create SRK (TPM error: 0x%x).\n"), rc);
|
+ fprintf (stderr, _("Failed to create SRK (TPM2_CreatePrimary: 0x%x).\n"), rc);
|
||||||
+ return GRUB_ERR_BAD_DEVICE;
|
+ return GRUB_ERR_BAD_DEVICE;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Persist SRK */
|
+ /* Persist SRK */
|
||||||
+ if (args->tpm2_persist)
|
+ if (args->tpm2_srk != 0)
|
||||||
+ {
|
+ {
|
||||||
+ rc = TPM2_EvictControl (TPM_RH_OWNER, srkHandle, &authCommand,
|
+ rc = TPM2_EvictControl (TPM_RH_OWNER, srkHandle, &authCommand,
|
||||||
+ args->tpm2_srk, NULL);
|
+ args->tpm2_srk, NULL);
|
||||||
@ -852,8 +837,8 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ }
|
+ }
|
||||||
+ else
|
+ else
|
||||||
+ fprintf (stderr,
|
+ fprintf (stderr,
|
||||||
+ _("Warning: Failed to persist SRK (TPM error: 0x%x\n). "
|
+ _("Warning: Failed to persist SRK (0x%x) (TPM2_EvictControl: 0x%x\n). "
|
||||||
+ "Continuing anyway...\n"), rc);
|
+ "Continuing anyway...\n"), args->tpm2_srk, rc);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Epilogue */
|
+ /* Epilogue */
|
||||||
@ -891,7 +876,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ &pcr_sel, &outPrivate, &outPublic, NULL, NULL, NULL, NULL);
|
+ &pcr_sel, &outPrivate, &outPublic, NULL, NULL, NULL, NULL);
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr, _("Failed to seal key (TPM error: 0x%x).\n"), rc);
|
+ fprintf (stderr, _("Failed to seal key (TPM2_Create: 0x%x).\n"), rc);
|
||||||
+ return GRUB_ERR_BAD_DEVICE;
|
+ return GRUB_ERR_BAD_DEVICE;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1202,7 +1187,7 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ if (rc != TPM_RC_SUCCESS)
|
+ if (rc != TPM_RC_SUCCESS)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr,
|
+ fprintf (stderr,
|
||||||
+ _("Failed to evict SRK with handle 0x%x (TPM Error: 0x%x).\n"),
|
+ _("Failed to evict SRK with handle 0x%x (TPM2_EvictControl: 0x%x).\n"),
|
||||||
+ args->tpm2_srk, rc);
|
+ args->tpm2_srk, rc);
|
||||||
+ err = GRUB_ERR_BAD_DEVICE;
|
+ err = GRUB_ERR_BAD_DEVICE;
|
||||||
+ goto exit2;
|
+ goto exit2;
|
||||||
@ -1269,9 +1254,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ args->tpm2_pcr_count = 1;
|
+ args->tpm2_pcr_count = 1;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (args->tpm2_srk == 0)
|
|
||||||
+ args->tpm2_srk = TPM2_SRK_HANDLE;
|
|
||||||
+
|
|
||||||
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
|
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
|
||||||
+ {
|
+ {
|
||||||
+ args->tpm2_asymmetric = TPM_ALG_RSA;
|
+ args->tpm2_asymmetric = TPM_ALG_RSA;
|
||||||
@ -1319,19 +1301,16 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (args->args & GRUB_PROTECT_ARG_TPM2_PERSIST)
|
+ if (args->tpm2_srk == 0)
|
||||||
+ {
|
+ {
|
||||||
+ fprintf (stderr,
|
+ fprintf (stderr,
|
||||||
+ _("--tpm2-persist is invalid when --action is 'remove'.\n"));
|
+ _("--tpm2-srk is not specified when --action is 'remove'.\n"));
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (args->tpm2_device == NULL)
|
+ if (args->tpm2_device == NULL)
|
||||||
+ args->tpm2_device = "/dev/tpm0";
|
+ args->tpm2_device = "/dev/tpm0";
|
||||||
+
|
+
|
||||||
+ if (args->tpm2_srk == 0)
|
|
||||||
+ args->tpm2_srk = TPM2_SRK_HANDLE;
|
|
||||||
+
|
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ default:
|
+ default:
|
||||||
@ -1497,17 +1476,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+ args->args |= GRUB_PROTECT_ARG_TPM2_OUTFILE;
|
+ args->args |= GRUB_PROTECT_ARG_TPM2_OUTFILE;
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case GRUB_PROTECT_OPT_TPM2_PERSIST:
|
|
||||||
+ if (args->args & GRUB_PROTECT_ARG_TPM2_PERSIST)
|
|
||||||
+ {
|
|
||||||
+ fprintf (stderr, _("--tpm2-persist can only be specified once.\n"));
|
|
||||||
+ return EINVAL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ args->tpm2_persist = 1;
|
|
||||||
+ args->args |= GRUB_PROTECT_ARG_TPM2_PERSIST;
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case GRUB_PROTECT_OPT_TPM2_EVICT:
|
+ case GRUB_PROTECT_OPT_TPM2_EVICT:
|
||||||
+ if (args->args & GRUB_PROTECT_ARG_TPM2_EVICT)
|
+ if (args->args & GRUB_PROTECT_ARG_TPM2_EVICT)
|
||||||
+ {
|
+ {
|
||||||
@ -1647,3 +1615,6 @@ Index: grub-2.12~rc1/util/grub-protect.c
|
|||||||
+
|
+
|
||||||
+ return err;
|
+ return err;
|
||||||
+}
|
+}
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
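Review bot: The rewritten warning in the "Persist SRK" branch still has a line break inside the parenthesis, `(TPM2_EvictControl: 0x%x\n). `, so the output is split and `). Continuing anyway...` starts the second line. As this commit is already reworking these messages, the string should read `_("Warning: Failed to persist SRK (0x%x) (TPM2_EvictControl: 0x%x). "`, followed by the existing `"Continuing anyway...\n"), args->tpm2_srk, rc);`. With `--tpm2-persist` removed, this branch now runs whenever `--tpm2-srk` is non-zero and the earlier `TPM2_ReadPublic` check did not return, so this warning is the only sign that the requested persistent handle was not populated. Sealing appears to continue under the freshly created primary; whether boot-time unsealing copes with the handle being absent depends on code outside the visible hunks. The enclosing function begins and ends outside the hunk.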
||||||
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 16 06:39:46 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update the TPM2 patches to skip the persistent SRK handle if not
|
||||||
|
specified and improve the error messages
|
||||||
|
+ 0003-protectors-Add-TPM2-Key-Protector.patch
|
||||||
|
+ 0005-util-grub-protect-Add-new-tool.patch
|
||||||
|
+ 0004-tpm2-Support-authorized-policy.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 14 07:52:41 UTC 2023 - Michael Chang <mchang@suse.com>
|
Tue Nov 14 07:52:41 UTC 2023 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|