Accepting request 1120141 from home:michael-chang:branches:Base:System
- Fix Xen chainloding error of no matching file path found (bsc#1216081) * grub2-efi-chainload-harder.patch - Use grub-tpm2 token to unlock keyslots to make the unsealing process more efficient and secure. * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch OBS-URL: https://build.opensuse.org/request/show/1120141 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=471
This commit is contained in:
parent
e40e4a0d23
commit
8c7387ac32
142
0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
Normal file
142
0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
Normal file
@ -0,0 +1,142 @@
|
|||||||
|
From 06af22d6c893b0249712e9a486e0cbae15160e5c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Chang <mchang@suse.com>
|
||||||
|
Date: Mon, 23 Oct 2023 16:11:53 +0800
|
||||||
|
Subject: [PATCH] luks2: Use grub-tpm2 token for TPM2-protected volume unlock
|
||||||
|
|
||||||
|
This commit enables the use of the grub-tpm2 token for unlocking LUKS2
|
||||||
|
volumes protected by TPM2. The token tracks keyslots associated with a
|
||||||
|
sealed key, making the unsealing process more efficient and secure.
|
||||||
|
|
||||||
|
Signed-Off-by Michael Chang <mchang@suse.com>
|
||||||
|
---
|
||||||
|
grub-core/disk/luks2.c | 81 ++++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 79 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
|
||||||
|
index d5106402f..fe5ba777a 100644
|
||||||
|
--- a/grub-core/disk/luks2.c
|
||||||
|
+++ b/grub-core/disk/luks2.c
|
||||||
|
@@ -124,6 +124,14 @@ struct grub_luks2_digest
|
||||||
|
};
|
||||||
|
typedef struct grub_luks2_digest grub_luks2_digest_t;
|
||||||
|
|
||||||
|
+struct grub_luks2_token_tpm
|
||||||
|
+{
|
||||||
|
+ grub_uint64_t idx;
|
||||||
|
+ grub_uint64_t keyslots;
|
||||||
|
+ const char *timestamp;
|
||||||
|
+};
|
||||||
|
+typedef struct grub_luks2_token_tpm grub_luks2_token_tpm_t;
|
||||||
|
+
|
||||||
|
gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
|
||||||
|
grub_uint8_t * dst, grub_size_t blocksize,
|
||||||
|
grub_size_t blocknumbers);
|
||||||
|
@@ -257,6 +265,39 @@ luks2_parse_digest (grub_luks2_digest_t *out, const grub_json_t *digest)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static grub_err_t
|
||||||
|
+luks2_parse_token_tpm (grub_luks2_token_tpm_t *out, const grub_json_t *token)
|
||||||
|
+{
|
||||||
|
+ grub_json_t keyslots, o;
|
||||||
|
+ grub_size_t i, size;
|
||||||
|
+ grub_uint64_t bit;
|
||||||
|
+ const char *type;
|
||||||
|
+
|
||||||
|
+ if (grub_json_getstring (&type, token, "type"))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid token type");
|
||||||
|
+ else if (grub_strcmp (type, "grub-tpm2"))
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ if (grub_json_getvalue (&keyslots, token, "keyslots") ||
|
||||||
|
+ grub_json_getstring (&out->timestamp, token, "timestamp"))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing token parameters");
|
||||||
|
+
|
||||||
|
+ if (grub_json_getsize (&size, &keyslots))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ "Token references no keyslots");
|
||||||
|
+
|
||||||
|
+ out->keyslots = 0;
|
||||||
|
+ for (i = 0; i < size; i++)
|
||||||
|
+ {
|
||||||
|
+ if (grub_json_getchild (&o, &keyslots, i) ||
|
||||||
|
+ grub_json_getuint64 (&bit, &o, NULL))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot");
|
||||||
|
+ out->keyslots |= (1 << bit);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static grub_err_t
|
||||||
|
luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_segment_t *s,
|
||||||
|
const grub_json_t *root, grub_size_t keyslot_json_idx)
|
||||||
|
@@ -561,13 +602,14 @@ luks2_recover_key (grub_disk_t source,
|
||||||
|
{
|
||||||
|
grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
|
||||||
|
char cipher[32], *json_header = NULL, *ptr;
|
||||||
|
- grub_size_t candidate_key_len = 0, json_idx, size;
|
||||||
|
+ grub_size_t candidate_key_len = 0, json_idx, size, tsize;
|
||||||
|
grub_luks2_header_t header;
|
||||||
|
grub_luks2_keyslot_t keyslot;
|
||||||
|
grub_luks2_digest_t digest;
|
||||||
|
grub_luks2_segment_t segment;
|
||||||
|
+ grub_luks2_token_tpm_t token_tpm;
|
||||||
|
gcry_err_code_t gcry_ret;
|
||||||
|
- grub_json_t *json = NULL, keyslots;
|
||||||
|
+ grub_json_t *json = NULL, keyslots, tokens;
|
||||||
|
grub_err_t ret;
|
||||||
|
|
||||||
|
if (cargs->key_data == NULL || cargs->key_len == 0)
|
||||||
|
@@ -605,6 +647,37 @@ luks2_recover_key (grub_disk_t source,
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ token_tpm.keyslots = 0;
|
||||||
|
+ tsize = 0;
|
||||||
|
+ if (cargs->protectors)
|
||||||
|
+ {
|
||||||
|
+ int i;
|
||||||
|
+ for (i = 0; cargs->protectors[i]; i++)
|
||||||
|
+ if (grub_strcmp(cargs->protectors[i], "tpm2") == 0)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ if (!cargs->protectors[i] ||
|
||||||
|
+ cargs->key_cache[i].invalid ||
|
||||||
|
+ grub_json_getvalue (&tokens, json, "tokens") ||
|
||||||
|
+ grub_json_getsize (&tsize, &tokens))
|
||||||
|
+ grub_dprintf ("luks2", "No valid token or not a tpm2 protector\n");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (json_idx = 0; json_idx < tsize; json_idx++)
|
||||||
|
+ {
|
||||||
|
+ grub_json_t token;
|
||||||
|
+
|
||||||
|
+ if (grub_json_getchild (&token, &tokens, json_idx) ||
|
||||||
|
+ grub_json_getuint64 (&token_tpm.idx, &token, NULL) ||
|
||||||
|
+ grub_json_getchild (&token, &token, 0) ||
|
||||||
|
+ luks2_parse_token_tpm (&token_tpm, &token))
|
||||||
|
+ {
|
||||||
|
+ grub_dprintf ("luks2", "Could not parse token index %" PRIuGRUB_SIZE "\n", json_idx);
|
||||||
|
+ grub_errno = GRUB_ERR_NONE;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (grub_disk_native_sectors (source) == GRUB_DISK_SIZE_UNKNOWN)
|
||||||
|
{
|
||||||
|
/* FIXME: Allow use of source disk, and maybe cause errors in read. */
|
||||||
|
@@ -641,6 +714,10 @@ luks2_recover_key (grub_disk_t source,
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (token_tpm.keyslots &&
|
||||||
|
+ !(token_tpm.keyslots & (1 << keyslot.idx)))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n", keyslot.idx);
|
||||||
|
|
||||||
|
/* Sector size should be one of 512, 1024, 2048, or 4096. */
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|
@ -2,6 +2,10 @@
|
|||||||
v2:
|
v2:
|
||||||
Use grub_efi_get_secureboot to get secure boot status
|
Use grub_efi_get_secureboot to get secure boot status
|
||||||
|
|
||||||
|
v3:
|
||||||
|
Fix null sb_context->file_path due to missing assignment of chainloaded image's
|
||||||
|
file_path (bsc#1216081)
|
||||||
|
|
||||||
---
|
---
|
||||||
grub-core/loader/efi/chainloader.c | 62 +++++++++++++++++++++----------------
|
grub-core/loader/efi/chainloader.c | 62 +++++++++++++++++++++----------------
|
||||||
1 file changed, 36 insertions(+), 26 deletions(-)
|
1 file changed, 36 insertions(+), 26 deletions(-)
|
||||||
@ -73,7 +77,7 @@ Use grub_efi_get_secureboot to get secure boot status
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void*
|
static void*
|
||||||
@@ -604,6 +605,9 @@
|
@@ -607,6 +608,9 @@
|
||||||
if (buffer)
|
if (buffer)
|
||||||
b->free_pool (buffer);
|
b->free_pool (buffer);
|
||||||
|
|
||||||
@ -83,7 +87,7 @@ Use grub_efi_get_secureboot to get secure boot status
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -821,6 +825,30 @@
|
@@ -825,6 +829,31 @@
|
||||||
status = b->load_image (0, grub_efi_image_handle, file_path,
|
status = b->load_image (0, grub_efi_image_handle, file_path,
|
||||||
boot_image, size,
|
boot_image, size,
|
||||||
&image_handle);
|
&image_handle);
|
||||||
@ -105,6 +109,7 @@ Use grub_efi_get_secureboot to get secure boot status
|
|||||||
+ sb_context->dev_handle = dev_handle;
|
+ sb_context->dev_handle = dev_handle;
|
||||||
+ sb_context->address = address;
|
+ sb_context->address = address;
|
||||||
+ sb_context->pages = pages;
|
+ sb_context->pages = pages;
|
||||||
|
+ sb_context->file_path = file_path;
|
||||||
+ grub_file_close (file);
|
+ grub_file_close (file);
|
||||||
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
|
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
|
||||||
+ grub_secureboot_chainloader_unload, sb_context, 0);
|
+ grub_secureboot_chainloader_unload, sb_context, 0);
|
||||||
|
@ -1,3 +1,16 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 25 01:56:09 UTC 2023 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix Xen chainloding error of no matching file path found (bsc#1216081)
|
||||||
|
* grub2-efi-chainload-harder.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 23 13:11:45 UTC 2023 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Use grub-tpm2 token to unlock keyslots to make the unsealing process more
|
||||||
|
efficient and secure.
|
||||||
|
* 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 16 08:05:03 UTC 2023 - Michael Chang <mchang@suse.com>
|
Mon Oct 16 08:05:03 UTC 2023 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
@ -387,6 +387,7 @@ Patch194: 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
|
|||||||
Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
|
Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
|
||||||
Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
|
Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
|
||||||
Patch197: 0006-fs-ntfs-Make-code-more-readable.patch
|
Patch197: 0006-fs-ntfs-Make-code-more-readable.patch
|
||||||
|
Patch198: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
|
||||||
|
|
||||||
Requires: gettext-runtime
|
Requires: gettext-runtime
|
||||||
%if 0%{?suse_version} >= 1140
|
%if 0%{?suse_version} >= 1140
|
||||||
|
Loading…
Reference in New Issue
Block a user