grub2/0001-tpm2-Add-extra-RSA-SRK-types.patch

From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types

Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
to support those parameters.

Signed-off-by: Gary Lin <glin@suse.com>
---
 grub-core/commands/tpm2_key_protector/args.c   | 12 ++++++++++++
 grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
 util/grub-protect.c                            |  4 ++--
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
index 48c39de01..b291793a7 100644
--- a/grub-core/commands/tpm2_key_protector/args.c
+++ b/grub-core/commands/tpm2_key_protector/args.c
@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
       srk_type->type = TPM_ALG_RSA;
       srk_type->detail.rsa_bits = 2048;
     }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+	   grub_strcasecmp (value, "RSA3072") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 3072;
+    }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+	   grub_strcasecmp (value, "RSA4096") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 4096;
+    }
   else
     return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
 
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 74e79a545..ee16d7f15 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
       .arg      = NULL,
       .type     = ARG_TYPE_STRING,
       .doc      =
-	N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
-	   "(default: ECC)"),
+	N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+	  "and ECC (ECC_NIST_P256). (default: ECC)"),
     },
     /* NV Index-mode options */
     {
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
     return "ECC_NIST_P256";
   else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
     return "RSA2048";
+  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
+    return "RSA3072";
+  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
+    return "RSA4096";
 
   return "Unknown";
 }
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
       .type = TPM_ALG_ECC,
       .detail.ecc_curve = TPM_ECC_NIST_P256,
     },
+    {
+      .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 4096,
+    },
+    {
+      .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 3072,
+    },
     {
       .type = TPM_ALG_RSA,
       .detail.rsa_bits = 2048,
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 5b7e952f4..f1108f2c5 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
       .arg   = "TYPE",
       .flags = 0,
       .doc   =
-	N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
-	   "(default: ECC)"),
+	N_("Set the type of SRK: RSA (RSA2048),  RSA3072, RSA4096, "
+	   "and ECC (ECC_NIST_P256). (default: ECC)"),
       .group = 0
     },
     {
-- 
2.43.0