grub2/tpm-protector-dont-measure-sealed-key.patch

Index: grub-2.06/grub-core/tpm2/module.c
===================================================================
--- grub-2.06.orig/grub-core/tpm2/module.c
+++ grub-2.06/grub-core/tpm2/module.c
@@ -139,7 +139,9 @@ grub_tpm2_protector_srk_read_keyfile (co
   void *sealed_key_buffer;
   grub_off_t sealed_key_read;
 
-  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_NONE);
+  /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into PCR9
+   * otherwise we'll never be able to predict the value of PCR9 at unseal time */
+  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
   if (!sealed_key_file)
     {
       grub_dprintf ("tpm2", "Could not open sealed key file.\n");
Accepting request 1004537 from home:gary_lin:branches:Base:System - Add safety measure to pcr snapshot by checking platform and tpm status * safe_tpm_pcr_snapshot.patch - Fix installation failure due to unavailable nvram device on ppc64le (bsc#1201361) * 0001-grub-install-set-point-of-no-return-for-powerpc-ieee1275.patch - Add patches to dynamically allocate additional memory regions for EFI systems (bsc#1202438) * 0001-mm-Allow-dynamically-requesting-additional-memory-re.patch * 0002-kern-efi-mm-Always-request-a-fixed-number-of-pages-o.patch * 0003-kern-efi-mm-Extract-function-to-add-memory-regions.patch * 0004-kern-efi-mm-Pass-up-errors-from-add_memory_regions.patch * 0005-kern-efi-mm-Implement-runtime-addition-of-pages.patch - Enlarge the default heap size and defer the disk cache invalidation (bsc#1202438) * 0001-kern-efi-mm-Enlarge-the-default-heap-size.patch * 0002-mm-Defer-the-disk-cache-invalidation.patch - Add patches for ALP FDE support * 0001-devmapper-getroot-Have-devmapper-recognize-LUKS2.patch * 0002-devmapper-getroot-Set-up-cheated-LUKS2-cryptodisk-mo.patch * 0003-disk-cryptodisk-When-cheatmounting-use-the-sector-in.patch * 0004-normal-menu-Don-t-show-Booting-s-msg-when-auto-booti.patch * 0005-EFI-suppress-the-Welcome-to-GRUB-message-in-EFI-buil.patch * 0006-EFI-console-Do-not-set-colorstate-until-the-first-te.patch * 0007-EFI-console-Do-not-set-cursor-until-the-first-text-o.patch * 0008-linuxefi-Use-common-grub_initrd_load.patch * 0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch * 0010-templates-import-etc-crypttab-to-grub.cfg.patch OBS-URL: https://build.opensuse.org/request/show/1004537 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=419 2022-09-19 08:10:23 +02:00			`Index: grub-2.06/grub-core/tpm2/module.c`
			`===================================================================`
			`--- grub-2.06.orig/grub-core/tpm2/module.c`
			`+++ grub-2.06/grub-core/tpm2/module.c`
			`@@ -139,7 +139,9 @@ grub_tpm2_protector_srk_read_keyfile (co`
			`void *sealed_key_buffer;`
			`grub_off_t sealed_key_read;`

			`- sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_NONE);`
			`+ /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into PCR9`
			`+ * otherwise we'll never be able to predict the value of PCR9 at unseal time */`
			`+ sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);`
			`if (!sealed_key_file)`
			`{`
			`grub_dprintf ("tpm2", "Could not open sealed key file.\n");`