
Accepting request 1115436 from home:gary_lin:branches:Base:System

- Update the TPM 2.0 patches to support more RSA and ECC algorithms
  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
  * 0003-protectors-Add-TPM2-Key-Protector.patch
  * 0005-util-grub-protect-Add-new-tool.patch

- Remove the build requirement for gcc-32bit: the target platform does not
  rely on libgcc functions shipped with the compiler, but rather on functions
  supplied by grub directly.

OBS-URL: https://build.opensuse.org/request/show/1115436
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=466
This commit is contained in:
Michael Chang 2023-10-05 05:07:17 +00:00 committed by Git OBS Bridge
parent d81a5aab96
commit c4e530ea83
5 changed files with 222 additions and 78 deletions


@ -1,7 +1,7 @@
From a4f5c4aa64e0484b08dcb9b7798395c55ca45ead Mon Sep 17 00:00:00 2001
From c5a42cf3340aa740132bcdb8e8cee22c23306ef5 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:54 -0800
Subject: [PATCH 2/5] tpm2: Add TPM Software Stack (TSS)
Subject: [PATCH v6 09/20] tpm2: Add TPM Software Stack (TSS)
A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
compose, submit, and parse TPM commands and responses.
@ -38,11 +38,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
include/grub/tpm2/buffer.h | 65 ++
include/grub/tpm2/internal/functions.h | 117 ++++
include/grub/tpm2/internal/structs.h | 675 +++++++++++++++++++++
include/grub/tpm2/internal/types.h | 372 ++++++++++++
include/grub/tpm2/internal/types.h | 370 ++++++++++++
include/grub/tpm2/mu.h | 292 +++++++++
include/grub/tpm2/tcg2.h | 34 ++
include/grub/tpm2/tpm2.h | 34 ++
11 files changed, 3445 insertions(+)
11 files changed, 3443 insertions(+)
create mode 100644 grub-core/tpm2/buffer.c
create mode 100644 grub-core/tpm2/mu.c
create mode 100644 grub-core/tpm2/tcg2.c
@ -55,6 +55,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
create mode 100644 include/grub/tpm2/tcg2.h
create mode 100644 include/grub/tpm2/tpm2.h
diff --git a/grub-core/tpm2/buffer.c b/grub-core/tpm2/buffer.c
new file mode 100644
index 000000000..cb9f29497
--- /dev/null
+++ b/grub-core/tpm2/buffer.c
@@ -0,0 +1,145 @@
@ -203,6 +206,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ buffer->offset += sizeof (tmp);
+ *value = grub_be_to_cpu32 (tmp);
+}
diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
new file mode 100644
index 000000000..1617f37cd
--- /dev/null
+++ b/grub-core/tpm2/mu.c
@@ -0,0 +1,807 @@
@ -1013,6 +1019,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ for (grub_uint32_t i = 0; i < digest->count; i++)
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
+}
diff --git a/grub-core/tpm2/tcg2.c b/grub-core/tpm2/tcg2.c
new file mode 100644
index 000000000..9e4b7f565
--- /dev/null
+++ b/grub-core/tpm2/tcg2.c
@@ -0,0 +1,143 @@
@ -1153,12 +1162,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ return err;
+
+ status = protocol->submit_command (protocol, input_size, input,
+ output_size, output);
+ output_size, output);
+ if (status != GRUB_EFI_SUCCESS)
+ return GRUB_ERR_INVALID_COMMAND;
+
+ return GRUB_ERR_NONE;
+}
diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
new file mode 100644
index 000000000..d67699a24
--- /dev/null
+++ b/grub-core/tpm2/tpm2.c
@@ -0,0 +1,761 @@
@ -1923,6 +1935,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+
+ return TPM_RC_SUCCESS;
+}
diff --git a/include/grub/tpm2/buffer.h b/include/grub/tpm2/buffer.h
new file mode 100644
index 000000000..87dcd8d6c
--- /dev/null
+++ b/include/grub/tpm2/buffer.h
@@ -0,0 +1,65 @@
@ -1991,6 +2006,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+grub_tpm2_buffer_unpack_u32 (grub_tpm2_buffer_t buffer, grub_uint32_t* value);
+
+#endif /* ! GRUB_TPM2_BUFFER_HEADER */
diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h
new file mode 100644
index 000000000..9380f26a2
--- /dev/null
+++ b/include/grub/tpm2/internal/functions.h
@@ -0,0 +1,117 @@
@ -2111,6 +2129,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ TPMS_AUTH_RESPONSE *authResponse);
+
+#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
new file mode 100644
index 000000000..72d71eb70
--- /dev/null
+++ b/include/grub/tpm2/internal/structs.h
@@ -0,0 +1,675 @@
@ -2789,9 +2810,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
+typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
+
+#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
new file mode 100644
index 000000000..9118cad5d
--- /dev/null
+++ b/include/grub/tpm2/internal/types.h
@@ -0,0 +1,372 @@
@@ -0,0 +1,370 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -3077,8 +3101,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
+#define TPM_RH_AUTH_FF ((TPM_RH) 0x4000010F)
+#define TPM_RH_LAST ((TPM_RH) 0x4000010F)
+
+/* TPM2_ECC_CURVE Constants */
+typedef grub_uint16_t TPM2_ECC_CURVE;
+/* TPM_ECC_CURVE Constants */
+typedef grub_uint16_t TPM_ECC_CURVE;
+
+#define TPM_ECC_NONE ((TPM_ECC_CURVE) 0x0000)
+#define TPM_ECC_NIST_P192 ((TPM_ECC_CURVE) 0x0001)
@ -3153,8 +3177,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
+typedef grub_uint16_t TPM_KEY_BITS;
+
+/* TPM_ECC_CURVE Types */
+typedef grub_uint16_t TPM_ECC_CURVE;
+
+typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
+
+/* TPMI_RH_PROVISION Type */
@ -3164,6 +3186,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+typedef TPM_HANDLE TPMI_DH_PERSISTENT;
+
+#endif /* ! GRUB_TPM2_INTERNAL_TYPES_HEADER */
diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
new file mode 100644
index 000000000..c545976db
--- /dev/null
+++ b/include/grub/tpm2/mu.h
@@ -0,0 +1,292 @@
@ -3459,6 +3484,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ TPML_DIGEST* digest);
+
+#endif /* ! GRUB_TPM2_MU_HEADER */
diff --git a/include/grub/tpm2/tcg2.h b/include/grub/tpm2/tcg2.h
new file mode 100644
index 000000000..553b3fd93
--- /dev/null
+++ b/include/grub/tpm2/tcg2.h
@@ -0,0 +1,34 @@
@ -3496,6 +3524,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_uint8_t *output);
+
+#endif /* ! GRUB_TPM2_TCG2_HEADER */
diff --git a/include/grub/tpm2/tpm2.h b/include/grub/tpm2/tpm2.h
new file mode 100644
index 000000000..cfdc9edcd
--- /dev/null
+++ b/include/grub/tpm2/tpm2.h
@@ -0,0 +1,34 @@
@ -3533,3 +3564,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
+} TPM2_SEALED_KEY;
+
+#endif /* ! GRUB_TPM2_TPM2_HEADER */
--
2.35.3


@ -1,7 +1,7 @@
From ab730e5bc42bae528da62178680284efdd64278e Mon Sep 17 00:00:00 2001
From 0ecf5ff31a89e061aef5e40ee68f8828e7b5eb81 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:55 -0800
Subject: [PATCH 3/5] protectors: Add TPM2 Key Protector
Subject: [PATCH v6 10/20] protectors: Add TPM2 Key Protector
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
@ -77,18 +77,18 @@ command (modifications to this command are in a different patch).
For instance, to unseal the raw sealed key file:
tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key
cryptomount DISK1 -P tpm2
cryptomount -u <PART1_UUID> -P tpm2
tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key --pcrs=7,11
cryptomount DISK2 -P tpm2
cryptomount -u <PART2_UUID> -P tpm2
Or, to unseal the TPM 2.0 Key file:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
cryptomount DISK1 -P tpm2
cryptomount -u <PART1_UUID> -P tpm2
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm --pcrs=7,11
cryptomount DISK2 -P tpm2
cryptomount -u <PART2_UUID> -P tpm2
If a user does not initialize the key protector and attempts to use it
anyway, the protector returns an error.
@ -117,14 +117,14 @@ Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/Makefile.core.def | 13 +
grub-core/tpm2/args.c | 131 ++++
grub-core/tpm2/module.c | 1033 +++++++++++++++++++++++++++++
grub-core/tpm2/args.c | 177 +++++
grub-core/tpm2/module.c | 1040 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 31 +
grub-core/tpm2/tpm2key.c | 440 ++++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
include/grub/tpm2/internal/args.h | 39 ++
include/grub/tpm2/internal/args.h | 41 ++
include/grub/tpm2/tpm2key.h | 83 +++
8 files changed, 1811 insertions(+)
8 files changed, 1866 insertions(+)
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/tpm2key.asn
@ -133,12 +133,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
create mode 100644 include/grub/tpm2/internal/args.h
create mode 100644 include/grub/tpm2/tpm2key.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 5831d4265..38571119e 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2599,6 +2599,19 @@
@@ -2553,6 +2553,19 @@ module = {
enable = efi;
};
module = {
+module = {
+ name = tpm2;
+ common = tpm2/args.c;
+ common = tpm2/buffer.c;
@ -151,13 +154,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ enable = efi;
+};
+
+module = {
module = {
name = tr;
common = commands/tr.c;
};
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
new file mode 100644
index 000000000..274f4fef0
--- /dev/null
+++ b/grub-core/tpm2/args.c
@@ -0,0 +1,131 @@
@@ -0,0 +1,177 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -237,12 +242,58 @@ Signed-off-by: Gary Lin <glin@suse.com>
+}
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value, TPM_ALG_ID *asymmetric)
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve)
+{
+ if (grub_strcasecmp (value, "ECC") == 0)
+ *asymmetric = TPM_ALG_ECC;
+ else if (grub_strcasecmp (value, "RSA") == 0)
+ *asymmetric = TPM_ALG_RSA;
+ if (grub_strcasecmp (value, "ECC") == 0 ||
+ grub_strcasecmp (value, "ECC_NIST_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P256;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA2048") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 2048;
+ }
+ else if (grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 4096;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P384;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P521;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P256;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P638;
+ }
+ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_SM2_P256;
+ }
+ else
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Value '%s' is not a valid asymmetric key type"),
@ -289,9 +340,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
+
+ return GRUB_ERR_NONE;
+}
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
new file mode 100644
index 000000000..9605ddbc7
--- /dev/null
+++ b/grub-core/tpm2/module.c
@@ -0,0 +1,1033 @@
@@ -0,0 +1,1040 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -352,6 +406,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_uint8_t pcrs[TPM_MAX_PCRS];
+ grub_uint8_t pcr_count;
+ TPM_ALG_ID asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ TPM_ALG_ID bank;
+ const char *tpm2key;
+ const char *keyfile;
@ -390,7 +446,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), or SHA384."),
+ "SHA1, SHA256 (default), SHA384 or SHA512."),
+ },
+ /* SRK-mode options */
+ {
@ -431,7 +487,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("In SRK mode, the type of SRK: RSA (default) or ECC."),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, "
+ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, "
+ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ },
+ /* NV Index-mode options */
+ {
@ -696,7 +755,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ }
+ else if (ctx->asymmetric == TPM_ALG_ECC)
@ -705,7 +764,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ }
+ else
@ -977,10 +1036,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ /* Get the SRK to unseal the sealed key */
+ err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_error (err, N_("Failed to retrieve the SRK"));
+ goto exit1;
+ }
+ goto exit1;
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
@ -1148,7 +1204,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ ctx->srk = TPM2_SRK_HANDLE;
+
+ if (!ctx->asymmetric)
+ ctx->asymmetric = TPM_ALG_RSA;
+ {
+ ctx->asymmetric = TPM_ALG_RSA;
+ ctx->rsa_bits = 2048;
+ }
+ }
+
+ return GRUB_ERR_NONE;
@ -1252,7 +1311,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ if (state[OPTION_ASYMMETRIC].set) /* asymmetric */
+ {
+ err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg,
+ &grub_tpm2_protector_ctx.asymmetric);
+ &grub_tpm2_protector_ctx.asymmetric,
+ &grub_tpm2_protector_ctx.rsa_bits,
+ &grub_tpm2_protector_ctx.ecc_curve);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
@ -1325,6 +1386,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_unregister_extcmd (grub_tpm2_protector_clear_cmd);
+ grub_unregister_extcmd (grub_tpm2_protector_init_cmd);
+}
diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
new file mode 100644
index 000000000..e3b6a03e0
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.asn
@@ -0,0 +1,31 @@
@ -1359,6 +1423,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+}
+
+END
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
new file mode 100644
index 000000000..62f6d865b
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.c
@@ -0,0 +1,440 @@
@ -1802,6 +1869,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_free (authpol);
+ }
+}
diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c
new file mode 100644
index 000000000..551fc46ec
--- /dev/null
+++ b/grub-core/tpm2/tpm2key_asn1_tab.c
@@ -0,0 +1,41 @@
@ -1846,9 +1916,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ { "privkey", 7, NULL },
+ { NULL, 0, NULL }
+};
diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h
new file mode 100644
index 000000000..58d13e031
--- /dev/null
+++ b/include/grub/tpm2/internal/args.h
@@ -0,0 +1,39 @@
@@ -0,0 +1,41 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -1879,7 +1952,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric);
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve);
+
+grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank);
@ -1888,6 +1963,9 @@ Signed-off-by: Gary Lin <glin@suse.com>
+grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE *handle);
+
+#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h
new file mode 100644
index 000000000..df46203e3
--- /dev/null
+++ b/include/grub/tpm2/tpm2key.h
@@ -0,0 +1,83 @@
@ -1974,3 +2052,6 @@ Signed-off-by: Gary Lin <glin@suse.com>
+grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq);
+
+#endif /* GRUB_TPM2_TPM2KEY_HEADER */
--
2.35.3
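Review bot: The SRK template in module.c (the hunk around `rsaDetail.keyBits = ctx->rsa_bits` and `eccDetail.curveID = ctx->ecc_curve`) now varies the asymmetric key size while the symmetric protection parameters stay fixed at AES-128 CFB for every size, and nothing in the hunk ties them to the chosen key. That is internally consistent with grub-protect, but a primary key is only reproducible if the whole template matches; if I recall the TCG EK Credential Profile correctly, its standard templates for RSA3072/RSA4096 and P-384/P-521 pair the key with AES-256, so an SRK persisted by other tooling with those templates would not match the handle GRUB derives, and the unseal fails with a TPM error rather than a clear message. I would at least document the fixed template above the branch on `ctx->asymmetric`: `/* Symmetric parameters are fixed at AES-128 CFB regardless of key size; the template must match the one grub-protect used when sealing, so changing either side breaks unsealing. */`. The enclosing function starts and ends outside the hunk.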


@ -1,7 +1,7 @@
From 38ebade1341ee99593568d97e0300f5b6aa626f3 Mon Sep 17 00:00:00 2001
From e5a1c5fe660e74d99d33d7d28914e968077ae603 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:57 -0800
Subject: [PATCH 5/5] util/grub-protect: Add new tool
Subject: [PATCH v6 12/20] util/grub-protect: Add new tool
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
@ -15,8 +15,8 @@ a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
ensures the cryptomount command is included in GRUB's boot script and
that it carries the requisite key protector (-P) parameter.
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.
Sample usage:
@ -41,14 +41,12 @@ $ sudo grub-protect --action=add \
Then, in the boot script, for TPM 2.0 Key File:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
cryptomount -u <SDB1_UUID> -P tpm2
Or, for the raw sealed key:
tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key
cryptomount -u b20f95d0834842bc9197bd78b36732f8 -P tpm2
where the UUID corresponds to /dev/sdb1.
cryptomount -u <SDB1_UUID> -P tpm2
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
@ -56,13 +54,15 @@ Signed-off-by: Gary Lin <glin@suse.com>
.gitignore | 2 +
Makefile.util.def | 22 +
configure.ac | 9 +
util/grub-protect.c | 1508 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 1541 insertions(+)
util/grub-protect.c | 1524 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 1557 insertions(+)
create mode 100644 util/grub-protect.c
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -208,6 +208,28 @@
Index: grub-2.12~rc1/Makefile.util.def
===================================================================
--- grub-2.12~rc1.orig/Makefile.util.def
+++ grub-2.12~rc1/Makefile.util.def
@@ -208,6 +208,28 @@ program = {
};
program = {
@ -91,9 +91,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
name = grub-mkrelpath;
mansection = 1;
--- a/configure.ac
+++ b/configure.ac
@@ -76,6 +76,7 @@
Index: grub-2.12~rc1/configure.ac
===================================================================
--- grub-2.12~rc1.orig/configure.ac
+++ grub-2.12~rc1/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
grub_TRANSFORM([grub-mkrelpath])
grub_TRANSFORM([grub-mkrescue])
grub_TRANSFORM([grub-probe])
@ -101,7 +103,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
grub_TRANSFORM([grub-reboot])
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
@@ -1992,6 +1993,14 @@
@@ -1992,6 +1993,14 @@ fi
AC_SUBST([LIBZFS])
AC_SUBST([LIBNVPAIR])
@ -116,9 +118,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
LIBS=""
AC_SUBST([FONT_SOURCE])
Index: grub-2.12~rc1/util/grub-protect.c
===================================================================
--- /dev/null
+++ b/util/grub-protect.c
@@ -0,0 +1,1508 @@
+++ grub-2.12~rc1/util/grub-protect.c
@@ -0,0 +1,1524 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -227,6 +231,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
+ grub_uint8_t tpm2_pcr_count;
+ TPM_ALG_ID tpm2_asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ TPM_ALG_ID tpm2_bank;
+ TPM_HANDLE tpm2_srk;
+ const char *tpm2_keyfile;
@ -280,11 +286,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ {
+ .name = "tpm2-bank",
+ .key = GRUB_PROTECT_OPT_TPM2_BANK,
+ .arg = "SHA1|SHA256|SHA384",
+ .arg = "ALG",
+ .flags = 0,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), or SHA384."),
+ "SHA1, SHA256 (default), or SHA512."),
+ .group = 0
+ },
+ {
@ -319,10 +325,13 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ {
+ .name = "tpm2-asymmetric",
+ .key = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC,
+ .arg = "RSA|ECC",
+ .arg = "TYPE",
+ .flags = 0,
+ .doc =
+ N_("The type of SRK: RSA (default) or ECC."),
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, "
+ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ .group = 0
+ },
+ {
@ -648,6 +657,13 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA256;
+ break;
+ case TPM_ALG_SHA512:
+ pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA512;
+ break;
+ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(),
+ it's not supported by the built-in libgcrypt, and we won't be able to
+ calculate the PCR digest, so SHA384 is marked as unsupported. */
+ default:
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
@ -797,7 +813,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ break;
+
@ -806,7 +822,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ break;
+
@ -1257,7 +1273,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ args->tpm2_srk = TPM2_SRK_HANDLE;
+
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
+ args->tpm2_asymmetric = TPM_ALG_RSA;
+ {
+ args->tpm2_asymmetric = TPM_ALG_RSA;
+ args->rsa_bits = 2048;
+ }
+
+ if (args->tpm2_bank == TPM_ALG_ERROR)
+ args->tpm2_bank = TPM_ALG_SHA256;
@ -1426,7 +1445,8 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ return EINVAL;
+ }
+
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric);
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric,
+ &args->rsa_bits, &args->ecc_curve);
+ if (err != GRUB_ERR_NONE)
+ {
+ if (grub_errno != GRUB_ERR_NONE)
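Review bot: In the PCR-digest hash selection (`case TPM_ALG_SHA512:` through `default: return GRUB_ERR_BAD_ARGUMENT;`), a SHA384 bank is still accepted by grub_tpm2_protector_parse_bank and only rejected here with a bare GRUB_ERR_BAD_ARGUMENT and no message, so the user sees a generic failure late in the sealing step instead of an argument error. I would reject SHA384 where the `--tpm2-bank` option is parsed (outside this hunk, presumably alongside the other option handlers) with an explicit message such as `SHA384 PCR bank is not supported by grub-protect`, and keep the `default:` as a defensive catch-all. The two help strings also now disagree: grub-protect says `SHA1, SHA256 (default), or SHA512` while the module side says `SHA1, SHA256 (default), SHA384 or SHA512`, which is accurate only for unsealing; a short note in the grub-protect help that SHA384 cannot be used for sealing would remove the ambiguity. The enclosing function starts and ends outside the hunk.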


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Mon Oct 2 14:30:49 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update the TPM 2.0 patches to support more RSA and ECC algorithms
* 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
* 0003-protectors-Add-TPM2-Key-Protector.patch
* 0005-util-grub-protect-Add-new-tool.patch
-------------------------------------------------------------------
Mon Oct 2 08:11:56 UTC 2023 - Michael Chang <mchang@suse.com>
- Remove build require for gcc-32bit, target platform didn't rely on libgcc
function shipped with compiler but rather using functions supplied in grub
directly.
-------------------------------------------------------------------
Fri Sep 29 08:38:13 UTC 2023 - Fabian Vogt <fvogt@suse.com>


@ -28,14 +28,6 @@
%endif
Name: grub2
%ifarch x86_64 ppc64
BuildRequires: gcc-32bit
BuildRequires: glibc-32bit
BuildRequires: glibc-devel-32bit
%else
BuildRequires: gcc
BuildRequires: glibc-devel
%endif
BuildRequires: automake
BuildRequires: bison
BuildRequires: device-mapper-devel
@ -43,6 +35,8 @@ BuildRequires: fdupes
BuildRequires: flex
BuildRequires: freetype2-devel
BuildRequires: fuse-devel
BuildRequires: gcc
BuildRequires: glibc-devel
%if 0%{?suse_version} >= 1140
BuildRequires: dejavu-fonts
BuildRequires: gnu-unifont