Updates since v1:

1. One key can unlock multiple disks: It is now possible to use key protectors with cryptomount's -a and -b options.

2. No passphrase prompt on error if key protector(s) specified: cryptomount no longer prompts for a passphrase if key protectors are specified but fail to provide a working unlock key, seeing as the user explicitly requested unlocking via key protectors.

3. Key protector parameterization is separate: Previously, one would parameterize a key protector via a colon-separated argument list nested within a cryptomount argument. Now, key protectors are expected to provide an initialization function, if necessary. As such, instead of:

     cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...

   one now writes:

     tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
     cryptomount -k tpm2

   Additionally, one may write:

     cryptomount -k protector_1 -k protector_2 ...

   where cryptomount will try each in order on failure.

4. Standard argument parsing: The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect tool uses 'struct argp_option'. Additionally, common argument parsing functionality is now shared between the module and the tool.

5. More useful messages: Both the TPM2 module and the grub-protect tool now provide more useful messages to help the user learn how to use their functionality (--help and --usage) as well as to determine what is wrong, if anything. Furthermore, the module now prints additional debug output to help diagnose problems.
I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177

Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html

Thank you,
Hernan

Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

 .gitignore                             |    1 +
 Makefile.util.def                      |   19 +
 configure.ac                           |    1 +
 grub-core/Makefile.am                  |    1 +
 grub-core/Makefile.core.def            |   11 +
 grub-core/disk/cryptodisk.c            |  166 +++-
 grub-core/kern/protectors.c            |   75 ++
 grub-core/tpm2/args.c                  |  129 ++++
 grub-core/tpm2/buffer.c                |  145 ++++
 grub-core/tpm2/module.c                |  710 +++++++++++++++++
 grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 ++++
 grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
 include/grub/cryptodisk.h              |   14 +
 include/grub/protector.h               |   48 ++
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/args.h      |   39 +
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++++
 include/grub/tpm2/mu.h                 |  292 +++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
 24 files changed, 5897 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c

-- 
1.8.3.1