Hi, pardon me for top-posting just once. The answer below was sent in reply to v1 but seems not to have made it through, as I do not find it in the archives, and it is about the proposal in general.
Here goes (initially posted on Tue, 25 Jan 2022):

Sorry for a newbie question (I plan to allow installing Slint on a Secure Boot enabled machine if/when I can, but know almost nothing yet on this topic).

Currently, in the "auto" mode of installation, we allow installing Slint on a fully encrypted drive (minus the ESP and the BIOS Boot partition), the user then typing a passphrase only once, when politely requested by GRUB before it displays its menu (without using LVM, as we store a LUKS key in the initramfs). The main purpose is to forbid access to the system when the machine is powered off, for instance in case of a laptop stolen during a trip.

Would the feature you describe possibly allow circumventing this protection?

Thanks,
Didier
--
Didier Spaier
Slint maintainer

On 01/02/2022 at 14:02, Hernan Gatta wrote:
> Updates since v1:
>
> 1. One key can unlock multiple disks:
>    It is now possible to use key protectors with cryptomount's -a and -b
>    options.
>
> 2. No passphrase prompt on error if key protector(s) specified:
>    cryptomount no longer prompts for a passphrase if key protectors are
>    specified but fail to provide a working unlock key, seeing as the user
>    explicitly requested unlocking via key protectors.
>
> 3. Key protector parameterization is separate:
>    Previously, one would parameterize a key protector via a colon-separated
>    argument list nested within a cryptomount argument. Now, key protectors are
>    expected to provide an initialization function, if necessary.
>
>    As such, instead of:
>
>      cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
>
>    one now writes:
>
>      tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
>      cryptomount -k tpm2
>
>    Additionally, one may write:
>
>      cryptomount -k protector_1 -k protector_2 ...
>
>    where cryptomount will try each in order on failure.
>
> 4. Standard argument parsing:
>    The TPM2 key protector now uses 'struct grub_arg_option' and the
>    grub-protect tool uses 'struct argp_option'. Additionally, common argument
>    parsing functionality is now shared between the module and the tool.
>
> 5. More useful messages:
>    Both the TPM2 module and the grub-protect tool now provide more useful
>    messages to help the user learn how to use their functionality (--help and
>    --usage) as well as to determine what is wrong, if anything. Furthermore,
>    the module now prints additional debug output to help diagnose problems.
>
> I forgot to mention last time that this patch series intends to address:
> https://bugzilla.redhat.com/show_bug.cgi?id=1854177
>
> Previous series:
> https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
>
> Thank you,
> Hernan
>
> Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
>
> Hernan Gatta (5):
>   protectors: Add key protectors framework
>   tpm2: Add TPM Software Stack (TSS)
>   protectors: Add TPM2 Key Protector
>   cryptodisk: Support key protectors
>   util/grub-protect: Add new tool
>
>  .gitignore                             |    1 +
>  Makefile.util.def                      |   19 +
>  configure.ac                           |    1 +
>  grub-core/Makefile.am                  |    1 +
>  grub-core/Makefile.core.def            |   11 +
>  grub-core/disk/cryptodisk.c            |  166 +++-
>  grub-core/kern/protectors.c            |   75 ++
>  grub-core/tpm2/args.c                  |  129 ++++
>  grub-core/tpm2/buffer.c                |  145 ++++
>  grub-core/tpm2/module.c                |  710 +++++++++++++++++
>  grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
>  grub-core/tpm2/tcg2.c                  |  143 ++++
>  grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
>  include/grub/cryptodisk.h              |   14 +
>  include/grub/protector.h               |   48 ++
>  include/grub/tpm2/buffer.h             |   65 ++
>  include/grub/tpm2/internal/args.h      |   39 +
>  include/grub/tpm2/internal/functions.h |  117 +++
>  include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
>  include/grub/tpm2/internal/types.h     |  372 +++++++++
>  include/grub/tpm2/mu.h                 |  292 +++++++
>  include/grub/tpm2/tcg2.h               |   34 +
>  include/grub/tpm2/tpm2.h               |   38 +
>  util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
>  24 files changed, 5897 insertions(+), 30 deletions(-)
>  create mode 100644 grub-core/kern/protectors.c
>  create mode 100644 grub-core/tpm2/args.c
>  create mode 100644 grub-core/tpm2/buffer.c
>  create mode 100644 grub-core/tpm2/module.c
>  create mode 100644 grub-core/tpm2/mu.c
>  create mode 100644 grub-core/tpm2/tcg2.c
>  create mode 100644 grub-core/tpm2/tpm2.c
>  create mode 100644 include/grub/protector.h
>  create mode 100644 include/grub/tpm2/buffer.h
>  create mode 100644 include/grub/tpm2/internal/args.h
>  create mode 100644 include/grub/tpm2/internal/functions.h
>  create mode 100644 include/grub/tpm2/internal/structs.h
>  create mode 100644 include/grub/tpm2/internal/types.h
>  create mode 100644 include/grub/tpm2/mu.h
>  create mode 100644 include/grub/tpm2/tcg2.h
>  create mode 100644 include/grub/tpm2/tpm2.h
>  create mode 100644 util/grub-protect.c

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
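The question above turns on what the `--pcrs=7,11` binding in the quoted cover letter actually gates. The following added example, which is not code from the patch series, from GRUB, or from either poster, models the TPM 2.0 mechanism such a key protector relies on: PCR extension (TPM2_PCR_Extend) and the PolicyPCR digest computation from TPM 2.0 Library Part 3, section 23.7. It shows that a sealed key's policy digest changes whenever any selected PCR differs from the value it was sealed against, so a machine booted with a different Secure Boot state or a different boot loader cannot satisfy the policy, while a change in an unselected PCR does not matter. The boot-event log entries are constructed for the demonstration and are not real firmware measurements; the helper names (`measure_boot`, `scenario`, and so on) are this example's own.

```python
"""Model of TPM 2.0 PCR binding as used by a PCR-sealed disk key.

Added example: not part of the GRUB tpm2 key protector patches. Constants and
digest rules follow the TPM 2.0 Library specification (Part 2 for the
constants, Part 3 section 23.7 for TPM2_PolicyPCR). Boot events are constructed.
"""
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B          # TPM 2.0 Part 2, TPM_ALG_ID
TPM_CC_POLICY_PCR = 0x0000017F   # TPM 2.0 Part 2, TPM_CC constants
PCR_COUNT = 24
DIGEST_LEN = 32                  # SHA-256 bank
PCR_SET = [7, 11]                # mirrors --pcrs=7,11 in the cover letter


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || measurement)."""
    return hashlib.sha256(pcr_value + measurement).digest()


def measure_boot(events):
    """Replay ordered (pcr_index, event_data) log entries into a fresh
    SHA-256 bank. PCRs 0-16 start as all zeros after reset; each event's
    data is hashed and the hash is extended into its PCR."""
    pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT
    for index, data in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs


def pcr_selection(indices, alg=TPM_ALG_SHA256) -> bytes:
    """Marshal a TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION:
    count(4) || hashAlg(2) || sizeofSelect(1) || pcrSelect bitmap (3 bytes
    for 24 PCRs, bit i of byte i//8 selects PCR i)."""
    select = bytearray(3)
    for i in indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, alg, len(select)) + bytes(select)


def policy_pcr_digest(pcrs, indices) -> bytes:
    """TPM2_PolicyPCR update for a fresh policy session (old digest all zero):
    policyDigest = H(zeros || TPM_CC_PolicyPCR || pcrs || digestTPM), where
    digestTPM = H(selected PCR values concatenated in ascending PCR order)."""
    digest_tpm = hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()
    return hashlib.sha256(
        bytes(DIGEST_LEN)
        + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(indices)
        + digest_tpm
    ).digest()


def unseal_allowed(sealed_policy: bytes, pcrs, indices) -> bool:
    """A sealed object is released only when the session's policy digest
    equals the authPolicy it was created with."""
    return policy_pcr_digest(pcrs, indices) == sealed_policy


# Constructed boot log (not real firmware measurements): PCR 7 carries Secure
# Boot state and the enrolled CA, PCR 4 the boot application, PCR 11 what the
# boot loader chain measures.
TRUSTED_BOOT = [
    (7, b"SecureBoot=1"),
    (7, b"db: OEM CA"),
    (4, b"EFI/BOOT/BOOTX64.EFI"),
    (11, b"core.img"),
    (11, b"vmlinuz"),
]


def scenario():
    """Seal against the trusted boot, then check three later boots."""
    sealed = policy_pcr_digest(measure_boot(TRUSTED_BOOT), PCR_SET)
    # Same machine state booted again: policy matches, key is released.
    trusted = unseal_allowed(sealed, measure_boot(TRUSTED_BOOT), PCR_SET)
    # Attacker disables Secure Boot to load their own loader: PCR 7 differs.
    disabled = [(7, b"SecureBoot=0")] + TRUSTED_BOOT[1:]
    secure_boot_disabled = unseal_allowed(sealed, measure_boot(disabled), PCR_SET)
    # A different boot application path changes only PCR 4, which is not sealed.
    other_app = [e if e[0] != 4 else (4, b"EFI/slint/grubx64.efi") for e in TRUSTED_BOOT]
    unrelated_pcr_changed = unseal_allowed(sealed, measure_boot(other_app), PCR_SET)
    return {
        "trusted": trusted,
        "secure_boot_disabled": secure_boot_disabled,
        "unrelated_pcr_changed": unrelated_pcr_changed,
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:>24}: {'key released' if ok else 'key withheld'}")
```

The point for the question above: with PCR sealing, the passphrase stops being what gates the key; the TPM's comparison of the live PCR digest against the sealed policy does. Whether that still protects a powered-off stolen laptop therefore depends on which PCRs are selected and on what the chain that produced those PCR values does after the key is released, since, as the last case shows, anything not covered by the selection can change without the TPM noticing.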