The patch series "Automatic TPM Disk Unlock" posted by Hernan Gatta introduces the key protector framework and the TPM2 stack to GRUB2, and it's a useful feature for systems to implement full disk encryption. However, it seems the development was stalled for a while, and I'd like to push it forward.

Patches 1~5 are Hernan Gatta's patch series(*) with a few modifications:

- Converting 8 spaces into 1 tab
- Merging the minor build fix from Michael Chang
- Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
- Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
- Rebasing "cryptodisk: Support key protectors" to the git master

To minimize the changes to Patches 1~5, the follow-up fixes (Patches 6~14) from my colleagues and me are committed separately. Those patches fix the problems we found while testing the original patchset.

Quote from Hernan Gatta's cover letter:

"
Updates since v1:

1. One key can unlock multiple disks:
   It is now possible to use key protectors with cryptomount's -a and -b options.

2. No passphrase prompt on error if key protector(s) specified:
   cryptomount no longer prompts for a passphrase if key protectors are specified but fail to provide a working unlock key, seeing as the user explicitly requested unlocking via key protectors.

3. Key protector parameterization is separate:
   Previously, one would parameterize a key protector via a colon-separated argument list nested within a cryptomount argument. Now, key protectors are expected to provide an initialization function, if necessary. As such, instead of:

     cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...

   one now writes:

     tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
     cryptomount -k tpm2

   Additionally, one may write:

     cryptomount -k protector_1 -k protector_2 ...

   where cryptomount will try each in order on failure.

4. Standard argument parsing:
   The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect tool uses 'struct argp_option'. Additionally, common argument parsing functionality is now shared between the module and the tool.

5. More useful messages:
   Both the TPM2 module and the grub-protect tool now provide more useful messages to help the user learn how to use their functionality (--help and --usage) as well as to determine what is wrong, if anything. Furthermore, the module now prints additional debug output to help diagnose problems.

I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177

Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
"

(*) https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00006.html

Gary Lin (8):
  tpm2: Don't measure the sealed key
  tpm2: adjust the input parameters of TPM2_EvictControl
  tpm2: declare the input arguments of TPM2 functions as const
  tpm2: resend the command on TPM_RC_RETRY
  tpm2: check the command parameters of TPM2 commands
  tpm2: pack the missing authorization command for TPM2_PCR_Read
  tpm2: allow some command parameters to be NULL
  tpm2: remove the unnecessary variables

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

Michael Chang (1):
  crytodisk: fix cryptodisk module looking up

 .gitignore                             |    1 +
 Makefile.util.def                      |   19 +
 configure.ac                           |    1 +
 grub-core/Makefile.am                  |    1 +
 grub-core/Makefile.core.def            |   12 +
 grub-core/disk/cryptodisk.c            |  176 +++-
 grub-core/kern/protectors.c            |   75 ++
 grub-core/tpm2/args.c                  |  129 +++
 grub-core/tpm2/buffer.c                |  145 +++
 grub-core/tpm2/module.c                |  710 +++++++++++++
 grub-core/tpm2/mu.c                    |  807 +++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 +++
 grub-core/tpm2/tpm2.c                  |  761 ++++++++++++++
 include/grub/cryptodisk.h              |   14 +
 include/grub/protector.h               |   48 +
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/args.h      |   39 +
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++
 include/grub/tpm2/mu.h                 |  292 ++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1314 ++++++++++++++++++++++++
 24 files changed, 5955 insertions(+), 33 deletions(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c

--
2.35.3

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
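As an added example (not from the patch series or either cover letter), a grub.cfg fragment that uses the v2 syntax quoted above: it initializes the TPM2 key protector, tries it first, and falls back to the interactive passphrase explicitly, since cryptomount no longer prompts when a key protector is specified and fails. The volume UUID and the sealed-key path are placeholders.

```grub
# Added example, not part of the patch series. PLACEHOLDER-UUID and the
# keyfile path are placeholders; --mode, --keyfile and --pcrs are the
# tpm2_key_protector_init options from the cover letter.
# The sealed key lives on the unencrypted boot partition and can only be
# unsealed while PCR 7 and 11 hold the values it was sealed against.
tpm2_key_protector_init --mode=srk --keyfile=(hd0,gpt1)/sealed.key --pcrs=7,11

# With -k given, cryptomount does not prompt for a passphrase on failure,
# so the fallback is handled here. A failure usually means the PCR values
# changed (different boot path or firmware state) or the key file is missing.
if cryptomount -u PLACEHOLDER-UUID -k tpm2; then
    echo "Disk unlocked via TPM2 key protector"
else
    echo "TPM2 key protector failed; falling back to passphrase"
    cryptomount -u PLACEHOLDER-UUID
fi
```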