GIT repo for v6: https://github.com/lcp/grub2/tree/tpm2-unlock-v6
This patch series is based on "Automatic TPM Disk Unlock" (*1) posted by Hernan Gatta to introduce the key protector framework and TPM2 stack to GRUB2, and this could be a useful feature for systems implementing full disk encryption.

To support the TPM 2.0 Key File format (*2), patches 1~6 are grabbed from Daniel Axtens's "appended signature secure boot support" (*3) to import libtasn1 into grub2. Besides, the libtasn1 version is upgraded to 4.19.0 instead of 4.16.0 in the original patch. Patch 7 adds the document for libtasn1 and the steps to upgrade the library.

Patches 8~12 are Hernan Gatta's patches with the follow-up fixes and improvements:
- Converting 8 spaces into 1 tab
- Merging the minor build fix from Michael Chang
- Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
- Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
- Rebasing "cryptodisk: Support key protectors" to the git master
- Removing the measurement on the sealed key
  - Based on the patch from Olaf Kirch <o...@suse.com>
- Adjusting the input parameters of TPM2_EvictControl to match the order in "TCG TPM2 Part3 Commands"
- Declaring the input arguments of TPM2 functions as const
- Resending TPM2 commands on TPM_RC_RETRY
- Adding checks for the parameters of TPM2 commands
- Packing the missing authorization command for TPM2_PCR_Read
- Tweaking the TPM2 command functions to allow some parameters to be NULL so that we don't have to declare empty variables
- Only enabling grub-protect for "efi" since the TPM2 stack currently relies on the EFI TCG2 protocol to send TPM2 commands
- Using grub_cpu_to_be*() in the TPM2 stack instead of grub_swap_bytes*(), which may cause problems on big-endian machines
- Changing the short name of "--protector" of "cryptomount" from "-k" to "-P" to avoid the conflict with "--key-file"
- Supporting TPM 2.0 Key File Format besides the raw sealed key
- Adding the external libtasn1 dependency to grub-protect to write the TPM 2.0 Key files

Patches 13~16 implement the authorized policy support.

Patch 17 implements the missing NV index mode. (Thanks to Patrick Colp)

Patch 18 improves the 'cryptomount' command to fall back to the passphrase mode when the key protector fails to unlock the encrypted partition. (Another patch from Patrick Colp)

Patches 19~20 fix the potential security issues spotted by Fabian Vogt.

To utilize the TPM2 key protector to unlock the encrypted partition (sdb1), here are the sample steps:

1. Add an extra random key for LUKS (luks-key)

   $ dd if=/dev/urandom of=luks-key bs=1 count=32
   $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2

2. Seal the key

   $ sudo grub-protect --action=add \
                       --protector=tpm2 \
                       --tpm2key \
                       --tpm2-keyfile=luks-key \
                       --tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm

3. Unseal the key with the proper commands in grub.cfg:

   tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
   cryptomount -u <SDB1_UUID> -P tpm2

(*1) https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00006.html
(*2) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
(*3) https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00044.html

v6:
- Supporting more SRK types than RSA2048 and ECC_NIST_P256
- Documenting SHA512 as the supported PCR bank type in the tpm2 protector
- Removing the redundant error message for grub_tpm2_protector_srk_get() since it may overwrite the real error message.
- Updating the supported SRK types and PCR bank types in grub-protect
- Removing the unused type: TPM2_ECC_CURVE

v5:
- https://lists.gnu.org/archive/html/grub-devel/2023-08/msg00113.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v5
- Rebasing to the latest git HEAD and improving the commit messages
- Implementing authorized policy support
- Implementing NV index mode
- Improving the 'cryptomount' command to fall back to the passphrase mode when the key protector fails to unlock the encrypted partition
- Fixing the potential security issues

v4:
- https://lists.gnu.org/archive/html/grub-devel/2023-04/msg00104.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v4
- Improving the error condition checks in cryptodisk.c
- Moving the code to unseal with the standalone policy sequence below the code for the authpolicy sequence
  - The standalone policy sequence was mistakenly prepended to the authpolicy sequence with grub_list_push() while it should be appended.
- Pushing the error messages from the authpolicy sequence into the grub_error stack so that we can list all errors from the sequence
- Improving the error messages in the TPM2 protector
- Amending the calculation of the max string lengths of 'Policy', 'CommandCode' and 'CommandPolicy'
- Skipping the error path in grub_tpm2key_get_authpolicy_seq() on success to avoid freeing the authpolicy sequence

v3:
- https://lists.gnu.org/archive/html/grub-devel/2023-04/msg00055.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v3
- Adding the document for libtasn1
- Improving the error condition checks, e.g.:
    "if (!ptr)" ==> "if (ptr == NULL)"
    "if (err)" ==> "if (err != GRUB_ERR_NONE)"
    "if (rc)"  ==> "if (rc != TPM_RC_SUCCESS)"
- Supporting the "TPMPolicy" and "TPMAuthPolicy" sequence in the TPM 2.0 Key File
- Refactoring the key recover function to support the "TPMPolicy" and "TPMAuthPolicy" sequence
- Using TPMS_PCR_SELECTION_SelectPCR() to set the PCR bit mask
  - Also dropping TPM2_PCR_TO_SELECT() and TPM2_PCR_TO_BIT(), which are not necessary anymore
- Removing the redundant variable, 'crd', from grub_cryptodisk_scan_device_real()
- Fixing the spaces/tabs in cryptodisk.c
- Fixing the comment format in cryptodisk.h
- Adding the defensive check for "cargs->protectors" in grub_cryptodisk_scan_device()
- Improving 'grub-protect' for the better support of TPM 2.0 Key File
- Adding more comments

v2:
- https://lists.gnu.org/archive/html/grub-devel/2023-03/msg00094.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v2

v1:
- https://lists.gnu.org/archive/html/grub-devel/2023-02/msg00130.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock

Daniel Axtens (6):
  posix_wrap: tweaks in preparation for libtasn1
  libtasn1: import libtasn1-4.19.0
  libtasn1: disable code not needed in grub
  libtasn1: changes for grub compatibility
  libtasn1: compile into asn1 module
  test_asn1: test module for libtasn1

Gary Lin (7):
  libtasn1: Add the documentation
  tpm2: Add TPM2 types, structures, and command constants
  tpm2: Add more marshal/unmarshal functions
  tpm2: Implement more TPM2 commands
  tpm2: Support authorized policy
  cryptodisk: wipe out the cached keys from protectors
  diskfilter: look up cryptodisk devices first

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

Patrick Colp (2):
  protectors: Implement NV index
  cryptodisk: Fallback to passphrase

 .gitignore                                    |    2 +
 Makefile.util.def                             |   29 +
 configure.ac                                  |    9 +
 docs/grub-dev.texi                            |   27 +
 grub-core/Makefile.am                         |    1 +
 grub-core/Makefile.core.def                   |   42 +
 grub-core/disk/cryptodisk.c                   |  183 +-
 grub-core/disk/diskfilter.c                   |   35 +-
 grub-core/kern/protectors.c                   |   75 +
 ...asn1-disable-code-not-needed-in-grub.patch |  311 ++
 ...tasn1-changes-for-grub-compatibility.patch |  209 ++
 grub-core/lib/libtasn1/COPYING                |   16 +
 grub-core/lib/libtasn1/README.md              |   98 +
 grub-core/lib/libtasn1/lib/coding.c           | 1433 ++++++++++
 grub-core/lib/libtasn1/lib/decoding.c         | 2504 +++++++++++++++++
 grub-core/lib/libtasn1/lib/element.c          | 1110 ++++++++
 grub-core/lib/libtasn1/lib/element.h          |   42 +
 grub-core/lib/libtasn1/lib/errors.c           |  103 +
 grub-core/lib/libtasn1/lib/gstr.c             |   74 +
 grub-core/lib/libtasn1/lib/gstr.h             |   50 +
 grub-core/lib/libtasn1/lib/int.h              |  221 ++
 grub-core/lib/libtasn1/lib/parser_aux.c       | 1179 ++++++++
 grub-core/lib/libtasn1/lib/parser_aux.h       |  172 ++
 grub-core/lib/libtasn1/lib/structure.c        | 1227 ++++++++
 grub-core/lib/libtasn1/lib/structure.h        |   46 +
 .../tests/CVE-2018-1000654-1_asn1_tab.h       |   32 +
 .../tests/CVE-2018-1000654-2_asn1_tab.h       |   36 +
 .../libtasn1_wrap/tests/CVE-2018-1000654.c    |   61 +
 .../lib/libtasn1_wrap/tests/Test_overflow.c   |  138 +
 .../lib/libtasn1_wrap/tests/Test_simple.c     |  207 ++
 .../lib/libtasn1_wrap/tests/Test_strings.c    |  150 +
 .../libtasn1_wrap/tests/object-id-decoding.c  |  116 +
 .../libtasn1_wrap/tests/object-id-encoding.c  |  120 +
 .../lib/libtasn1_wrap/tests/octet-string.c    |  211 ++
 .../lib/libtasn1_wrap/tests/reproducers.c     |   81 +
 grub-core/lib/libtasn1_wrap/wrap.c            |   26 +
 grub-core/lib/libtasn1_wrap/wrap_tests.c      |   75 +
 grub-core/lib/libtasn1_wrap/wrap_tests.h      |   38 +
 grub-core/lib/posix_wrap/limits.h             |    1 +
 grub-core/lib/posix_wrap/stdlib.h             |    8 +
 grub-core/lib/posix_wrap/sys/types.h          |    1 +
 grub-core/tpm2/args.c                         |  177 ++
 grub-core/tpm2/buffer.c                       |  145 +
 grub-core/tpm2/module.c                       | 1153 ++++++++
 grub-core/tpm2/mu.c                           | 1069 +++++++
 grub-core/tpm2/tcg2.c                         |  143 +
 grub-core/tpm2/tpm2.c                         | 1185 ++++++++
 grub-core/tpm2/tpm2key.asn                    |   31 +
 grub-core/tpm2/tpm2key.c                      |  440 +++
 grub-core/tpm2/tpm2key_asn1_tab.c             |   41 +
 include/grub/cryptodisk.h                     |   16 +
 include/grub/libtasn1.h                       |  645 +++++
 include/grub/protector.h                      |   48 +
 include/grub/tpm2/buffer.h                    |   65 +
 include/grub/tpm2/internal/args.h             |   41 +
 include/grub/tpm2/internal/functions.h        |  174 ++
 include/grub/tpm2/internal/structs.h          |  761 +++++
 include/grub/tpm2/internal/types.h            |  384 +++
 include/grub/tpm2/mu.h                        |  367 +++
 include/grub/tpm2/tcg2.h                      |   34 +
 include/grub/tpm2/tpm2.h                      |   34 +
 include/grub/tpm2/tpm2key.h                   |   83 +
 tests/test_asn1.in                            |   12 +
 util/grub-protect.c                           | 1524 ++++++++++
 64 files changed, 19030 insertions(+), 41 deletions(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 create mode 100644 grub-core/lib/libtasn1-patches/0002-libtasn1-changes-for-grub-compatibility.patch
 create mode 100644 grub-core/lib/libtasn1/COPYING
 create mode 100644 grub-core/lib/libtasn1/README.md
 create mode 100644 grub-core/lib/libtasn1/lib/coding.c
 create mode 100644 grub-core/lib/libtasn1/lib/decoding.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.c
 create mode 100644 grub-core/lib/libtasn1/lib/element.h
 create mode 100644 grub-core/lib/libtasn1/lib/errors.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.c
 create mode 100644 grub-core/lib/libtasn1/lib/gstr.h
 create mode 100644 grub-core/lib/libtasn1/lib/int.h
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.c
 create mode 100644 grub-core/lib/libtasn1/lib/parser_aux.h
 create mode 100644 grub-core/lib/libtasn1/lib/structure.c
 create mode 100644 grub-core/lib/libtasn1/lib/structure.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-1_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654-2_asn1_tab.h
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/CVE-2018-1000654.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_overflow.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_simple.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/Test_strings.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-decoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/object-id-encoding.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/octet-string.c
 create mode 100644 grub-core/lib/libtasn1_wrap/tests/reproducers.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.c
 create mode 100644 grub-core/lib/libtasn1_wrap/wrap_tests.h
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 grub-core/tpm2/tpm2key.asn
 create mode 100644 grub-core/tpm2/tpm2key.c
 create mode 100644 grub-core/tpm2/tpm2key_asn1_tab.c
 create mode 100644 include/grub/libtasn1.h
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 include/grub/tpm2/tpm2key.h
 create mode 100644 tests/test_asn1.in
 create mode 100644 util/grub-protect.c

Range-diff against v5:
1: 4abbfb9b9 = 1: ce1046fdf posix_wrap: tweaks in preparation for libtasn1
2: 032237404 = 2: 220080a05 libtasn1: import libtasn1-4.19.0
3: c8ef29db6 = 3: 864377f07 libtasn1: disable code not needed in grub
4: 8ec6f5492 = 4: 3cfb8ddae libtasn1: changes for grub compatibility
5: 8d1a2c5cf = 5: 60ab496c6 libtasn1: compile into asn1 module
6: ab12479d6 = 6: faf04ebc4 test_asn1: test module for libtasn1
7: e99338e18 = 7: 47f892593 libtasn1: Add the documentation
8: 0e699ac18 = 8: 5288c347f protectors: Add key protectors framework
9: c806992eb !
9: c5a42cf33 tpm2: Add TPM Software Stack (TSS) @@ include/grub/tpm2/internal/types.h (new) +#define TPM_RH_AUTH_FF ((TPM_RH) 0x4000010F) +#define TPM_RH_LAST ((TPM_RH) 0x4000010F) + -+/* TPM2_ECC_CURVE Constants */ -+typedef grub_uint16_t TPM2_ECC_CURVE; ++/* TPM_ECC_CURVE Constants */ ++typedef grub_uint16_t TPM_ECC_CURVE; + +#define TPM_ECC_NONE ((TPM_ECC_CURVE) 0x0000) +#define TPM_ECC_NIST_P192 ((TPM_ECC_CURVE) 0x0001) @@ include/grub/tpm2/internal/types.h (new) +typedef grub_uint16_t TPM_KEY_BITS; + +/* TPM_ECC_CURVE Types */ -+typedef grub_uint16_t TPM_ECC_CURVE; -+ +typedef TPM_ECC_CURVE TPMI_ECC_CURVE; + +/* TPMI_RH_PROVISION Type */ 10: 7c08cc056 ! 10: b2c850be3 protectors: Add TPM2 Key Protector @@ Commit message Currently, there is only one supported policy command: TPM2_PolicyPCR. The command set can be extended to support advanced features, such as - as authorized policy, in the future. + authorized policy, in the future. Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com> Signed-off-by: Gary Lin <g...@suse.com> @@ grub-core/tpm2/args.c (new) +} + +grub_err_t -+grub_tpm2_protector_parse_asymmetric (const char *value, TPM_ALG_ID *asymmetric) ++grub_tpm2_protector_parse_asymmetric (const char *value, ++ TPM_ALG_ID *asymmetric, ++ TPM_KEY_BITS *rsa_bits, ++ TPM_ECC_CURVE *ecc_curve) +{ -+ if (grub_strcasecmp (value, "ECC") == 0) -+ *asymmetric = TPM_ALG_ECC; -+ else if (grub_strcasecmp (value, "RSA") == 0) -+ *asymmetric = TPM_ALG_RSA; ++ if (grub_strcasecmp (value, "ECC") == 0 || ++ grub_strcasecmp (value, "ECC_NIST_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P256; ++ } ++ else if (grub_strcasecmp (value, "RSA") == 0 || ++ grub_strcasecmp (value, "RSA2048") == 0) ++ { ++ *asymmetric = TPM_ALG_RSA; ++ *rsa_bits = 2048; ++ } ++ else if (grub_strcasecmp (value, "RSA3072") == 0) ++ { ++ *asymmetric = TPM_ALG_RSA; ++ *rsa_bits = 3072; ++ } ++ else if (grub_strcasecmp (value, "RSA4096") == 0) ++ { ++ *asymmetric = 
TPM_ALG_RSA; ++ *rsa_bits = 4096; ++ } ++ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P384; ++ } ++ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_NIST_P521; ++ } ++ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_BN_P256; ++ } ++ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_BN_P638; ++ } ++ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0) ++ { ++ *asymmetric = TPM_ALG_ECC; ++ *ecc_curve = TPM_ECC_SM2_P256; ++ } + else + return grub_error (GRUB_ERR_OUT_OF_RANGE, + N_("Value '%s' is not a valid asymmetric key type"), @@ grub-core/tpm2/module.c (new) + grub_uint8_t pcrs[TPM_MAX_PCRS]; + grub_uint8_t pcr_count; + TPM_ALG_ID asymmetric; ++ TPM_KEY_BITS rsa_bits; ++ TPM_ECC_CURVE ecc_curve; + TPM_ALG_ID bank; + const char *tpm2key; + const char *keyfile; @@ grub-core/tpm2/module.c (new) + .type = ARG_TYPE_STRING, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), or SHA384."), ++ "SHA1, SHA256 (default), SHA384 or SHA512."), + }, + /* SRK-mode options */ + { @@ grub-core/tpm2/module.c (new) + .arg = NULL, + .type = ARG_TYPE_STRING, + .doc = -+ N_("In SRK mode, the type of SRK: RSA (default) or ECC."), ++ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, " ++ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, " ++ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. 
" ++ "(default is RSA2048)"), + }, + /* NV Index-mode options */ + { @@ grub-core/tpm2/module.c (new) + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + } + else if (ctx->asymmetric == TPM_ALG_ECC) @@ grub-core/tpm2/module.c (new) + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; ++ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + } + else @@ grub-core/tpm2/module.c (new) + /* Get the SRK to unseal the sealed key */ + err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle); + if (err != GRUB_ERR_NONE) -+ { -+ grub_error (err, N_("Failed to retrieve the SRK")); -+ goto exit1; -+ } ++ goto exit1; + + /* Load the sealed key and associate it with the SRK */ + authCmd.sessionHandle = TPM_RS_PW; @@ grub-core/tpm2/module.c (new) + ctx->srk = TPM2_SRK_HANDLE; + + if (!ctx->asymmetric) -+ ctx->asymmetric = TPM_ALG_RSA; ++ { ++ ctx->asymmetric = TPM_ALG_RSA; ++ ctx->rsa_bits = 2048; ++ } + } + + return GRUB_ERR_NONE; @@ grub-core/tpm2/module.c (new) + if (state[OPTION_ASYMMETRIC].set) /* asymmetric */ + { + err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg, -+ &grub_tpm2_protector_ctx.asymmetric); ++ &grub_tpm2_protector_ctx.asymmetric, ++ &grub_tpm2_protector_ctx.rsa_bits, ++ &grub_tpm2_protector_ctx.ecc_curve); + if (err != GRUB_ERR_NONE) + return err; + } 
@@ include/grub/tpm2/internal/args.h (new) + +grub_err_t +grub_tpm2_protector_parse_asymmetric (const char *value, -+ TPM_ALG_ID *asymmetric); ++ TPM_ALG_ID *asymmetric, ++ TPM_KEY_BITS *rsa_bits, ++ TPM_ECC_CURVE *ecc_curve); + +grub_err_t +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank); 11: aab155530 = 11: 2b7018865 cryptodisk: Support key protectors 12: 3e175a1e8 ! 12: e5a1c5fe6 util/grub-protect: Add new tool @@ util/grub-protect.c (new) + grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS]; + grub_uint8_t tpm2_pcr_count; + TPM_ALG_ID tpm2_asymmetric; ++ TPM_KEY_BITS rsa_bits; ++ TPM_ECC_CURVE ecc_curve; + TPM_ALG_ID tpm2_bank; + TPM_HANDLE tpm2_srk; + const char *tpm2_keyfile; @@ util/grub-protect.c (new) + { + .name = "tpm2-bank", + .key = GRUB_PROTECT_OPT_TPM2_BANK, -+ .arg = "SHA1|SHA256|SHA384", ++ .arg = "ALG", + .flags = 0, + .doc = + N_("Bank of PCRs used to authorize key release: " -+ "SHA1, SHA256 (default), or SHA384."), ++ "SHA1, SHA256 (default), or SHA512."), + .group = 0 + }, + { @@ util/grub-protect.c (new) + { + .name = "tpm2-asymmetric", + .key = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC, -+ .arg = "RSA|ECC", ++ .arg = "TYPE", + .flags = 0, + .doc = -+ N_("The type of SRK: RSA (default) or ECC."), ++ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, " ++ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, " ++ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. " ++ "(default is RSA2048)"), + .group = 0 + }, + { @@ util/grub-protect.c (new) + pcr_digest_len = TPM_SHA256_DIGEST_SIZE; + hash_spec = GRUB_MD_SHA256; + break; ++ case TPM_ALG_SHA512: ++ pcr_digest_len = TPM_SHA512_DIGEST_SIZE; ++ hash_spec = GRUB_MD_SHA512; ++ break; ++ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(), ++ it's not supported by the built-in libgcrypt, and we won't be able to ++ calculate the PCR digest, so SHA384 is marked as unsupported. 
*/ + default: + return GRUB_ERR_BAD_ARGUMENT; + } @@ util/grub-protect.c (new) + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.rsaDetail.keyBits = 2048; ++ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits; + inPublic.publicArea.parameters.rsaDetail.exponent = 0; + break; + @@ util/grub-protect.c (new) + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128; + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB; + inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL; -+ inPublic.publicArea.parameters.eccDetail.curveID = TPM_ECC_NIST_P256; ++ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve; + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL; + break; + @@ util/grub-protect.c (new) + args->tpm2_srk = TPM2_SRK_HANDLE; + + if (args->tpm2_asymmetric == TPM_ALG_ERROR) -+ args->tpm2_asymmetric = TPM_ALG_RSA; ++ { ++ args->tpm2_asymmetric = TPM_ALG_RSA; ++ args->rsa_bits = 2048; ++ } + + if (args->tpm2_bank == TPM_ALG_ERROR) + args->tpm2_bank = TPM_ALG_SHA256; @@ util/grub-protect.c (new) + return EINVAL; + } + -+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric); ++ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric, ++ &args->rsa_bits, &args->ecc_curve); + if (err != GRUB_ERR_NONE) + { + if (grub_errno != GRUB_ERR_NONE) 13: 110e46ce2 ! 
13: 9e8be3913 tpm2: Add TPM2 types, structures, and command constants @@ include/grub/tpm2/internal/types.h: typedef grub_uint16_t TPM_ALG_ID; #define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012) #define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013) #define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025) -@@ include/grub/tpm2/internal/types.h: typedef grub_uint16_t TPM2_ECC_CURVE; +@@ include/grub/tpm2/internal/types.h: typedef grub_uint16_t TPM_ECC_CURVE; /* TPM_CC Constants */ typedef grub_uint32_t TPM_CC;
14: 6a510e6bb = 14: edd137be2 tpm2: Add more marshal/unmarshal functions
15: 500e6f081 = 15: 7b2f93b23 tpm2: Implement more TPM2 commands
16: 350089cdd = 16: effc0933b tpm2: Support authorized policy
17: 8047e574a = 17: 94dd8146c protectors: Implement NV index
18: 26510a9ba = 18: 5700a35fb cryptodisk: Fallback to passphrase
19: fb1a22e16 = 19: 0aed42f83 cryptodisk: wipe out the cached keys from protectors
20: 11a0350ab = 20: b7157d893 diskfilter: look up cryptodisk devices first
--
2.35.3

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
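Review bot: in the include/grub/tpm2/internal/types.h hunk of patch 9, the comment header `/* TPM_ECC_CURVE Types */` now sits above only `typedef TPM_ECC_CURVE TPMI_ECC_CURVE;` once the duplicate `typedef grub_uint16_t TPM_ECC_CURVE;` is dropped; renaming it to `/* TPMI_ECC_CURVE Type */` would match the neighbouring `/* TPMI_RH_PROVISION Type */` header and make it clear that the base type is defined exactly once, in the constants block above.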
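Review bot: grub_tpm2_protector_parse_asymmetric() in the grub-core/tpm2/args.c hunk of patch 10 has grown to nine grub_strcasecmp() branches, and the same list of names is spelled out a second time in the `.doc` string of grub-core/tpm2/module.c and a third time in util/grub-protect.c; a table-driven parser (a static array of {name, TPM_ALG_ID, TPM_KEY_BITS, TPM_ECC_CURVE} from which the help text is generated) would keep the three lists from drifting when the next curve is added. The include/grub/tpm2/internal/args.h declaration should also document that the function writes only one of `*rsa_bits` / `*ecc_curve`, so callers must not read the other after a call.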
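Review bot: the default-selection hunk in grub-core/tpm2/module.c still tests `if (!ctx->asymmetric)` while the matching code in util/grub-protect.c uses `if (args->tpm2_asymmetric == TPM_ALG_ERROR)`; the v3 changelog adopted explicit comparisons (`if (err != GRUB_ERR_NONE)`), so the module should use `ctx->asymmetric == TPM_ALG_ERROR` as well. Dropping the `grub_error (err, N_("Failed to retrieve the SRK"))` wrapper after grub_tpm2_protector_srk_get() is right, since it overwrote the callee's more specific error, but a one-line comment at the `goto exit1;` saying the callee already set grub_errno would stop the next reader from putting the message back.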
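Review bot: in the util/grub-protect.c bank switch of patch 12, SHA384 is still accepted by grub_tpm2_protector_parse_bank() and only falls out through `default: return GRUB_ERR_BAD_ARGUMENT;`, so a user following the module's own help text (`SHA1, SHA256 (default), SHA384 or SHA512`) gets a generic bad-argument failure with no hint that the util build lacks SHA384 in libgcrypt; reject it where `--tpm2-bank` is parsed with a message naming the unsupported algorithm, and state in the tool's `--help` or the documentation that grub-protect and the tpm2 module advertise different bank lists. Replacing `.arg = "SHA1|SHA256|SHA384"` with `.arg = "ALG"` removes the at-a-glance list from `--help`; the `.doc` string now carries it, which is fine as long as the two are kept in sync.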
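The TPM 2.0 Key File format referenced above as (*2), which the tpm2key.asn and libtasn1 parts of this series parse, is a DER-encoded TPMKey structure carrying the sealed object's public and private blobs, its parent handle, and an optional list of TPMPolicy entries (a CommandCode plus its CommandPolicy). The following is an added example, not code from this series or from libtasn1: a small stand-alone DER encoder and parser for that structure in Python, following draft-bottomley-tpm2-keys. The ASN.1 layout, the id-sealedkey OID 2.23.133.10.1.5, the TPM2_PolicyPCR command code 0x17F and the handle-type bytes are taken from that draft and the TCG specification rather than from the cover letter; all key bytes, handles and the PCR policy digest are constructed placeholders. It shows the checks a loader should make before handing the blobs to TPM2_Load: object type, bounded lengths, a parent handle in the permanent or persistent range, and no trailing data.

```python
"""Minimal DER encoder/parser for the TPM 2.0 Key File (draft-bottomley-tpm2-keys).
Added example, not GRUB's tpm2key.c or libtasn1; every byte value below is constructed."""

BOOLEAN, INTEGER, OCTET_STRING, OID, SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30  # ASN.1 tags
OID_SEALED_KEY = "2.23.133.10.1.5"          # id-sealedkey from the draft
TPM_CC_POLICY_PCR = 0x0000017F              # TCG TPM2 Part 2 command code for TPM2_PolicyPCR
TPM_HT_PERMANENT, TPM_HT_PERSISTENT = 0x40, 0x81  # handle types a parent may legitimately use


def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form: 0x80|count, then count bytes
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v):  # non-negative INTEGER; a leading 0x00 is added when the top bit is set
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128 with continuation bit on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(OID, bytes(out))


def explicit(n, body):  # context-specific [n] EXPLICIT wrapper
    return tlv(0xA0 | n, body)


def encode_tpm_key(parent, pubkey, privkey, policies=(), empty_auth=True):
    """policies: (CommandCode, CommandPolicy) pairs -> [1] SEQUENCE OF TPMPolicy."""
    body = der_oid(OID_SEALED_KEY)
    if empty_auth:
        body += explicit(0, tlv(BOOLEAN, b"\xff"))
    if policies:
        items = b"".join(tlv(SEQUENCE, explicit(0, der_int(cc)) +
                             explicit(1, tlv(OCTET_STRING, cp))) for cc, cp in policies)
        body += explicit(1, tlv(SEQUENCE, items))
    body += der_int(parent) + tlv(OCTET_STRING, pubkey) + tlv(OCTET_STRING, privkey)
    return tlv(SEQUENCE, body)


def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos); refuse truncated data and unexpected tags."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want, tag))
    return tag, bytes(buf[pos:pos + length]), pos + length


def parse_policy_list(body):
    """SEQUENCE OF TPMPolicy -> [(CommandCode, CommandPolicy), ...]"""
    out, pos = [], 0
    while pos < len(body):
        _, pol, pos = read_tlv(body, pos, SEQUENCE)
        _, cc_wrap, p = read_tlv(pol, 0, 0xA0)
        _, cp_wrap, _ = read_tlv(pol, p, 0xA1)
        cc = read_tlv(cc_wrap, 0, INTEGER)[1]
        out.append((int.from_bytes(cc, "big"), read_tlv(cp_wrap, 0, OCTET_STRING)[1]))
    return out


def parse_tpm_key(blob):
    """Parse a TPMKey, rejecting wrong object types, odd parents and trailing data."""
    _, body, end = read_tlv(blob, 0, SEQUENCE)
    if end != len(blob):
        raise ValueError("trailing bytes after TPMKey")
    _, oid, pos = read_tlv(body, 0, OID)
    if tlv(OID, oid) != der_oid(OID_SEALED_KEY):
        raise ValueError("not an id-sealedkey object")
    key = {"emptyAuth": False, "policy": [], "secret": None, "authPolicy": None}
    # Optional members [0] emptyAuth, [1] policy, [2] secret, [3] authPolicy, in order
    while pos < len(body) and (body[pos] & 0xE0) == 0xA0:
        tag, wrapped, pos = read_tlv(body, pos)
        n = tag & 0x1F
        if n == 0:
            key["emptyAuth"] = read_tlv(wrapped, 0, BOOLEAN)[1] != b"\x00"
        elif n == 1:
            key["policy"] = parse_policy_list(read_tlv(wrapped, 0, SEQUENCE)[1])
        elif n in (2, 3):  # secret / authPolicy: checked as TLVs, kept opaque here
            key[("secret", "authPolicy")[n - 2]] = read_tlv(wrapped, 0)[1]
        else:
            raise ValueError("unknown context tag [%d]" % n)
    _, parent, pos = read_tlv(body, pos, INTEGER)
    key["parent"] = int.from_bytes(parent, "big")
    if key["parent"] >> 24 not in (TPM_HT_PERMANENT, TPM_HT_PERSISTENT):
        raise ValueError("parent 0x%08x is not a permanent or persistent handle" % key["parent"])
    _, key["pubkey"], pos = read_tlv(body, pos, OCTET_STRING)
    _, key["privkey"], pos = read_tlv(body, pos, OCTET_STRING)
    if pos != len(body):
        raise ValueError("trailing bytes inside TPMKey")
    return key


# Constructed sample: sealed under the default SRK handle 0x81000001, released only
# through TPM2_PolicyPCR; the CommandPolicy bytes stand in for a real PCR digest.
SAMPLE_KEY = encode_tpm_key(0x81000001, b"\x00\x0e" + b"P" * 14, b"\x00\x10" + b"S" * 16,
                            policies=[(TPM_CC_POLICY_PCR, b"\xab" * 32)])
```

Importing the module builds SAMPLE_KEY; parse_tpm_key(SAMPLE_KEY) returns the parent 0x81000001 and a single (TPM_CC_POLICY_PCR, digest) policy entry, while the same parser rejects a key with a trailing byte or with a parent in the transient handle range. The [3] authPolicy member that patches 13~16 implement in GRUB is validated as a TLV but left opaque here.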