On Mon, Apr 15, 2024 at 10:26:32AM -0400, Stefan Berger wrote:
>
>
> On 4/15/24 05:45, Gary Lin wrote:
> > On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
> > >
> > >
> > >
> > > On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
> > > > GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
> > > >
> > > > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > > > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > > > to GRUB2, and this could be a useful feature for the systems to
> > > > implement full disk encryption.
> > >
> > > You also need to extend the documentation with the command line steps and a
> > > IMO there has to be a warning for VM users that sealing to PCRs inside a VM
> > > is dangerous since the next packages update may bring an update to TianoCore
> > > UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
> > > work then.
> > >
> > For baremetal users, it still could happen after upgrading the firmware.
>
> Right but this is much rarer.
>
> > We surely need a place to notice users this situation when using PCR
> > 0~7.
>
> PCRs 8-9 probably have to be all zeros at the time of sealing (running the
> user space application for setting this up) so they have the values at the
> time before grub measures kernel and initramfs, right?
>
For grub-protect, yes. On the other hand, pcr-oracle can predict PCR 9 based on the current grub.cfg and the eventlog. PCR 8 is tricky because grub measures the command with the expanded variables, and pcr-oracle has to be improved to parse all grub config files to make the prediction.
Gary Lin
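As an added illustration of the two points raised in this thread (a firmware update changing PCR 0-7 breaks unsealing, and PCR 9 can be predicted from the measured files while PCR 8 depends on the command lines as GRUB expands them), here is a small example that is not part of GRUB, grub-protect or pcr-oracle. It models a SHA-256 PCR bank with the TPM extend rule, replays a constructed event log the way a prediction tool would, and computes the pcrDigest a PolicyPCR-sealed key is bound to. The event digests, kernel/initramfs bytes and grub.cfg line are constructed sample data; the assumption that GRUB measures file contents into PCR 9 and expanded command lines into PCR 8 follows the thread.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts at all zeros after reset


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    return sha256(pcr + digest)


def replay_event_log(log):
    """Recompute every PCR from an ordered list of (pcr_index, digest) events,
    which is what a predictor such as pcr-oracle does with the event log."""
    pcrs = {}
    for idx, digest in log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


def predict_pcr9(file_contents):
    """Model: GRUB measures the contents of each file it loads (kernel,
    initramfs) into PCR 9, so PCR 9 is predictable from the files alone."""
    pcr = PCR_INIT
    for data in file_contents:
        pcr = extend(pcr, sha256(data))
    return pcr


def predict_pcr8(command_lines):
    """Model: GRUB measures each executed command line into PCR 8 after
    variable expansion; feeding it raw grub.cfg text gives a wrong prediction."""
    pcr = PCR_INIT
    for cmd in command_lines:
        pcr = extend(pcr, sha256(cmd.encode()))
    return pcr


def pcr_digest(pcrs, selection):
    """The pcrDigest a TPM2_PolicyPCR policy binds to: hash of the selected
    PCR values concatenated in ascending PCR order."""
    return sha256(b"".join(pcrs[i] for i in sorted(selection)))


def unseal_would_succeed(log_at_seal, log_at_boot, selection=(0, 7)):
    """A key sealed to PCRs `selection` only unseals while the boot-time
    pcrDigest equals the one computed when the key was sealed."""
    return (pcr_digest(replay_event_log(log_at_seal), selection)
            == pcr_digest(replay_event_log(log_at_boot), selection))


# Constructed sample data (not from the thread); real logs carry many more events.
FW_LOG_BEFORE_UPDATE = [(0, sha256(b"constructed firmware volume, build 1")),
                        (7, sha256(b"SecureBoot=1"))]
FW_LOG_AFTER_UPDATE = [(0, sha256(b"constructed firmware volume, build 2")),
                       (7, sha256(b"SecureBoot=1"))]
KERNEL = b"constructed vmlinuz bytes"
INITRD = b"constructed initramfs bytes"
CFG_LINE = "linux /vmlinuz root=$root_uuid"                 # as written in grub.cfg
EXPANDED_LINE = "linux /vmlinuz root=UUID=CONSTRUCTED-1234"  # what GRUB measures


def demo():
    """Return the four observations the thread discusses, as booleans."""
    boot_log = FW_LOG_BEFORE_UPDATE + [(9, sha256(KERNEL)), (9, sha256(INITRD))]
    return {
        # same firmware at boot as at sealing time: policy satisfied
        "unseal_same_firmware": unseal_would_succeed(
            FW_LOG_BEFORE_UPDATE, FW_LOG_BEFORE_UPDATE),
        # firmware package update changed the PCR 0 measurement: policy fails
        "unseal_after_fw_update": unseal_would_succeed(
            FW_LOG_BEFORE_UPDATE, FW_LOG_AFTER_UPDATE),
        # PCR 9 predicted from the files equals the replayed event log value
        "pcr9_prediction_matches_log":
            predict_pcr9([KERNEL, INITRD]) == replay_event_log(boot_log)[9],
        # PCR 8 predicted from unexpanded grub.cfg text does not match
        "pcr8_raw_cfg_matches_expanded":
            predict_pcr8([CFG_LINE]) == predict_pcr8([EXPANDED_LINE]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The firmware-update case is the one the thread warns VM users about: nothing in the sealed policy distinguishes a malicious change from a routine TianoCore/SeaBIOS package upgrade, so a predictor (or a re-seal step in the update path) is needed before rebooting into new firmware.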