On Mon, Aug 26, 2024 at 04:37:33PM +0200, Daniel Kiper wrote:
> On Fri, Jun 28, 2024 at 04:18:43PM +0800, Gary Lin via Grub-devel wrote:
> > GIT repo for v18: https://github.com/lcp/grub2/tree/tpm2-unlock-v18
> >
> > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > to GRUB2, and this could be a useful feature for the systems to
> > implement full disk encryption.
> >
> > To support TPM 2.0 Key File format(*2), patch 1~6,8-10 are grabbed from
> > Daniel Axtens's "appended signature secure boot support" (*3) to import
> > libtasn1 into grub2. Besides, the libtasn1 version is upgraded to
> > 4.19.0 instead of 4.16.0 in the original patch.
> >
> > Patch 7 fixes a potential buffer overrun in libtasn1.
> > (https://gitlab.com/gnutls/libtasn1/-/issues/49)
> >
> > Patch 11 adds the document for libtasn1 and the steps to upgrade the
> > library.
> >
> > Patch 12~18 are based on Hernan Gatta's patches with the follow-up fixes
> > and improvements:
> > - Converting 8 spaces into 1 tab
> > - Merging the minor build fix from Michael Chang
> > - Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
> > - Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
> > - Rebasing "cryptodisk: Support key protectors" to the git master
> > - Removing the measurement on the sealed key
> >   - Based on the patch from Olaf Kirch <o...@suse.com>
> > - Adjusting the input parameters of TPM2_EvictControl to match the order
> >   in "TCG TPM2 Part3 Commands"
> > - Declaring the input arguments of TPM2 functions as const
> > - Resending TPM2 commands on TPM_RC_RETRY
> > - Adding checks for the parameters of TPM2 commands
> > - Packing the missing authorization command for TPM2_PCR_Read
> > - Tweaking the TPM2 command functions to allow some parameters to be
> >   NULL so that we don't have to declare empty variables
> > - Using grub_cpu_to_be*() in the TPM2 stack instead of grub_swap_bytes*()
> >   which may cause problems on big-endian machines
> > - Changing the short name of "--protector" of "cryptomount" from "-k" to
> >   "-P" to avoid the conflict with "--key-file"
> > - Supporting TPM 2.0 Key File Format besides the raw sealed key
> > - Adding the external libtasn1 dependency to grub-protect to write the
> >   TPM 2.0 Key files
> > - Extending the TPM2 TSS stack to support authorized policy
> >
> > Patch 19 implements the authorized policy support.
> >
> > Patch 20 implements the missing NV index mode. (Thanks to Patrick Colp)
> >
> > Patch 21 improves the 'cryptomount' command to fall back to the
> > passphrase mode when the key protector fails to unlock the encrypted
> > partition. (Another patch from Patrick Colp)
> >
> > Patch 22 and 23 fix the potential security issues spotted by Fabian Vogt.
> >
> > Patch 24 and 25 implement the TPM2 key unsealing testcases.
>
> It seems to me this patch set misses usage documentation with examples.
> Could you add it to the docs/grub.texi?
>
Ok. I can add a few examples, including how to set up a swtpm instance for grub-emu.

Gary Lin

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel