On Fri, Jun 28, 2024 at 04:19:02PM +0800, Gary Lin via Grub-devel wrote: > This commit handles the TPM2_PolicyAuthorize command from the key file > in TPM 2.0 Key File format. > > TPM2_PolicyAuthorize is the essential command to support authorized > policy which allows the users to sign TPM policies with their own keys. > Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize > comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and > 'TPMT_SIGNATURE signature'. To verify the signature, the current policy > digest is hashed with the hash algorithm written in 'signature', and then > 'signature' is verified with the hashed policy digest and 'pubkey'. Once > TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the > signed policy. > > To create the key file with authorized policy, here are the pcr-oracle(*2) > commands: > > # Generate the RSA key and create the authorized policy file > $ pcr-oracle \ > --rsa-generate-key \ > --private-key policy-key.pem \ > --auth authorized.policy \ > create-authorized-policy 0,2,4,7,9 > > # Seal the secret with the authorized policy > $ pcr-oracle \ > --key-format tpm2.0 \ > --auth authorized.policy \ > --input disk-secret.txt \ > --output sealed.key \ > seal-secret > > # Sign the predicted PCR policy > $ pcr-oracle \ > --key-format tpm2.0 \ > --private-key policy-key.pem \ > --from eventlog \ > --stop-event "grub-file=grub.cfg" \ > --after \ > --input sealed.key \ > --output sealed.tpm \ > sign 0,2,4,7,9 > > Then specify the key file and the key protector to grub.cfg in the EFI > system partition: > > tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm > cryptomount -u <PART_UUID> -P tpm2 > > For any change in the boot components, just run the 'sign' command again > to update the signature in sealed.tpm, and TPM can unseal the key file > with the updated PCR policy.
Again, this should land in the GRUB docs as well... > (*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html > (*2) https://github.com/okirch/pcr-oracle > > Signed-off-by: Gary Lin <g...@suse.com> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com> > --- > .../commands/tpm2_key_protector/module.c | 72 +++++++++++++++++++ > 1 file changed, 72 insertions(+) > > diff --git a/grub-core/commands/tpm2_key_protector/module.c > b/grub-core/commands/tpm2_key_protector/module.c > index 79440474b..a98109c43 100644 > --- a/grub-core/commands/tpm2_key_protector/module.c > +++ b/grub-core/commands/tpm2_key_protector/module.c > @@ -618,6 +618,75 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION > session, > return GRUB_ERR_NONE; > } > > +static grub_err_t > +grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session, > + struct grub_tpm2_buffer *cmd_buf) > +{ > + TPM2B_PUBLIC pubkey; > + TPM2B_DIGEST policy_ref; > + TPMT_SIGNATURE signature; > + TPM2B_DIGEST pcr_policy; > + TPM2B_DIGEST pcr_policy_hash; > + TPMI_ALG_HASH sig_hash; > + TPMT_TK_VERIFIED verification_ticket; > + TPM_HANDLE pubkey_handle = 0; > + TPM2B_NAME pubname; > + TPM_RC rc; > + grub_err_t err; > + > + grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey); > + grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref); > + grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature); > + if (cmd_buf->error != 0) > + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Failed to unmarshal the > buffer for TPM2_PolicyAuthorize")); > + > + /* Retrieve Policy Digest */ > + rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL); > + if (rc != TPM_RC_SUCCESS) > + return grub_error (GRUB_ERR_BAD_DEVICE, N_("Failed to get policy digest > (TPM2_PolicyGetDigest: 0x%x)."), rc); > + > + /* Calculate the digest of the polcy for VerifySignature */ > + sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature); > + if (sig_hash == TPM_ALG_NULL) > + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Failed to get the hash > algorithm of the signature")); > + > + rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash, A nit, wrong cast coding style... Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
