On Fri, Jun 28, 2024 at 04:19:08PM +0800, Gary Lin via Grub-devel wrote:
> For the tpm2_key_protector module, the TCG2 command submission function
> is the only difference between a QEMU instance and grub-emu. To test
> TPM2 key unsealing with a QEMU instance, it requires an extra OS image
> to invoke grub-protect to seal the LUKS key, rather than a simple
> grub-shell rescue CD image. On the other hand, grub-emu can share the
> emulated TPM2 device with the host, so that we can seal the LUKS key on
> host and test key unsealing with grub-emu.
>
> This test script firstly creates a simple LUKS image to be loaded as a
> loopback device in grub-emu. Then an emulated TPM2 device is created by
> "swtpm chardev" and PCR 0 and 1 are extended.
>
> There are several test cases in the script to test various settings. Each
> test case uses grub-protect or tpm2-tools to seal the LUKS password
> with PCR 0 and PCR 1. Then grub-emu is launched to load the LUKS image,
> try to mount the image with tpm2_key_protector_init and cryptomount, and
> verify the result.
>
> Based on the idea from Michael Chang.
>
> Cc: Michael Chang <mch...@suse.com>
> Cc: Stefan Berger <stef...@linux.ibm.com>
> Cc: Glenn Washburn <developm...@efficientek.com>
> Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel