On Fri, Sep 06, 2024 at 05:11:17PM +0800, Gary Lin via Grub-devel wrote:
> This commit handles the TPM2_PolicyAuthorize command from the key file
> in TPM 2.0 Key File format.
>
> TPM2_PolicyAuthorize is the essential command to support authorized
> policy which allows the users to sign TPM policies with their own keys.
> Per TPM 2.0 Key File (*1), CommandPolicy for TPM2_PolicyAuthorize
> comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
> 'TPMT_SIGNATURE signature'. To verify the signature, the current policy
> digest is hashed with the hash algorithm written in 'signature', and then
> 'signature' is verified with the hashed policy digest and 'pubkey'. Once
> TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
> signed policy.
>
> To create the key file with authorized policy, here are the pcr-oracle (*2)
> commands:
>
>   # Generate the RSA key and create the authorized policy file
>   $ pcr-oracle \
>       --rsa-generate-key \
>       --private-key policy-key.pem \
>       --auth authorized.policy \
>       create-authorized-policy 0,2,4,7,9
>
>   # Seal the secret with the authorized policy
>   $ pcr-oracle \
>       --key-format tpm2.0 \
>       --auth authorized.policy \
>       --input disk-secret.txt \
>       --output sealed.key \
>       seal-secret
>
>   # Sign the predicted PCR policy
>   $ pcr-oracle \
>       --key-format tpm2.0 \
>       --private-key policy-key.pem \
>       --from eventlog \
>       --stop-event "grub-file=grub.cfg" \
>       --after \
>       --input sealed.key \
>       --output sealed.tpm \
>       sign 0,2,4,7,9
>
> Then specify the key file and the key protector to grub.cfg in the EFI
> system partition:
>
>   tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
>   cryptomount -u <PART_UUID> -P tpm2
>
> For any change in the boot components, just run the 'sign' command again
> to update the signature in sealed.tpm, and TPM can unseal the key file
> with the updated PCR policy.
>
> (*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> (*2) https://github.com/okirch/pcr-oracle
>
> Signed-off-by: Gary Lin <g...@suse.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
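The digest chain behind the workflow quoted above, as an added illustration that is neither GRUB's nor pcr-oracle's code: the formulas are the TPM2_PolicyPCR and TPM2_PolicyAuthorize digest updates from the TCG TPM 2.0 Library, Part 3 (per that spec the signer's input is H(approvedPolicy || policyRef), which with an empty policy_ref is just the hash of the current policy digest as the post describes). The PCR set 0,2,4,7,9 is the one from the post; the PCR contents, the key's TPMT_PUBLIC bytes and the helper names are constructed placeholders.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B          # TPM_ALG_ID for SHA-256
TPM_CC_POLICYPCR = 0x017F        # TPM_CC for TPM2_PolicyPCR
TPM_CC_POLICYAUTHORIZE = 0x016A  # TPM_CC for TPM2_PolicyAuthorize
ZERO = bytes(32)                 # fresh policy session digest (SHA-256 sized)

def policy_pcr_digest(pcr_values: dict) -> bytes:
    """Digest TPM2_PolicyPCR leaves in a fresh SHA-256 session (the 'predicted PCR policy'):
    H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))."""
    select = bytearray(3)                      # 24-bit pcrSelect bitmap
    for idx in pcr_values:
        select[idx // 8] |= 1 << (idx % 8)
    # One TPMS_PCR_SELECTION: count=1, hash=SHA256, sizeofSelect=3, pcrSelect
    pcrs = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcr_values))).digest()
    return hashlib.sha256(ZERO + struct.pack(">I", TPM_CC_POLICYPCR) + pcrs + pcr_digest).digest()

def key_name(public_area: bytes) -> bytes:
    """Name of the signing key: nameAlg (UINT16) || H(TPMT_PUBLIC); the TPMT_PUBLIC is the
    body of the 'TPM2B_PUBLIC pubkey' stored in the key file."""
    return struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public_area).digest()

def ahash(approved_policy: bytes, policy_ref: bytes = b"") -> bytes:
    """What the holder of policy-key.pem actually signs: H(approvedPolicy || policyRef).
    With an empty policy_ref this is just the hash of the current policy digest."""
    return hashlib.sha256(approved_policy + policy_ref).digest()

def authorized_policy_digest(key_sign: bytes, policy_ref: bytes = b"") -> bytes:
    """Digest the sealed object is bound to after TPM2_PolicyAuthorize:
    H(H(0^32 || TPM_CC_PolicyAuthorize || keySign) || policyRef). It depends only on the
    key Name and policy_ref, so PCR changes only need a new signature, not resealing."""
    inner = hashlib.sha256(ZERO + struct.pack(">I", TPM_CC_POLICYAUTHORIZE) + key_sign).digest()
    return hashlib.sha256(inner + policy_ref).digest()

def demo() -> dict:
    """Constructed values only: the PCR contents and the public area are placeholders."""
    before = {i: hashlib.sha256(b"pcr%d v1" % i).digest() for i in (0, 2, 4, 7, 9)}
    after = {**before, 9: hashlib.sha256(b"pcr9 after grub.cfg edit").digest()}
    name = key_name(b"constructed TPMT_PUBLIC for policy-key.pem")
    return {
        "sealed_policy": authorized_policy_digest(name),   # unchanged across re-signs
        "ahash_before": ahash(policy_pcr_digest(before)),  # signature covers this...
        "ahash_after": ahash(policy_pcr_digest(after)),    # ...then this, after 'sign' re-run
    }
```

The sealed object's policy digest is fixed by the signing key's Name alone, which is exactly why re-running pcr-oracle's 'sign' step after a boot-component change suffices; anything not signed by policy-key.pem (or its policy_ref) cannot satisfy it.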