On Fri, Sep 06, 2024 at 05:11:18PM +0800, Gary Lin via Grub-devel wrote:
> From: Patrick Colp <patrick.c...@oracle.com>
>
> Currently with the TPM2 protector, only SRK mode is supported and
> NV index support is just a stub. Implement the NV index option.
>
> Note: This only extends support on the unseal path. grub2_protect

s/grub2_protect/grub-protect/?

> has not been updated. tpm2-tools can be used to insert a key into
> the NV index.
>
> An example of inserting a key using tpm2-tools:
>
>   # Get random key.
>   tpm2_getrandom 32 > key.dat
>
>   # Create primary object.
>   tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx
>
>   # Create policy object. `pcrs.dat` contains the PCR values to seal against.
>   tpm2_startauthsession -S session.dat
>   tpm2_policypcr -S session.dat -l sha256:7,11 -f pcrs.dat -L policy.dat
>   tpm2_flushcontext session.dat
>
>   # Seal key into TPM.
>   cat key.dat | tpm2_create -C primary.ctx -u key.pub -r key.priv -L policy.dat -i-
>   tpm2_load -C primary.ctx -u key.pub -r key.priv -n sealing.name -c sealing.ctx
>   tpm2_evictcontrol -C o -c sealing.ctx 0x81000000
>
> Then to unseal the key in grub, add this to grub.cfg:
>
>   tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=7,11
>   cryptomount -u <UUID> --protector tpm2
>
> Signed-off-by: Patrick Colp <patrick.c...@oracle.com>
> Signed-off-by: Gary Lin <g...@suse.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>

Otherwise Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>...

Daniel
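As an added illustration (not part of the patch or of this thread), the following Python reproduces the TPM2_PolicyPCR digest that `tpm2_policypcr -l sha256:7,11` derives from the PCR values in pcrs.dat, so an administrator can confirm that policy.dat, and therefore the PCR set the `--pcrs=7,11` line in grub.cfg must match, commits to the PCRs they intend. The PCR values used here are constructed stand-ins, not readings from a real TPM.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B       # hash algorithm id of the SHA-256 PCR bank
TPM_CC_POLICYPCR = 0x0000017F  # command code hashed into the policy digest


def pcr_selection(pcrs, hash_alg=TPM_ALG_SHA256, select_size=3):
    """Marshal a TPML_PCR_SELECTION with a single bank selecting `pcrs`."""
    bitmap = bytearray(select_size)
    for pcr in pcrs:
        bitmap[pcr // 8] |= 1 << (pcr % 8)
    # count (UINT32) || hashAlg (UINT16) || sizeofSelect (UINT8) || pcrSelect[]
    return struct.pack(">IHB", 1, hash_alg, select_size) + bytes(bitmap)


def pcr_digest(pcr_values):
    """pcrDigest = SHA-256 over the selected PCR values in ascending PCR order."""
    h = hashlib.sha256()
    for _, value in sorted(pcr_values.items()):
        h.update(value)
    return h.digest()


def policy_pcr(pcr_values, old_policy=bytes(32)):
    """One TPM2_PolicyPCR step on a fresh (all-zero) policy:
    newPolicy = SHA-256(oldPolicy || TPM_CC_PolicyPCR || selection || pcrDigest)."""
    h = hashlib.sha256()
    h.update(old_policy)
    h.update(struct.pack(">I", TPM_CC_POLICYPCR))
    h.update(pcr_selection(sorted(pcr_values)))
    h.update(pcr_digest(pcr_values))
    return h.digest()


# Constructed stand-ins for the SHA-256 bank values of PCR 7 and PCR 11.
CONSTRUCTED_PCRS = {7: b"\x11" * 32, 11: b"\x22" * 32}


def policy_hex(pcr_values=CONSTRUCTED_PCRS):
    """Hex form of the digest, for comparison with `xxd policy.dat`."""
    return policy_pcr(pcr_values).hex()


if __name__ == "__main__":
    print("selection:", pcr_selection([7, 11]).hex())
    print("policy:   ", policy_hex())
```

Any change to either PCR value, or to the set of selected PCRs, yields a different digest, which is why the PCR list given to the protector in grub.cfg has to match the one used when sealing.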
