On Wed, Oct 16, 2024 at 06:11:49PM +0200, Daniel Kiper wrote:
> On Fri, Sep 06, 2024 at 05:11:18PM +0800, Gary Lin via Grub-devel wrote:
> > From: Patrick Colp <patrick.c...@oracle.com>
> >
> > Currently with the TPM2 protector, only SRK mode is supported and
> > NV index support is just a stub. Implement the NV index option.
> >
> > Note: This only extends support on the unseal path. grub2_protect
>
> s/grub2_protect/grub-protect/?
>
Yes, it's grub-protect. Will fix it in the next version.

Gary Lin

> > has not been updated. tpm2-tools can be used to insert a key into
> > the NV index.
> >
> > An example of inserting a key using tpm2-tools:
> >
> > # Get random key.
> > tpm2_getrandom 32 > key.dat
> >
> > # Create primary object.
> > tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx
> >
> > # Create policy object. `pcrs.dat` contains the PCR values to seal
> > against.
> > tpm2_startauthsession -S session.dat
> > tpm2_policypcr -S session.dat -l sha256:7,11 -f pcrs.dat -L policy.dat
> > tpm2_flushcontext session.dat
> >
> > # Seal key into TPM.
> > cat key.dat | tpm2_create -C primary.ctx -u key.pub -r key.priv -L
> > policy.dat -i-
> > tpm2_load -C primary.ctx -u key.pub -r key.priv -n sealing.name -c
> > sealing.ctx
> > tpm2_evictcontrol -C o -c sealing.ctx 0x81000000
> >
> > Then to unseal the key in grub, add this to grub.cfg:
> >
> > tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=7,11
> > cryptomount -u <UUID> --protector tpm2
> >
> > Signed-off-by: Patrick Colp <patrick.c...@oracle.com>
> > Signed-off-by: Gary Lin <g...@suse.com>
> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
>
> Otherwise Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>...
>
> Daniel

Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
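As an added example (not part of the patch, of GRUB, or of tpm2-tools), the following Python recomputes the policy digest that `tpm2_policypcr -l sha256:7,11 -f pcrs.dat -L policy.dat` writes, so an administrator can check offline that a stored policy.dat really binds the PCR 7 and 11 values they expect before relying on `--pcrs=7,11` at boot. It assumes pcrs.dat holds the raw SHA-256 PCR values concatenated in ascending index order (the `tpm2_pcrread -o` layout), that the session was a fresh trial session starting from an all-zero digest, and the PCR values used below are constructed samples.

```python
import hashlib
import struct

TPM_CC_POLICYPCR = 0x0000017F   # TPM_CC_PolicyPCR, mixed into the policy digest
TPM_ALG_SHA256 = 0x000B         # bank identifier for the sha256 PCR bank
SHA256_LEN = 32


def marshal_pcr_selection(pcrs):
    """Marshal a one-bank TPML_PCR_SELECTION: count=1, hashAlg, sizeofSelect=3, bitmap."""
    bitmap = bytearray(3)
    for pcr in pcrs:
        if not 0 <= pcr < 24:
            raise ValueError(f"PCR index out of range: {pcr}")
        bitmap[pcr // 8] |= 1 << (pcr % 8)   # bit i of byte j selects PCR 8*j+i
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcr_values):
    """Digest a fresh trial session holds after TPM2_PolicyPCR over the given PCRs.

    pcr_values maps PCR index -> 32-byte SHA-256 PCR value.
    policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || H(selected values))
    """
    if any(len(v) != SHA256_LEN for v in pcr_values.values()):
        raise ValueError("sha256 bank PCR values must be 32 bytes")
    indices = sorted(pcr_values)           # the TPM hashes values in ascending PCR order
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in indices)).digest()
    h = hashlib.sha256(bytes(SHA256_LEN))  # trial session starts with an all-zero digest
    h.update(struct.pack(">I", TPM_CC_POLICYPCR))
    h.update(marshal_pcr_selection(indices))
    h.update(pcr_digest)
    return h.digest()


def split_pcr_file(data, indices):
    """Split a pcrs.dat blob (assumed tpm2_pcrread -o layout) into {index: value}."""
    if len(data) != SHA256_LEN * len(indices):
        raise ValueError("pcrs.dat size does not match the selected PCR count")
    return {i: data[n * SHA256_LEN:(n + 1) * SHA256_LEN] for n, i in enumerate(sorted(indices))}


def policy_matches(policy_dat, pcrs_dat, indices):
    """True if policy.dat equals the digest recomputed from pcrs.dat for these PCRs."""
    return policy_dat == policy_pcr_digest(split_pcr_file(pcrs_dat, indices))


if __name__ == "__main__":
    # Constructed sample PCR values standing in for a known-good boot's PCR 7 and 11.
    pcrs_dat = bytes([0x11] * SHA256_LEN) + bytes([0x22] * SHA256_LEN)
    expected = policy_pcr_digest(split_pcr_file(pcrs_dat, [7, 11]))
    print("policy digest for sha256:7,11:", expected.hex())
    # A policy computed against different PCR 7 contents must not match.
    tampered = bytes([0x33] * SHA256_LEN) + pcrs_dat[SHA256_LEN:]
    print("matches after PCR 7 change:", policy_matches(expected, tampered, [7, 11]))
```

Feed it the same pcrs.dat you passed to tpm2_policypcr together with the resulting policy.dat; a False from policy_matches means the stored policy binds different PCR contents than the ones you intended to seal against.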