On Thu, Nov 07, 2024 at 12:11:15PM -0500, James Bottomley wrote:
> On Wed, 2024-11-06 at 18:48 -0500, Stefan Berger wrote:
> >
> > On 11/4/24 2:32 AM, Gary Lin via Grub-devel wrote:
> > > Update the user manual to address TPM2 key protector including the two
> > > related commands, tpm2_key_protector_init and tpm2_key_protector_clear,
> > > and the user-space utility: grub-protect.
> > >
> > > Signed-off-by: Gary Lin <g...@suse.com>
> > > ---
> >
> > > +@example
> > > +# @kbd{dd if=/dev/urandom of=luks.key bs=1 count=128}
> > > +# @kbd{cryptsetup luksAddKey /dev/sda2 luks.key --pbkdf=pbkdf2 --hash=sha512}
> > > +@end example
> > > +
> > > +@subsection SRK mode
> > > +
> > > +To unlock the partition with SRK mode, assume that the sealed key is in
> > > +@file{(hd0,gpt1)/efi/grub/sealed.tpm}, the following GRUB commands
> > > +unseal the disk key with SRK mode and supply it to @command{cryptomount}.
> > > +
> > > +@example
> > > +grub> @kbd{tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed.tpm}
> > > +grub> @kbd{cryptomount -u <UUID> -P tpm2}
> > > +@end example
> >
> > You may also want to give an example with --tpm2key= because it will go
> > along with the grub-protect --tpm2key option that you show. And you may
> > want to point that out to the user when showing grub-protect with
> > --tpm2key, because otherwise the key created by grub-protect --tpm2key
> > cannot be read since the key formats (there are 2 key formats) do not
> > match and you'd need some sort of troubleshooting section...
>
> I've said previously since nothing seems to use the non-standard keys,
> there's no real reason to code them in a release.

There are some running systems using the old '-k' option (raw format) and
some using '-T' (TPM 2.0 Key File), so I tend to keep both options.
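Review bot: the sentence introducing the SRK mode example is a run-on ("assume that the sealed key is in ..., the following GRUB commands unseal ..."); suggest "Assuming the sealed key is in @file{(hd0,gpt1)/efi/grub/sealed.tpm}, the following GRUB commands unseal the disk key in SRK mode and pass it to @command{cryptomount}." The example also shows only tpm2_key_protector_init --keyfile=; since grub-protect writes two key formats (the raw '-k' output and the TPM 2.0 Key File output of --tpm2key) and a --tpm2key file cannot be read through --keyfile=, the manual should say which grub-protect option produced sealed.tpm here, or add a parallel --tpm2key= example beside it.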
> However, even if you have them, the standard TPM key format is designed to
> be completely recognizable, since they should always begin 0x30 and have the
> hex string 06066781050a (that's OBJECT :2.23.133.10.1.5) embedded at offset
> 2 or 3 (depending on how long the initial SEQUENCE is), so you should be
> able to scan the file and recognize that it's a standard TPM key.
>

Thanks for the hint. This is certainly a nice improvement for the key file
options.

Gary Lin
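As an added illustration of the recognition test James describes (this is example code written for this page, not code from the thread, from GRUB or from grub-protect), the following Python checks whether a sealed-key file opens with a DER SEQUENCE that carries the sealedData OID, and generalizes the "offset 2 or 3" rule to any definite-length SEQUENCE header (offset 2, 3 or 4). The sample files it builds are constructed; the inner fields of that sample (a parent INTEGER and two OCTET STRINGs) are an assumption about the file layout, not something this thread states.

```python
# DER encoding of OBJECT IDENTIFIER 2.23.133.10.1.5 (tpmkey sealedData):
# tag 0x06, length 0x06, then the arcs; the thread quotes its first six
# bytes, 06066781050a.
SEALED_DATA_OID = bytes.fromhex("0606" "67" "8105" "0a" "01" "05")


def der_header(blob: bytes, offset: int = 0):
    """Parse a definite-length DER tag/length at `offset`.
    Returns (tag, length, content_offset), or None if malformed."""
    if len(blob) < offset + 2:
        return None
    tag, first = blob[offset], blob[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, offset + 2
    nbytes = first & 0x7F                 # long form: 0x8N, then N bytes
    if nbytes == 0 or nbytes > 4 or len(blob) < offset + 2 + nbytes:
        return None                       # indefinite or absurd length
    length = int.from_bytes(blob[offset + 2:offset + 2 + nbytes], "big")
    return tag, length, offset + 2 + nbytes


def detect_key_format(blob: bytes) -> str:
    """'tpm2key' for a sealed TPM 2.0 Key File, 'der' for some other DER
    SEQUENCE, 'raw' for anything that is not DER (legacy -k output)."""
    hdr = der_header(blob)
    if hdr is None or hdr[0] != 0x30:     # a key file opens with SEQUENCE
        return "raw"
    body = hdr[2]                         # 2, 3 or 4, per the length form
    if blob[body:body + len(SEALED_DATA_OID)] == SEALED_DATA_OID:
        return "tpm2key"
    return "der"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used here only to build constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_tpm2key(priv_size: int) -> bytes:
    """Constructed TPMKey-shaped file (layout assumed): SEQUENCE { type OID,
    parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }; priv_size
    steers the outer length between short and long form."""
    parent = der(0x02, (0x81000001).to_bytes(5, "big"))   # persistent SRK
    return der(0x30, SEALED_DATA_OID + parent
               + der(0x04, b"\x00" * 16) + der(0x04, b"\x00" * priv_size))
```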