On Mon, Jan 13, 2025 at 11:07:04AM +0800, Gary Lin via Grub-devel wrote: > PCR mismatching is one common cause of TPM key unsealing fail. Since the > system may be compromised, it is not safe to boot into OS to get the PCR > values and TPM eventlog for the further investigation. > > To provide some hints, GRUB now dumps PCRs on policy fail, so the user > can check the current PCR values. PCR 0~15 are chosen to cover the > firmware, bootloader, and OS. > > The sample output: > > PCR Mismatching! Check firmware and bootloader before typing passphrase!
s/Mismatching/Mismatch/ This suggests that this dump may not be produced by the code below. Please fix it as needed. > TPM PCR [sha256]: > 00: 115c89bfa0e59e050cda5d2664031d225305f3582cf0c2afcb7c1f1ac2a7cf8d > 01: 079b3eadca25e10248daea4b1d508e5cfb703db28386be809a0b375c0a0a80a5 > 02: 2cd8ec3de6a07e1fd39676100db57ba62372e820c19812fee55899f65746e192 > 03: 9423b585d4eac05c97a0c06bca8898ad0ca519a6b810dcb91129bcdc10f4b112 > 04: fa36bf5c9110d3891f040e2146d157484cd41123fa8faf4bc6b91db3d12b70ca > 05: 13e9ea9e38e5258e6ee2b6ae94a3cece0137490ef95c65caaac10cdf5e1bc40d > 06: 3ac10d749054a818806788f4e4eaa2fb4dd7d13ce0e99dc175145b63c34bb71c > 07: a6657a60f77928cad614a7ad153ab9ae0bed48e33b70348ae11a26762002b3bc > 08: 42e04f5bac1965535cb6bdb30c62bb199b1ba21d1ec6b22d0da159dfc925b8bb > 09: 5c83e8be79d4a432e6d409610de389ee6f1ac0c193f38d84a9ff94f360bd458b > 10: 0000000000000000000000000000000000000000000000000000000000000000 > 11: 0000000000000000000000000000000000000000000000000000000000000000 > 12: 0000000000000000000000000000000000000000000000000000000000000000 > 13: 0000000000000000000000000000000000000000000000000000000000000000 > 14: 894dd8e4ca1bb62e055f674f9390a39c4643ebdd1014702feef000c47e36a003 > 15: 0000000000000000000000000000000000000000000000000000000000000000 > 16: 0000000000000000000000000000000000000000000000000000000000000000 > 17: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 18: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 19: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 20: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 21: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 22: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff > 23: 0000000000000000000000000000000000000000000000000000000000000000 > error: failed to unseal sealed key (TPM2_Unseal: 0x99d). > error: no key protector provided a usable key for luks > (af16e48f-746b-4a12-aae1-c14dcee429e0). > > If the user happens to have the PCR values for key sealing, the PCR dump > can be used to identify the changed PCRs and narrow down the scope for > closer inspection. > > Please note that the PCR dump is trustworthy only if the GRUB binary is > authentic, so the user has to check the GRUB binary thoroughly before > using the PCR dump. > > Signed-off-by: Gary Lin <g...@suse.com> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com> If you fix the nit mentioned above you can add my RB to this patch. Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
