On Mon, Jan 13, 2025 at 11:07:10AM +0800, Gary Lin via Grub-devel wrote:
> Previously, NV index mode only supported persistent handles which are
> only for TPM objects.
>
> On the other hand, the "NV index" handle allows the user-defined data,
> so it can be an alternative to the key file and support TPM 2.0 Key
> File format immediately.
>
> The following tpm2-tools commands store the given key file, sealed.tpm,
> in either TPM 2.0 Key File format or the raw format into the NV index
> handle 0x1000000.
>
> # tpm2_nvdefine -C o \
>     -a "ownerread|ownerwrite" \
>     -s $(stat -c %s sealed.tpm) \
>     0x1000000
> # tpm2_nvwrite -C o -i sealed.tpm 0x1000000
>
> To unseal the key in GRUB, add the 'tpm2_key_protector_init' command to
> grub.cfg:
>
> tpm2_key_protector_init --mode=nv --nvindex=0x1000000
> cryptomount -u <UUID> --protector tpm2
>
> To remove the NV index handle:
>
> # tpm2_nvundefine -C o 0x1000000
>
> Signed-off-by: Gary Lin <g...@suse.com>

Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
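The quoted patch description says the blob stored at NV index 0x1000000 may be either a TPM 2.0 Key File or the raw sealed-object format, so whatever reads the index back has to tell the two apart before it can unseal. The following is an added, stand-alone Python example illustrating that distinction; it is not GRUB's or tpm2-tools' code. It assumes the TPM 2.0 Key File layout from draft-bottomley-tpm2-keys (DER `TPMKey` SEQUENCE with type OID, optional `[0..3]` fields, parent INTEGER, pubkey and privkey OCTET STRINGs; sealed-key OID 2.23.133.10.1.5), assumes the raw format is `TPM2B_PUBLIC || TPM2B_PRIVATE`, and tries the key-file parse first with the raw layout as fallback. The `SAMPLE_PUB`/`SAMPLE_PRIV` bytes and the parent handle `0x81000001` are constructed filler, not real TPM objects; `is_nv_index` checks the TPM_HT_NV_INDEX handle range that the patch's 0x1000000 falls into.

```python
# Added example (not GRUB or tpm2-tools code): recognise the blob a GRUB tpm2
# key protector would find in an NV index, either a TPM 2.0 Key File (DER,
# draft-bottomley-tpm2-keys) or the raw TPM2B_PUBLIC || TPM2B_PRIVATE layout.
import struct

OID_SEALED_KEY = "2.23.133.10.1.5"   # TPMKey.type for a sealed data blob


def is_nv_index(handle):
    """NV index handles occupy the TPM_HT_NV_INDEX range (MSO 0x01)."""
    return 0x01000000 <= handle <= 0x01FFFFFF


# --- minimal DER helpers: encode for the constructed sample, decode for parsing
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, off):
    """Return (tag, value, next_offset); ValueError on any truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[off:off + length], off + length


_OPTIONAL = {0xA0: "emptyAuth", 0xA1: "policy", 0xA2: "secret", 0xA3: "authPolicy"}


def parse_tpm2_key(blob):
    """Parse TPMKey ::= SEQUENCE { type OID, [0..3] EXPLICIT optionals,
    parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }."""
    tag, seq, end = read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a single DER SEQUENCE")
    tag, body, off = read_tlv(seq, 0)
    if tag != 0x06 or not body:
        raise ValueError("TPMKey.type must be an OID")
    key = {"type": decode_oid(body)}
    while off < len(seq) and seq[off] in _OPTIONAL:
        tag, body, off = read_tlv(seq, off)
        _, inner, _ = read_tlv(body, 0)   # EXPLICIT tag: unwrap one layer
        key[_OPTIONAL[tag]] = inner
    tag, body, off = read_tlv(seq, off)
    if tag != 0x02:
        raise ValueError("TPMKey.parent must be an INTEGER")
    key["parent"] = int.from_bytes(body, "big")
    for field in ("pubkey", "privkey"):
        tag, body, off = read_tlv(seq, off)
        if tag != 0x04:
            raise ValueError("TPMKey.%s must be an OCTET STRING" % field)
        key[field] = body
    if off != len(seq):
        raise ValueError("trailing bytes after TPMKey")
    return key


def parse_raw(blob):
    """Assumed raw layout: TPM2B_PUBLIC || TPM2B_PRIVATE, each a big-endian
    UINT16 size followed by exactly that many bytes, and nothing after."""
    def tpm2b(off):
        if off + 2 > len(blob):
            raise ValueError("truncated TPM2B size")
        (n,) = struct.unpack(">H", blob[off:off + 2])
        if off + 2 + n > len(blob):
            raise ValueError("truncated TPM2B body")
        return blob[off + 2:off + 2 + n], off + 2 + n
    pub, off = tpm2b(0)
    priv, off = tpm2b(off)
    if off != len(blob):
        raise ValueError("trailing bytes after TPM2B_PRIVATE")
    return {"pubkey": pub, "privkey": priv}


def load_sealed_blob(blob):
    """Try the TPM 2.0 Key File first, fall back to raw; returns (format, fields)."""
    try:
        return "tpm2key", parse_tpm2_key(blob)
    except (ValueError, IndexError):
        return "raw", parse_raw(blob)


# Constructed stand-ins for a sealed object's TPM2B_PUBLIC / TPM2B_PRIVATE
# bodies; NOT real TPM structures, just recognisable filler for the example.
SAMPLE_PUB = bytes(range(0x20))
SAMPLE_PRIV = b"\xAA" * 48
PARENT = 0x81000001                   # an example persistent parent handle

SAMPLE_TPM2KEY = der(0x30,
    der_oid(OID_SEALED_KEY)
    + der(0xA0, der(0x01, b"\xFF"))                   # emptyAuth TRUE
    + der(0x02, b"\x00" + PARENT.to_bytes(4, "big"))  # parent (positive INTEGER)
    + der(0x04, SAMPLE_PUB)
    + der(0x04, SAMPLE_PRIV))

SAMPLE_RAW = (struct.pack(">H", len(SAMPLE_PUB)) + SAMPLE_PUB
              + struct.pack(">H", len(SAMPLE_PRIV)) + SAMPLE_PRIV)

if __name__ == "__main__":
    for name, blob in (("key-file", SAMPLE_TPM2KEY), ("raw", SAMPLE_RAW)):
        fmt, fields = load_sealed_blob(blob)
        print(name, "->", fmt, {k: v if isinstance(v, (int, str)) else len(v)
                                for k, v in fields.items()})
```

Both parsers reject trailing bytes, so the blob read back has to be exactly the file that was written, which is the reason the patch sizes the index with `-s $(stat -c %s sealed.tpm)` rather than a round number. A raw blob cannot be mistaken for a key file because its first two bytes are a `TPM2B_PUBLIC` size, not a DER SEQUENCE tag, and the key-file parse fails before the raw fallback runs.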