On Mon, Jan 13, 2025 at 11:07:13AM +0800, Gary Lin via Grub-devel wrote: > This commit updates the NV index mode section and the grub-protect > section to reflect the recent changes in TPM2 key protector and > grub-protect. > > Signed-off-by: Gary Lin <g...@suse.com> > --- > docs/grub.texi | 189 +++++++++++++++++++++++++++++++++++++++++++------ > 1 file changed, 167 insertions(+), 22 deletions(-) > > diff --git a/docs/grub.texi b/docs/grub.texi > index aba43e35e..8a8a23e44 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi 
> @@ -9044,46 +9044,121 @@ When/After the shim or GRUB are updated, it only > requires to run the last > @subsection NV index mode > > Instead of storing the sealed key in a file, NV index mode uses the TPM > -non-volatile memory to store the sealed key. > +non-volatile memory to store the sealed key and could be useful when > accessing > +the file is not possible. > > -The following sample commands use tpm2-tools > (@url{https://github.com/tpm2-software/tpm2-tools}) > -commands to seal @file{luks.key} into the specific NV index: > @kbd{0x81000000}. > +However, the Linux root user must be careful who she/he gives access to the > +TPM (tss group) since those users will also be able to modify the NV index > +that's holding the key. > > -First, we need to create the object file for the primary key, i.e. storage > -root key (SRK) with the default key settings in GRUB: SHA256 hash algorithm > -and ECC key algorithm. > +There are two types of TPM handles supported by NV index mode: persistent > +handle and NV index handle. > + > +@subsubsection Persistent handle > + > +The range of persistent handles is from @kbd{0x81000000} to @kbd{0x81FFFFFF}. > +The persistent handle is designed to make TPM objects persistent through > +power cycles, and only TPM objects, such as RSA or EC keys, are accepted. > +Thus, TPM 2.0 Key File format is not supported by persistent handles. The > +following shows the @command{grub-protect} command to seal the disk key > +@file{luks.key} into the persistent handle @kbd{0x81000000} with the PCRs > +@kbd{0,2,4,7}.
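Review bot: the last paragraph of the hunk says persistent handles accept only TPM objects and that "TPM 2.0 Key File format is not supported by persistent handles", then in the next sentence describes sealing @file{luks.key} into persistent handle @kbd{0x81000000}; the text should say in what form the sealed key is stored in that handle (the object type @command{grub-protect} creates there) so the reader does not read the two sentences as a contradiction. The earlier warning that members of the tss group can modify the NV index holding the key should also state whether the same applies to a persistent handle, since the new subsubsection introduces that case without repeating or qualifying the caveat. Minor: "could be useful when accessing the file is not possible" and "careful who she/he gives access to the TPM" read awkwardly; "when the file cannot be accessed" and "careful about who is given access to the TPM" would be clearer.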
Again, this paragraph seems to contain contradictory sentences. I think the missing part is an explanation of what kind of format is used to store luks.key if the "TPM 2.0 Key File format is not supported".

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel