On Thu, Mar 13, 2025 at 02:42:15PM +0100, Daniel Kiper wrote:
> On Mon, Jan 13, 2025 at 11:07:04AM +0800, Gary Lin via Grub-devel wrote:
> > A PCR mismatch is one common cause of TPM key unsealing failure. Since the
> > system may be compromised, it is not safe to boot into the OS to get the PCR
> > values and TPM event log for further investigation.
> >
> > To provide some hints, GRUB now dumps PCRs on policy failure, so the user
> > can check the current PCR values. PCRs 0~15 are chosen to cover the
> > firmware, bootloader, and OS.
> >
> > The sample output:
> >
> > PCR Mismatching! Check firmware and bootloader before typing passphrase!
> 
> s/Mismatching/Mismatch/
> 
> This suggests that this dump may not be produced by the code below.
> Please fix it as needed.
> 
Urgh, I forgot to update the commit message.

> > TPM PCR [sha256]:
> >   00: 115c89bfa0e59e050cda5d2664031d225305f3582cf0c2afcb7c1f1ac2a7cf8d
> >   01: 079b3eadca25e10248daea4b1d508e5cfb703db28386be809a0b375c0a0a80a5
> >   02: 2cd8ec3de6a07e1fd39676100db57ba62372e820c19812fee55899f65746e192
> >   03: 9423b585d4eac05c97a0c06bca8898ad0ca519a6b810dcb91129bcdc10f4b112
> >   04: fa36bf5c9110d3891f040e2146d157484cd41123fa8faf4bc6b91db3d12b70ca
> >   05: 13e9ea9e38e5258e6ee2b6ae94a3cece0137490ef95c65caaac10cdf5e1bc40d
> >   06: 3ac10d749054a818806788f4e4eaa2fb4dd7d13ce0e99dc175145b63c34bb71c
> >   07: a6657a60f77928cad614a7ad153ab9ae0bed48e33b70348ae11a26762002b3bc
> >   08: 42e04f5bac1965535cb6bdb30c62bb199b1ba21d1ec6b22d0da159dfc925b8bb
> >   09: 5c83e8be79d4a432e6d409610de389ee6f1ac0c193f38d84a9ff94f360bd458b
> >   10: 0000000000000000000000000000000000000000000000000000000000000000
> >   11: 0000000000000000000000000000000000000000000000000000000000000000
> >   12: 0000000000000000000000000000000000000000000000000000000000000000
> >   13: 0000000000000000000000000000000000000000000000000000000000000000
> >   14: 894dd8e4ca1bb62e055f674f9390a39c4643ebdd1014702feef000c47e36a003
> >   15: 0000000000000000000000000000000000000000000000000000000000000000
> >   16: 0000000000000000000000000000000000000000000000000000000000000000
> >   17: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   18: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   19: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   20: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   21: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   22: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >   23: 0000000000000000000000000000000000000000000000000000000000000000
> > error: failed to unseal sealed key (TPM2_Unseal: 0x99d).
> > error: no key protector provided a usable key for luks (af16e48f-746b-4a12-aae1-c14dcee429e0).
> >
> > If the user happens to have the PCR values for key sealing, the PCR dump
> > can be used to identify the changed PCRs and narrow down the scope for
> > closer inspection.
> >
> > Please note that the PCR dump is trustworthy only if the GRUB binary is
> > authentic, so the user has to check the GRUB binary thoroughly before
> > using the PCR dump.
> >
> > Signed-off-by: Gary Lin <g...@suse.com>
> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> 
> If you fix the nit mentioned above you can add my RB to this patch.
>
I'll update the commit message and add your RB.

Thanks,

Gary Lin
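
The commit message describes comparing the dump against the PCR values recorded at seal time to find which PCRs changed. The script below is an added example written for this reply, not code from the patch or from GRUB: it parses the dump format shown above (the "TPM PCR [sha256]:" header followed by "NN: <hex>" lines, ignoring the warning and "error:" lines around it), parses a seal-time record in the "sha256:" / "  0 : 0x..." layout that tpm2_pcrread prints (an assumed format), and reports each PCR in the sealing policy whose current value differs. The sample dump and seal record are constructed; the PCR_HINT table is the usual TCG PC Client assignment and is only a pointer for where to look next.

```python
"""Added example (not GRUB code): diff the PCR dump GRUB prints on a
TPM2 policy failure against PCR values saved when the key was sealed."""
import re
from typing import Dict, List, Optional, Tuple

# Digest length in hex characters for the bank named in the dump header.
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64, "sha384": 96, "sha512": 128}

# Rough owner of each PCR under the TCG PC Client conventions; GRUB itself
# measures commands into PCR 8 and loaded files into PCR 9.
PCR_HINT = {
    0: "firmware code", 1: "firmware configuration", 2: "option ROMs",
    3: "option ROM configuration", 4: "boot manager / bootloader binary",
    5: "boot manager configuration, GPT", 7: "Secure Boot policy and certs",
    8: "GRUB commands", 9: "files loaded by GRUB (kernel, initrd, config)",
    14: "shim MOK state",
}

# Leading "> " quote markers are tolerated so a dump pasted from mail parses.
HEADER_RE = re.compile(r"^(?:>\s*)*TPM PCR \[(\w+)\]:\s*$")
DUMP_RE = re.compile(r"^(?:>\s*)*\s*(\d{1,2}):\s*([0-9a-fA-F]+)\s*$")
BANK_RE = re.compile(r"^(\w+):\s*$")
PCRREAD_RE = re.compile(r"^\s*(\d{1,2})\s*:\s*0x([0-9a-fA-F]+)\s*$")


def parse_grub_pcr_dump(text: str) -> Tuple[str, Dict[int, str]]:
    """Return (bank, {pcr_index: lowercase hex}) from GRUB's dump text.
    Text before the header and the trailing 'error:' lines are skipped;
    a digest of the wrong length for the bank raises ValueError."""
    bank: Optional[str] = None
    pcrs: Dict[int, str] = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            bank = m.group(1).lower()
            continue
        if bank is None:
            continue
        m = DUMP_RE.match(line)
        if not m:
            continue
        idx, digest = int(m.group(1)), m.group(2).lower()
        want = DIGEST_HEX_LEN.get(bank)
        if want is not None and len(digest) != want:
            raise ValueError(f"PCR {idx}: {len(digest)} hex chars, expected {want} for {bank}")
        pcrs[idx] = digest
    if bank is None:
        raise ValueError("no 'TPM PCR [...]' header found")
    return bank, pcrs


def parse_tpm2_pcrread(text: str, bank: str) -> Dict[int, str]:
    """Parse seal-time PCR values. Assumed layout is the one tpm2_pcrread
    prints ('sha256:' then '  0 : 0x...'); only `bank` is returned."""
    pcrs: Dict[int, str] = {}
    in_bank = False
    for line in text.splitlines():
        m = BANK_RE.match(line)
        if m:
            in_bank = m.group(1).lower() == bank
            continue
        m = PCRREAD_RE.match(line)
        if m and in_bank:
            pcrs[int(m.group(1))] = m.group(2).lower()
    return pcrs


def pcr_state(digest: str) -> str:
    """Classify a value: all zeros means never extended since TPM reset;
    all ones is the reset state of the D-RTM PCRs 17-22 on PC Client TPM 2.0."""
    if set(digest) == {"0"}:
        return "never extended"
    if set(digest) == {"f"}:
        return "reset state (all ones)"
    return "extended"


def diff_pcrs(current: Dict[int, str], expected: Dict[int, str]) -> List[Tuple[int, str, Optional[str]]]:
    """[(index, expected, current)] for every PCR in the sealing policy whose
    value differs; a policy PCR missing from the dump is reported with None."""
    return [(i, expected[i], current.get(i)) for i in sorted(expected)
            if current.get(i) != expected[i]]


# Constructed sample dump in the format shown in the patch description.
SAMPLE_DUMP = "\n".join([
    "PCR Mismatch! Check firmware and bootloader before typing passphrase!",
    "TPM PCR [sha256]:",
    "  00: " + "11" * 32,
    "  04: " + "44" * 32,   # bootloader binary changed since sealing
    "  07: " + "77" * 32,
    "  08: " + "88" * 32,
    "  09: " + "99" * 32,   # kernel/initrd changed since sealing
    "  10: " + "00" * 32,
    "  17: " + "ff" * 32,
    "error: failed to unseal sealed key (TPM2_Unseal: 0x99d).",
])
# Constructed seal-time record (assumed tpm2_pcrread layout); PCR 14 is in
# the policy but absent from the dump, which must also be flagged.
SAMPLE_SEAL_RECORD = "\n".join([
    "sha1:", "  0 : 0x" + "AA" * 20,
    "sha256:",
    "  0 : 0x" + "11" * 32, "  4 : 0x" + "4A" * 32,
    "  7 : 0x" + "77" * 32, "  9 : 0x" + "9B" * 32,
    "  14 : 0x" + "EE" * 32,
])


def analyze(dump_text: str = SAMPLE_DUMP, seal_text: str = SAMPLE_SEAL_RECORD):
    bank, current = parse_grub_pcr_dump(dump_text)
    return bank, diff_pcrs(current, parse_tpm2_pcrread(seal_text, bank))


if __name__ == "__main__":
    bank, mismatches = analyze()
    print(f"bank: {bank}")
    for idx, exp, cur in mismatches:
        got = "absent from dump" if cur is None else f"{cur[:16]}... ({pcr_state(cur)})"
        print(f"PCR {idx:2d} differs [{PCR_HINT.get(idx, 'OS use')}]: expected {exp[:16]}... got {got}")
    if not mismatches:
        print("all policy PCRs match; inspect the policy itself rather than the PCRs")
```

Only PCRs that appear in the seal-time record are compared, since a PCR outside the policy's selection cannot cause the unseal to fail; as the commit message says, the dump is only worth reading after the GRUB binary that printed it has been verified.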

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel