On Thu, Mar 13, 2025 at 03:17:24PM +0100, Daniel Kiper wrote:
> On Mon, Jan 13, 2025 at 11:07:11AM +0800, Gary Lin via Grub-devel wrote:
> > This commit implements the missing NV index mode support in
> > 'grub-protect'. NV index mode stores the sealed key in the TPM
> > non-volatile memory (NVRAM) instead of a file. There are two supported
> > types of TPM handles.
> >
> > 1. Persistent handle (0x81000000~0x81FFFFFF)
> >    TPM 2.0 Key File format (--tpm2key) is not supported due to the
> >    limitation of persistent handles. This 'grub-protect' command
> >    seals the key into the persistent handle 0x81000000.
> 
> It seems to me these two sentences are contradicting one another.
> I think at least one of them should be expanded or rephrased.
> 
I'll rephrase it like:

"Only the raw format is supported due to the limitation of persistent
handles"

> >   # grub-protect \
> >       --protector=tpm2 \
> >       --action=add \
> >       --tpm2-bank=sha256 \
> >       --tpm2-pcrs=7,11 \
> >       --tpm2-keyfile=luks-key \
> >       --tpm2-nvindex=0x81000000
> >
> > 2. NV index handle (0x1000000~0x1FFFFFF)
> >    Both TPM 2.0 Key File format and the raw format are supported by NV
> >    index handles. Here is the 'grub-protect' command to seal the key in
> >    TPM 2.0 Key File format into the NV index handle 0x1000000.
> >
> >   # grub-protect \
> >       --protector=tpm2 \
> >       --action=add \
> >       --tpm2key \
> >       --tpm2-bank=sha256 \
> >       --tpm2-pcrs=7,11 \
> >       --tpm2-keyfile=luks-key \
> >       --tpm2-nvindex=0x1000000
> >
> > Besides the 'add' action, the corresponding 'remove' action is also
> > introduced. To remove the data from a persistent or NV index handle,
> > just use '--tpm2-nvindex=HANDLE' combining with '--tpm2-evict'. This
> > sample command removes the data from the NV index handle 0x1000000.
> >
> >   # grub-protect \
> >       --protector=tpm2 \
> >       --action=remove \
> >       --tpm2-evict \
> >       --tpm2-nvindex=0x1000000
> >
> > Signed-off-by: Gary Lin <g...@suse.com>
> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> > ---
> >  util/grub-protect.c | 343 ++++++++++++++++++++++++++++++++++++--------
> >  1 file changed, 287 insertions(+), 56 deletions(-)
> >
> > diff --git a/util/grub-protect.c b/util/grub-protect.c
> > index 5b7e952f4..40d4a3fc5 100644
> > --- a/util/grub-protect.c
> > +++ b/util/grub-protect.c
> 
> [...]
> 
> > +static grub_err_t
> > +protect_tpm2_remove (protect_args_t *args)
> > +{
> >    grub_err_t err;
> >
> > -  if (args->tpm2_evict == 0)
> > +  if (args->tpm2_evict == false)
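
Review bot: The switch from `== 0` to `== false` on `args->tpm2_evict` in protect_tpm2_remove() is a cleanup that the commit message, which only describes NV index support, does not cover, and it implies the field is now a boolean, which this hunk does not show. Either note the type change in the commit message or move it into a separate preparatory patch. If the field is a boolean, `if (!args->tpm2_evict)` would also be the more direct test.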
> 
> I am OK with changes like this one but they should be documented in the
> commit message.
> 
Sure, I'll address such changes in the commit message.

Gary Lin

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
