On Thu, Mar 13, 2025 at 03:27:47PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:13AM +0800, Gary Lin via Grub-devel wrote: > > This commit updates the NV index mode section and the grub-protect > > section to reflect the recent changes in TPM2 key protector and > > grub-protect. > > > > Signed-off-by: Gary Lin <g...@suse.com> > > --- > > docs/grub.texi | 189 +++++++++++++++++++++++++++++++++++++++++++------ > > 1 file changed, 167 insertions(+), 22 deletions(-) > > > > diff --git a/docs/grub.texi b/docs/grub.texi > > index aba43e35e..8a8a23e44 100644 > > --- a/docs/grub.texi > > +++ b/docs/grub.texi 
> > @@ -9044,46 +9044,121 @@ When/After the shim or GRUB are updated, it only > > requires to run the last > > @subsection NV index mode > > > > Instead of storing the sealed key in a file, NV index mode uses the TPM > > -non-volatile memory to store the sealed key. > > +non-volatile memory to store the sealed key and could be useful when > > accessing > > +the file is not possible. > > > > -The following sample commands use tpm2-tools > > (@url{https://github.com/tpm2-software/tpm2-tools}) > > -commands to seal @file{luks.key} into the specific NV index: > > @kbd{0x81000000}. > > +However, the Linux root user must be careful who she/he gives access to the > > +TPM (tss group) since those users will also be able to modify the NV index > > +that's holding the key. > > > > -First, we need to create the object file for the primary key, i.e. storage > > -root key (SRK) with the default key settings in GRUB: SHA256 hash algorithm > > -and ECC key algorithm. > > +There are two types of TPM handles supported by NV index mode: persistent > > +handle and NV index handle. > > + > > +@subsubsection Persistent handle > > + > > +The range of persistent handles is from @kbd{0x81000000} to > > @kbd{0x81FFFFFF}. > > +The persistent handle is designed to make TPM objects persistent through > > +power cycles, and only TPM objects, such as RSA or EC keys, are accepted. > > +Thus, TPM 2.0 Key File format is not supported by persistent handles. The > > +following shows the @command{grub-protect} command to seal the disk key > > +@file{luks.key} into the persistent handle @kbd{0x81000000} with the PCRs > > +@kbd{0,2,4,7}. > Again, this paragraph seems to contain contradicting sentences. I think > the missing part is an explanation of what kind of format is used to store > luks.key if the "TPM 2.0 Key File format is not supported". > I'll change it to "only the raw format is supported".
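Review bot: The tss group warning in this hunk ("those users will also be able to modify the NV index that's holding the key") states only half of the threat model: it should say what a user with TPM access can do to the persistent handle or NV index (overwrite or evict the sealed key, which denies boot) as opposed to what the PCR policy the key is sealed with (PCRs 0,2,4,7 in the example) still guards, and whether grub-protect attaches an authorization value or policy to the handle so that tss membership alone is not enough to replace it. If it does not, recommend keeping tss group membership minimal instead of leaving it at "must be careful"; "she/he" also reads better as "they". Two smaller points: the hunk drops the sentence giving GRUB's default SRK settings (SHA256 hash algorithm, ECC key algorithm) together with the tpm2-tools sample, and if grub-protect now creates the primary key itself those defaults should still be stated somewhere in this section, since a reader sealing a key by other means needs them to produce something GRUB can unseal. And "could be useful when accessing the file is not possible" should name the file (the sealed key file) and the situation meant, for example the key file not being reachable at the point GRUB needs it. Daniel's point stands: "only TPM objects, such as RSA or EC keys, are accepted" followed by "TPM 2.0 Key File format is not supported" reads as a contradiction until the paragraph says which format the persistent handle does hold; naming it as the raw sealed object resolves that.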
Gary Lin

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel