On Fri, Mar 21, 2025 at 03:59:03PM +0800, Gary Lin wrote:
> This commit implements the missing NV index mode support in
> 'grub-protect'. NV index mode stores the sealed key in the TPM
> non-volatile memory (NVRAM) instead of a file. There are two supported
> types of TPM handles.
>
> 1. Persistent handle (0x81000000~0x81FFFFFF)
>    Only the raw format is supported due to the limitation of persistent
>    handles. This 'grub-protect' command seals the key into the
>    persistent handle 0x81000000.
>
>   # grub-protect \
>       --protector=tpm2 \
>       --action=add \
>       --tpm2-bank=sha256 \
>       --tpm2-pcrs=7,11 \
>       --tpm2-keyfile=luks-key \
>       --tpm2-nvindex=0x81000000
>
> 2. NV index handle (0x1000000~0x1FFFFFF)
>    Both TPM 2.0 Key File format and the raw format are supported by NV
>    index handles. Here is the 'grub-protect' command to seal the key in
>    TPM 2.0 Key File format into the NV index handle 0x1000000.
>
>   # grub-protect \
>       --protector=tpm2 \
>       --action=add \
>       --tpm2key \
>       --tpm2-bank=sha256 \
>       --tpm2-pcrs=7,11 \
>       --tpm2-keyfile=luks-key \
>       --tpm2-nvindex=0x1000000
>
> Besides the 'add' action, the corresponding 'remove' action is also
> introduced. To remove the data from a persistent or NV index handle,
> just use '--tpm2-nvindex=HANDLE' combined with '--tpm2-evict'. This
> sample command removes the data from the NV index handle 0x1000000.
>
>   # grub-protect \
>       --protector=tpm2 \
>       --action=remove \
>       --tpm2-evict \
>       --tpm2-nvindex=0x1000000
>
> Also set and check the boolean variables with true/false instead of 1/0.
>
> Signed-off-by: Gary Lin <g...@suse.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>

Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

Daniel
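
Added example, not part of the original thread or of the GRUB code base: a pre-flight check for a '--tpm2-nvindex' value that applies the two handle ranges and the raw-only rule for persistent handles from the commit message above. The function names, the verdict strings, the sample handle list and the choice to stop on an occupied handle are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in the "- 0xHANDLE" list form printed by
# `tpm2_getcap handles-persistent` and `tpm2_getcap handles-nv-index`.
SAMPLE_HANDLES='- 0x81000000
- 0x1000001'

# classify_handle HANDLE: prints persistent, nvindex or invalid,
# using the two ranges given in the commit message.
classify_handle() {
    case "$1" in 0x*|0X*) ;; *) echo invalid; return 0 ;; esac
    hex=${1#0[xX]}
    case "$hex" in ''|*[!0-9a-fA-F]*) echo invalid; return 0 ;; esac
    [ "${#hex}" -le 8 ] || { echo invalid; return 0; }
    val=$((0x$hex))
    if [ "$val" -ge $((0x81000000)) ] && [ "$val" -le $((0x81FFFFFF)) ]; then
        echo persistent
    elif [ "$val" -ge $((0x1000000)) ] && [ "$val" -le $((0x1FFFFFF)) ]; then
        echo nvindex
    else
        echo invalid
    fi
}

# preflight HANDLE FORMAT HANDLE_LIST, FORMAT is raw or tpm2key.
# Prints a verdict; returns 0 only when the add can go ahead.
preflight() {
    kind=$(classify_handle "$1")
    [ "$kind" != invalid ] || { echo bad-range; return 1; }
    # Persistent handles accept the raw format only.
    if [ "$kind" = persistent ] && [ "$2" = tpm2key ]; then
        echo format-unsupported; return 1
    fi
    # Assumption of this example: an occupied handle is a stop condition.
    for h in $(printf '%s\n' "$3" | sed -n 's/^- *\(0x[0-9a-fA-F]*\)$/\1/p'); do
        [ "$(($h))" -ne "$(($1))" ] || { echo in-use; return 1; }
    done
    echo "ok-$kind"
}

preflight 0x1000000 tpm2key "$SAMPLE_HANDLES"   # free NV index, tpm2key allowed
```

On a real system the third argument would be the combined output of the two `tpm2_getcap` queries named in the comment.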

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
