git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v5

This patchset is a collection of several enhancements for the TPM2 key
protector.

* Patch 1 introduces the PCR dump to help debug policy failures.
* Patch 2 adds a new command to dump PCRs in the GRUB shell and the
  documentation of the command.
* Patch 3 fixes a minor issue in tss2.
* Patches 4-7 extend the NV index mode to support 'NV index' handles
  and the TPM 2.0 Key File format.
  - Thanks to James Bottomley for how to detect the TPM 2.0 Key File format.
    https://lists.gnu.org/archive/html/grub-devel/2024-11/msg00078.html
* Patches 8-11 update the test cases and the documentation for NV index
  mode.
* Patch 12 documents the external packages needed for the TPM2 key protector
  tests.
* Patch 13 addresses the long options for tpm2_key_protector_init.

v5:
- Updating the TPM2 test script to exit with 1 when a test case fails
- Fixing the string matching in the TPM2 test script
- Adding the long options for tpm2_key_protector_init in the document

v4:
- Updating the commit messages and the documentation
- Merging the tpm2_dump_pcr documentation patch
- Splitting the testcase patch into 3 smaller patches
- Documenting the external packages needed for TPM2 key protector tests

v3:
- Amending the function names to make them more comprehensive
- Fixing a few more typos and the indentations
- Improving the document

v2:
- Amending the commit messages and the error messages
- Fixing the return values and the checks for 'bool'
- Removing 'policywrite' when defining the NV index handle
- Fixing the typo and the stray whitespace
- Removing grub_tpm2_flushcontext() from the functions to remove
  the persistent handle and the NV index handle
- Avoiding one failure test case to stop the whole test
- Improving the document

Gary Lin (13):
  tpm2_key_protector: dump PCRs on policy fail
  tpm2_key_protector: Add 'tpm2_dump_pcr' command
  tss2: Fix the missing authCommand
  tss2: Add TPM 2.0 NV index commands
  tpm2_key_protector: Unseal key from a buffer
  tpm2_key_protector: Support NV index handles
  util/grub-protect: Support NV index mode
  tests/tpm2_key_protector_test: Simplify the NV index mode test
  tests/tpm2_key_protector_test: Reset 'ret' on fail
  tests/tpm2_key_protector_test: Add more NV index mode tests
  docs: Update NV index mode of TPM2 key protector
  INSTALL: Document the packages needed for TPM2 key protector tests
  docs: Document the long options of tpm2_key_protect_init

 INSTALL                                       |   1 +
 docs/grub.texi                                | 216 +++++++++--
 .../commands/tpm2_key_protector/module.c      | 345 +++++++++++++++---
 grub-core/lib/tss2/tpm2_cmd.c                 | 211 ++++++++++-
 grub-core/lib/tss2/tpm2_cmd.h                 |  32 ++
 grub-core/lib/tss2/tss2_mu.c                  |  39 ++
 grub-core/lib/tss2/tss2_mu.h                  |  12 +
 grub-core/lib/tss2/tss2_types.h               |   6 +
 tests/tpm2_key_protector_test.in              | 161 +++-----
 util/grub-protect.c                           | 343 ++++++++++++++---
 10 files changed, 1126 insertions(+), 240 deletions(-)

Range-diff against v4:
 -:  --------- >  1:  bbd534f6b tpm2_key_protector: dump PCRs on policy fail
 -:  --------- >  2:  a0c949ba8 tpm2_key_protector: Add 'tpm2_dump_pcr' command
 -:  --------- >  3:  bbd4ad377 tss2: Fix the missing authCommand
 1:  d2fba3963 !  4:  b7204597d tss2: Add TPM 2.0 NV index commands
    @@ Commit message
     
         Signed-off-by: Gary Lin <g...@suse.com>
         Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
    +    Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
     
      ## grub-core/lib/tss2/tpm2_cmd.c ##
     @@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_testparms (const 
TPMT_PUBLIC_PARMS_t *parms,
 2:  9b7ebc818 !  5:  13d22cfbf tpm2_key_protector: Unseal key from a buffer
    @@ Commit message
         Besides this, to avoid introducing more options for the NV index mode,
         the file format is detected automatically before unmarshalling the 
data,
         so there is no need to use the command option to specify the file 
format
    -    anymore. In other words, '--tpm2key' and '--keyfile' are the same now.
    +    anymore. In other words, '-T' and '-k' are the same now.
     
         Also update grub.text to address the change.
     
 3:  c78c78763 =  6:  a5da556bf tpm2_key_protector: Support NV index handles
 4:  10eb6a6b0 !  7:  93262aafe util/grub-protect: Support NV index mode
    @@ Commit message
     
         Signed-off-by: Gary Lin <g...@suse.com>
         Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
    +    Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
     
      ## util/grub-protect.c ##
     @@ util/grub-protect.c: typedef enum protect_opt
 5:  3d5836268 !  8:  f3d54722f tests/tpm2_key_protector_test: Simplify the NV index mode test
    @@ Commit message
         'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'.
     
         Signed-off-by: Gary Lin <g...@suse.com>
    +    Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
    +    Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
     
      ## tests/tpm2_key_protector_test.in ##
     @@ tests/tpm2_key_protector_test.in: EOF
 6:  b835df89e <  -:  --------- tests/tpm2_key_protector_test: Reset 'ret' on fail
 -:  --------- >  9:  717d11f22 tests/tpm2_key_protector_test: Reset 'ret' on fail
 7:  4c0cc50a5 ! 10:  a37b136a7 tests/tpm2_key_protector_test: Add more NV index mode tests
    @@ Commit message
         unsealing with the NV index handle 0x1000000.
     
         Signed-off-by: Gary Lin <g...@suse.com>
    +    Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
     
      ## tests/tpm2_key_protector_test.in ##
     @@ tests/tpm2_key_protector_test.in: EOF
    @@ tests/tpm2_key_protector_test.in: EOF
     +    extra_opt=""
     +    extra_grub_opt=""
     +
    -+    if [ "$handle_type" == "nvindex" ]; then
    ++    if [ "$handle_type" = "nvindex" ]; then
     +  nv_index="0x1000000"
     +    else
     +  nv_index="0x81000000"
     +    fi
     +
    -+    if [ "$key_type" == "tpm2key" ]; then
    ++    if [ "$key_type" = "tpm2key" ]; then
     +  extra_opt="--tpm2key"
     +    else
     +  extra_grub_opt="--pcrs=0,1"
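Review bot: replacing `==` with `=` inside the two `[ ... ]` tests (`"$handle_type" = "nvindex"` and `"$key_type" = "tpm2key"`) is the right fix, since `==` inside `[` is a bash extension and a POSIX sh such as dash rejects it; the behaviour is unchanged under bash. Worth a quick grep of the rest of the script for any remaining `==` comparisons so the whole file is consistent.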
    @@ tests/tpm2_key_protector_test.in: tpm2_seal_unseal_nv() {
      if cryptomount -a --protector tpm2; then
          cat (crypto0)+1
      fi
    -@@ tests/tpm2_key_protector_test.in: srktests+=("ECC transient 
fallback_srk")
    +@@ tests/tpm2_key_protector_test.in: exit_status=0
      for i in "${!srktests[@]}"; do
          tpm2_seal_unseal ${srktests[$i]} || ret=$?
          if [ "${ret}" -eq 0 ]; then
    @@ tests/tpm2_key_protector_test.in: srktests+=("ECC transient 
fallback_srk")
     -        echo "TPM2 [${srktests[$i]}]: FAIL"
     +  echo "TPM2 [SRK][${srktests[$i]}]: FAIL"
        ret=0
    +   exit_status=1
          else
     -  echo "Unexpected failure [${srktests[$i]}]" >&2
     +  echo "Unexpected failure [SRK][${srktests[$i]}]" >&2
    @@ tests/tpm2_key_protector_test.in: srktests+=("ECC transient 
fallback_srk")
     -elif [ "${ret}" -eq 1 ]; then
     -    echo "TPM2 [NV Index]: FAIL"
     -    ret=0
    +-    exit_status=1
     -else
     -    echo "Unexpected failure [NV index]" >&2
     -    exit ${ret}
    @@ tests/tpm2_key_protector_test.in: srktests+=("ECC transient 
fallback_srk")
     +    elif [ "${ret}" -eq 1 ]; then
     +  echo "TPM2 [NV Index][${nvtests[$i]}]: FAIL"
     +  ret=0
    ++  exit_status=1
     +    else
     +  echo "Unexpected failure [NV index][${nvtests[$i]}]" >&2
     +  exit ${ret}
     +    fi
     +done
      
    - exit 0
    + exit ${exit_status}
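Review bot: the `exit_status=1` lines added in the FAIL branches of both the SRK and NV index loops, together with `exit ${exit_status}` replacing `exit 0`, make an expected test failure finally propagate to the caller instead of being masked, while `ret=0` still resets per case so the remaining cases keep running. The hunk header `@@ tests/tpm2_key_protector_test.in: exit_status=0` indicates the variable is initialised before the loops; the "Unexpected failure" branches still `exit ${ret}` immediately, which is fine since those are not test results. One small naming point: the FAIL messages use `[NV Index]` while the unexpected-failure messages use `[NV index]`; picking one spelling would make log matching easier.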
 8:  156c81422 = 11:  116f052d0 docs: Update NV index mode of TPM2 key protector
 9:  f47758510 ! 12:  a648c09a2 INSTALL: Document the packages needed for TPM2 key protector tests
    @@ Commit message
         tests.
     
         Signed-off-by: Gary Lin <g...@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
     
      ## INSTALL ##
     @@ INSTALL: Prerequisites for make-check:
 -:  --------- > 13:  0c36afc66 docs: Document the long options of tpm2_key_protect_init
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
