On 7/8/25 4:31 AM, Gary Lin wrote:
This commit introduces the definition of grub_tcg2_cap_pcr(), a new
function designed to enhance the security of sealed keys. Its primary
purpose is to "cap" a specific PCR by extending it with a SEPARATOR
event. This action cryptographically alters the PCR value, making it
impossible to unseal any key that was previously sealed to the original
PCR state. Consequently, the sealed key remains protected against
unauthorized unsealing attempts until the associated PCRs are reset to
their initial configuration, typically occurring during a subsequent
system boot.

Signed-off-by: Gary Lin <g...@suse.com>
---
  grub-core/lib/tss2/tcg2.h | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/grub-core/lib/tss2/tcg2.h b/grub-core/lib/tss2/tcg2.h
index 3d26373dd..c7e80d355 100644
--- a/grub-core/lib/tss2/tcg2.h
+++ b/grub-core/lib/tss2/tcg2.h
@@ -23,6 +23,8 @@
  #include <grub/err.h>
  #include <grub/types.h>
+#define EV_SEPARATOR 0x04
+
  extern grub_err_t
  grub_tcg2_get_max_output_size (grub_size_t *size);
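Review bot: the new `#define EV_SEPARATOR 0x04` near the top of the header carries no comment and no `GRUB_` prefix. Every file that includes tcg2.h picks up the bare name, so it can clash with another definition of the same event type. Consider a one-line comment saying that this is the event type grub_tcg2_cap_pcr() extends the PCR with, and either a prefixed name or an `#ifndef` guard around it.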
@@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size,
                          grub_size_t output_size,
                          grub_uint8_t *output);
+extern grub_err_t
+grub_tcg2_cap_pcr (grub_uint8_t pcr);
+
  #endif /* ! GRUB_TPM2_TCG2_HEADER */
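Review bot: the `grub_tcg2_cap_pcr (grub_uint8_t pcr)` prototype at the end of the header has no comment describing its contract. Since the commit message presents capping as what protects the sealed key, the header should say which PCR indexes are valid and that any return other than success means the PCR was not extended, so callers must not treat the key as protected in that case. The commit message also says the patch introduces the "definition", but the diffstat shows only this header changing, so only a declaration is added; rewording to "declaration", or naming the patch that carries the implementation, would avoid confusion.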

Reviewed-by: Stefan Berger <stef...@linux.ibm.com>


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
