For users who require a sealed key to be unsealable only once per boot process, a straightforward technique involves "capping" the key by extending the associated PCRs. This patch set introduces PCR capping support for the TPM2 key protector, allowing users to select specific PCRs to extend immediately after the key is unsealed.
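The mechanism described above, as an added illustration that is not part of this patch set or of GRUB's TPM code: a minimal software model of a SHA-256 PCR bank, a PolicyPCR-style authorization digest, and a sealed object that unseals only while the selected PCRs still match. The function and variable names, the "boot measurement" events and the secret are all constructed for the demo; the policy digest follows the TPM 2.0 PolicyPCR construction (command code, marshaled TPML_PCR_SELECTION, digest of the selected PCR values) as an assumption, and none of this talks to a real TPM. The point it shows is the one the series relies on: extending any PCR covered by the policy after the first unseal changes the policy digest, so a second unseal in the same boot fails, and the change cannot be undone until the next reset.

```python
import hashlib
import struct

# Constants modelled on TPM 2.0 Part 2 (assumed values for the demo).
TPM_CC_POLICYPCR = 0x0000017F   # command code mixed into the policy digest
TPM_ALG_SHA256 = 0x000B
DIGEST_LEN = 32


def new_pcr_bank(count=24):
    """Fresh SHA-256 PCR bank: every register is all zeros after a TPM reset."""
    return {i: bytes(DIGEST_LEN) for i in range(count)}


def pcr_extend(pcrs, index, event):
    """PCR_Extend: PCR[i] = H(PCR[i] || H(event)). One-way for the rest of the boot."""
    pcrs[index] = hashlib.sha256(pcrs[index] + hashlib.sha256(event).digest()).digest()
    return pcrs[index]


def marshal_pcr_selection(indices):
    """TPML_PCR_SELECTION with one SHA-256 bank and a 3-byte bitmap for PCR 0-23."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs, indices):
    """PolicyPCR on a fresh session: H(zeros || CC || pcrSelection || H(selected PCRs))."""
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()
    return hashlib.sha256(
        bytes(DIGEST_LEN)
        + struct.pack(">I", TPM_CC_POLICYPCR)
        + marshal_pcr_selection(indices)
        + pcr_digest
    ).digest()


def seal(secret, pcrs, indices):
    """Bind a secret to the current PCR policy (stand-in for a sealed TPM object's authPolicy)."""
    return {
        "auth_policy": policy_pcr_digest(pcrs, indices),
        "pcrs": tuple(indices),
        "secret": secret,
    }


def unseal(sealed, pcrs):
    """Release the secret only while the live PCR state still satisfies the sealed policy."""
    if policy_pcr_digest(pcrs, sealed["pcrs"]) != sealed["auth_policy"]:
        return None
    return sealed["secret"]


def cap_pcr(pcrs, index, marker=b"key-unsealed"):
    """Capping: extend a policy-covered PCR right after the key has been unsealed."""
    return pcr_extend(pcrs, index, marker)


def demo():
    """Unseal once, cap PCR 9, then show the same boot cannot unseal again."""
    pcrs = new_pcr_bank()
    # Constructed boot measurements standing in for firmware and bootloader events.
    pcr_extend(pcrs, 7, b"secure boot policy")
    pcr_extend(pcrs, 9, b"grub.cfg")
    sealed = seal(b"disk-encryption-key", pcrs, [7, 9])

    first = unseal(sealed, pcrs)    # PCRs match the sealing-time state
    cap_pcr(pcrs, 9)                # what the key protector does after releasing the key
    second = unseal(sealed, pcrs)   # policy digest no longer matches
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("first unseal:", before)
    print("after capping:", after)
```

Extending a PCR that the policy does not cover leaves the unseal working, which is why the series lets the user choose which PCRs to cap: the capped PCR has to be one of those the key is sealed against.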
Gary Lin (7):
  tss2: Add TPM2_PCR_Event command
  tss2: Introduce grub_tcg2_cap_pcr()
  tss2: Implement grub_tcg2_cap_pcr() for EFI
  tss2: Implement grub_tcg2_cap_pcr() for ieee1275
  tss2: Implement grub_tcg2_cap_pcr() for EMU
  tpm2_key_protector: Support PCR capping
  tests/tpm2_key_protector_test: Add a test for PCR Capping

 docs/grub.texi                               | 20 +++++-
 grub-core/commands/ieee1275/ibmvtpm.c        | 52 +--------------
 .../commands/tpm2_key_protector/module.c     | 56 +++++++++++++++-
 grub-core/lib/efi/tcg2.c                     | 41 ++++++++++++
 grub-core/lib/ieee1275/tcg2.c                | 66 +++++++++++++++++++
 grub-core/lib/tss2/tcg2.h                    |  5 ++
 grub-core/lib/tss2/tcg2_emu.c                | 19 ++++++
 grub-core/lib/tss2/tpm2_cmd.c                | 51 ++++++++++++++
 grub-core/lib/tss2/tpm2_cmd.h                |  7 ++
 grub-core/lib/tss2/tss2_mu.c                 | 18 +++++
 grub-core/lib/tss2/tss2_mu.h                 |  4 ++
 grub-core/lib/tss2/tss2_structs.h            |  7 ++
 grub-core/lib/tss2/tss2_types.h              |  1 +
 grub-core/normal/main.c                      |  2 +-
 include/grub/ieee1275/tpm.h                  |  5 ++
 tests/tpm2_key_protector_test.in             | 65 ++++++++++++++++++
 16 files changed, 365 insertions(+), 54 deletions(-)

-- 
2.43.0