> On 8 Jul 2025, at 2:01 PM, Gary Lin via Grub-devel <grub-devel@gnu.org> wrote: > > This commit introduces the definition of grub_tcg2_cap_pcr(), a new > function designed to enhance the security of sealed keys. Its primary > purpose is to "cap" a specific PCR by extending it with a SEPARATOR > event. This action cryptographically alters the PCR value, making it > impossible to unseal any key that was previously sealed to the original > PCR state. Consequently, the sealed key remains protected against > unauthorized unsealing attempts until the associated PCRs are reset to > their initial configuration, typically occurring during a subsequent > system boot. > > Signed-off-by: Gary Lin <g...@suse.com> > --- > grub-core/lib/tss2/tcg2.h | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/grub-core/lib/tss2/tcg2.h b/grub-core/lib/tss2/tcg2.h > index 3d26373dd..c7e80d355 100644 > --- a/grub-core/lib/tss2/tcg2.h > +++ b/grub-core/lib/tss2/tcg2.h > @@ -23,6 +23,8 @@ > #include <grub/err.h> > #include <grub/types.h> > > +#define EV_SEPARATOR 0x04 > + > extern grub_err_t > grub_tcg2_get_max_output_size (grub_size_t *size); > > @@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size, > grub_size_t output_size, > grub_uint8_t *output); > > +extern grub_err_t > +grub_tcg2_cap_pcr (grub_uint8_t pcr); > +
I think this patch should be merged with patch which define this functions. Thanks, Sudhakar > #endif /* ! GRUB_TPM2_TCG2_HEADER */ > -- > 2.43.0 > > > _______________________________________________ > Grub-devel mailing list > Grub-devel@gnu.org > https://lists.gnu.org/mailman/listinfo/grub-devel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
