On Thu, Jul 10, 2025 at 08:39:11PM +0530, Sudhakar Kuppusamy wrote: > > > > On 8 Jul 2025, at 2:01 PM, Gary Lin via Grub-devel <grub-devel@gnu.org> > > wrote: > > > > This commit introduces the definition of grub_tcg2_cap_pcr(), a new > > function designed to enhance the security of sealed keys. Its primary > > purpose is to "cap" a specific PCR by extending it with a SEPARATOR > > event. This action cryptographically alters the PCR value, making it > > impossible to unseal any key that was previously sealed to the original > > PCR state. Consequently, the sealed key remains protected against > > unauthorized unsealing attempts until the associated PCRs are reset to > > their initial configuration, typically occurring during a subsequent > > system boot. > > > > Signed-off-by: Gary Lin <g...@suse.com> > > --- > > grub-core/lib/tss2/tcg2.h | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/grub-core/lib/tss2/tcg2.h b/grub-core/lib/tss2/tcg2.h > > index 3d26373dd..c7e80d355 100644 > > --- a/grub-core/lib/tss2/tcg2.h > > +++ b/grub-core/lib/tss2/tcg2.h > > @@ -23,6 +23,8 @@ > > #include <grub/err.h> > > #include <grub/types.h> > > > > +#define EV_SEPARATOR 0x04 > > + > > extern grub_err_t > > grub_tcg2_get_max_output_size (grub_size_t *size); > > > > @@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size, > > grub_size_t output_size, > > grub_uint8_t *output); > > > > +extern grub_err_t > > +grub_tcg2_cap_pcr (grub_uint8_t pcr); > > + > > I think this patch should be merged with patch which define this functions. > It's platform-specific and I prefer separate patches with implementation details for each platform.
Gary Lin > Thanks, > Sudhakar > > > #endif /* ! GRUB_TPM2_TCG2_HEADER */ > > -- > > 2.43.0 > > > > > > _______________________________________________ > > Grub-devel mailing list > > Grub-devel@gnu.org > > https://lists.gnu.org/mailman/listinfo/grub-devel > _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
