[PATCH v2 07/10] tpm2_key_protector: Support NV index handles

Previously, NV index mode only supported persistent handles which are only for TPM objects. On the other hand, the "NV index" handle allows the user-defined data, so it can be an alternative to the key file and support TPM 2.0 Key File format immediately. The following tpm2-tools commands store t

[PATCH v2 00/10] TPM2 key protector follow-up patches

git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v2 This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debugging policy fail. * Patch 2~3 adds the new command to dump PCRs in GRUB shell and the * documentation of the comm

[PATCH v2 10/10] docs: Update NV index mode of TPM2 key protector

This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 188 +++-- 1 file changed, 166 insertions(+), 22 deletions(-)

[PATCH v2 02/10] tpm2_key_protector: Add 'tpm2_dump_pcr' command

The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Signed-off-by: Gary Lin Tested-by: Stefan Berger --- .../commands/tpm2_key_protector/module.c | 35 +++ 1 file chang

[PATCH v2 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. Two more NV index test cases are also added to test key sealing and unsealing with the NV index handle 0x100. Also, there is a minor fix to reset 'ret'

[PATCH v2 04/10] tss2: Fix the missing authCommand

grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces

[PATCH v2 03/10] docs: Document tpm2_dump_pcr

Update the documentation to address tpm2_dump_pcr. Signed-off-by: Gary Lin Reviewed-by: Stefan Berger --- docs/grub.texi | 13 + 1 file changed, 13 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 200e747af..aba43e35e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi

[PATCH v2 06/10] tpm2_key_protector: Unseal key from a buffer

Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle. The SRK recover function now only reads the file and sends the file buffer to the new function. Besides this, the file format is detected automatically before unmars

[PATCH v2 08/10] util/grub-protect: Support NV index mode

This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) TPM 2.0 Key File format (--tpm2key

[PATCH v2 05/10] tss2: Add TPM 2.0 NV index commands

The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

[PATCH v2 01/10] tpm2_key_protector: dump PCRs on policy fail

PCR mismatching is one common cause of TPM key unsealing fail. Since the system may be compromised, it is not safe to boot into OS to get the PCR values and TPM eventlog for the further investigation. To provide some hints, GRUB now dumps PCRs on policy fail, so the user can check the current PCR