On Thu, Mar 13, 2025 at 02:42:15PM +0100, Daniel Kiper wrote:
> On Mon, Jan 13, 2025 at 11:07:04AM +0800, Gary Lin via Grub-devel wrote:
> > PCR mismatching is one common cause of TPM key unsealing fail. Since the
> > system may be compromised, it is not safe to boot into OS to get the PCR
> > valu
On Mon, Jan 13, 2025 at 11:07:05AM +0800, Gary Lin via Grub-devel wrote:
> The user may need to inspect the TPM 2.0 PCR values with the GRUB shell,
> so the new 'tpm2_dump_pcr' command is added to print all PCRs of the
> specified bank.
Please update the documentation as well.
Daniel
On Mon, Jan 13, 2025 at 11:07:13AM +0800, Gary Lin via Grub-devel wrote:
> This commit updates the NV index mode section and the grub-protect
> section to reflect the recent changes in TPM2 key protector and
> grub-protect.
>
> Signed-off-by: Gary Lin
> ---
> docs/grub.texi | 189
On Mon, Jan 13, 2025 at 11:07:12AM +0800, Gary Lin via Grub-devel wrote:
> Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is
> replaced with one 'grub-protect' command to simplify the test script.
>
> Two more NV index test cases are also added to test key sealing and
> unseali
On Mon, Jan 13, 2025 at 11:07:11AM +0800, Gary Lin via Grub-devel wrote:
> This commit implements the missing NV index mode support in
> 'grub-protect'. NV index mode stores the sealed key in the TPM
> non-volatile memory (NVRAM) instead of a file. There are two supported
> types of TPM handles.
>
Change RMA size from 512 MB to 768 MB which will result
in more memory at boot time for PowerPC. When vTPM, Secure Boot or
FADump are enabled on PowerPC, the 512 MB RMA memory is not sufficient for
booting. With this 512 MB RMA, GRUB2 runs out of memory and fails to
boot the machine. Sometimes even
On Mon, Jan 13, 2025 at 11:07:10AM +0800, Gary Lin via Grub-devel wrote:
> Previously, NV index mode only supported persistent handles which are
> only for TPM objects.
>
> On the other hand, the "NV index" handle allows the user-defined data,
> so it can be an alternative to the key file and suppo
On Mon, Jan 13, 2025 at 11:07:09AM +0800, Gary Lin via Grub-devel wrote:
> Extract the logic to handle the file buffer from the SRK recover
> function to prepare to load the sealed key from the NV index handle.
> The SRK recover function now only reads the file and sends the file
> buffer to the ne
On Mon, Jan 13, 2025 at 11:07:07AM +0800, Gary Lin via Grub-devel wrote:
> grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check
> 'authCommand' when marshaling the input data buffer. Currently, there is
> no caller using non-NULL 'authCommand'. However, to avoid the potential
> issue, the
On Thu, Mar 13, 2025 at 02:45:25PM +0100, Daniel Kiper wrote:
> On Mon, Jan 13, 2025 at 11:07:05AM +0800, Gary Lin via Grub-devel wrote:
> > The user may need to inspect the TPM 2.0 PCR values with the GRUB shell,
> > so the new 'tpm2_dump_pcr' command is added to print all PCRs of the
> > specifie
On Wed, Mar 12, 2025 at 08:40:36AM +0100, Yann Diorcet wrote:
> Good idea, I will rework the patch with the few modifications that I talked
> about.
If you are going to do that may I ask you to split this patch into
smaller ones doing only one logical thing at a time?
Daniel
On Mon, Jan 13, 2025 at 11:07:04AM +0800, Gary Lin via Grub-devel wrote:
> PCR mismatching is one common cause of TPM key unsealing fail. Since the
> system may be compromised, it is not safe to boot into OS to get the PCR
> values and TPM eventlog for the further investigation.
>
> To provide some
On Mon, Mar 10, 2025 at 09:12:22AM +, Mate Kukri wrote:
> - Use shim loader protocol to verify images in the shim_lock verifier.
> - Add API to allow downstream consumers to re-use image handles produced
> by the verifier. This is necessary to avoid having images measured
> twice to the TPM
On Mon, Mar 10, 2025 at 09:14:31PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> LGTM.
> Reviewed-By: Vladimir Serbinenko
Reviewed-by: Daniel Kiper
Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
On Thu, Mar 06, 2025 at 08:46:52PM +0100, Yann Diorcet wrote:
> When tpm2_submit_command_real is called for a retry, the content of
> out buffer can already be set with previous grub_tcg2_submit_command
> call's reply. Restore previous offset allowing the next
> tpm2_submit_command_real calls to su
On 2025-03-13 00:28, Daniel Kiper wrote:
On Wed, Mar 12, 2025 at 10:06:15PM +0530, Avnish Chouhan wrote:
Change RMA size from 512 MB to 768 MB which will result
in more memory at boot time for PowerPC. When vTPM, Secure Boot or
FADump are enabled on PowerPC, the 512 MB RMA memory is not sufficie