[PATCH v2 0/5] Automatic TPM Disk Unlock

2022-02-01 Thread Hernan Gatta
e/html/grub-devel/2022-01/msg00125.html Thank you, Hernan Signed-off-by: Hernan Gatta Hernan Gatta (5): protectors: Add key protectors framework tpm2: Add TPM Software Stack (TSS) protectors: Add TPM2 Key Protector cryptodisk: Support key protectors util/grub-protect:

[PATCH v2 4/5] cryptodisk: Support key protectors

2022-02-01 Thread Hernan Gatta
Add a new parameter to cryptomount to support the key protectors framework: -k. The parameter is used to automatically retrieve a key from specified key protectors. The parameter may be repeated to specify any number of key protectors. These are tried in order until one provides a usable key for an

[PATCH v2 1/5] protectors: Add key protectors framework

2022-02-01 Thread Hernan Gatta
retrieved by it, the function returns to the caller the retrieved key and its length. Signed-off-by: Hernan Gatta --- grub-core/Makefile.am | 1 + grub-core/Makefile.core.def | 1 + grub-core/kern/protectors.c | 75 + include/grub/protector.h

[PATCH v2 5/5] util/grub-protect: Add new tool

2022-02-01 Thread Hernan Gatta
t/efi/boot/grub2/sealed_key Then, in the boot script: tpm2_key_protector_init -k (hd0,gpt1)/boot/grub2/sealed_key cryptomount -u b20f95d0834842bc9197bd78b36732f8 -k tpm2 where the UUID corresponds to /dev/sdb1. Signed-off-by: Hernan Gatta --- .gitignore |1 + Makefile.util.de

[PATCH v2 3/5] protectors: Add TPM2 Key Protector

2022-02-01 Thread Hernan Gatta
r does not initialize the key protector and attempts to use it anyway, the protector returns an error. Signed-off-by: Hernan Gatta --- grub-core/Makefile.core.def | 10 + grub-core/tpm2/args.c | 129 +++ grub-core/tpm2/module.c | 710 +

Re: [PATCH 4/5] cryptodisk: Support key protectors

2022-01-27 Thread Hernan Gatta
On Tue, 25 Jan 2022, James Bottomley wrote: On Mon, 2022-01-24 at 23:42 -0600, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:17 -0800 Hernan Gatta wrote: [...] +} + if (state[0].set) /* uuid */ { int found_uuid; @@ -1385,7 +1404,7 @@ GRUB_MOD_INIT (cryptodisk

Re: [PATCH 4/5] cryptodisk: Support key protectors

2022-01-27 Thread Hernan Gatta
On Mon, 24 Jan 2022, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:17 -0800 Hernan Gatta wrote: From: Hernan Gatta Add a new parameter to cryptomount to support the key protectors framework: -k. This parameter is accepted whenever the cryptomount command is used to mount a specific

Re: [PATCH 0/5] Automatic TPM Disk Unlock

2022-01-27 Thread Hernan Gatta
On Tue, 25 Jan 2022, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:13 -0800 Hernan Gatta wrote: This patch series adds support for automatically unlocking fully-encrypted disks using a TPM 2.0. Currently, when GRUB encounters a fully-encrypted disk that it must access, its corresponding

Re: [PATCH 3/5] protectors: Add TPM2 Key Protector

2022-01-27 Thread Hernan Gatta
On Mon, 24 Jan 2022, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:16 -0800 Hernan Gatta wrote: From: Hernan Gatta The TPM2 key protector is a module that enables the automatic retrieval of a fully-encrypted disk's unlocking key from a TPM 2.0. The theory of operation is such tha

Re: [PATCH 1/5] protectors: Add key protectors framework

2022-01-27 Thread Hernan Gatta
On Mon, 24 Jan 2022, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:14 -0800 Hernan Gatta wrote: From: Hernan Gatta A key protector encapsulates functionality to retrieve an unlocking key for a fully-encrypted disk from a specific source. A key protector module registers itself with the

Re: [PATCH 5/5] util/grub-protect: Add new tool

2022-01-27 Thread Hernan Gatta
On Mon, 24 Jan 2022, Glenn Washburn wrote: On Mon, 24 Jan 2022 06:12:18 -0800 Hernan Gatta wrote: From: Hernan Gatta To utilize the key protectors framework, there must be a way to protect full-disk encryption keys in the first place. The grub-protect tool includes support for the TPM2

[PATCH 3/5] protectors: Add TPM2 Key Protector

2022-01-24 Thread Hernan Gatta
From: Hernan Gatta The TPM2 key protector is a module that enables the automatic retrieval of a fully-encrypted disk's unlocking key from a TPM 2.0. The theory of operation is such that the module accepts various arguments, most of which are optional and therefore possess reasonable defaults

[PATCH 1/5] protectors: Add key protectors framework

2022-01-24 Thread Hernan Gatta
From: Hernan Gatta A key protector encapsulates functionality to retrieve an unlocking key for a fully-encrypted disk from a specific source. A key protector module registers itself with the key protectors framework when it is loaded and unregisters when unloaded. Additionally, a key protector

[PATCH 5/5] util/grub-protect: Add new tool

2022-01-24 Thread Hernan Gatta
From: Hernan Gatta To utilize the key protectors framework, there must be a way to protect full-disk encryption keys in the first place. The grub-protect tool includes support for the TPM2 key protector but other protectors that require setup ahead of time can be supported in the future. For

[PATCH 0/5] Automatic TPM Disk Unlock

2022-01-24 Thread Hernan Gatta
rtition, such as the EFI System Partition (ESP), where GRUB can read it. The sealed key is then unsealed by the TPM2 key protector automatically, provided that the PCRs selected match on subsequent boots. Signed-off-by: Hernan Gatta Hernan Gatta (5): protectors: Add key protectors framework tp

[PATCH 4/5] cryptodisk: Support key protectors

2022-01-24 Thread Hernan Gatta
From: Hernan Gatta Add a new parameter to cryptomount to support the key protectors framework: -k. This parameter is accepted whenever the cryptomount command is used to mount a specific disk either via a disk specification (e.g., (hd0,gpt1)) or by UUID, but not when disks are mounted in bulk