Re: [PATCH UPDATED] tpm2_key_protector: dump PCRs on policy fail

2024-12-10 Thread Gary Lin via Grub-devel
On Tue, Dec 10, 2024 at 12:22:07PM -0500, Stefan Berger wrote: > > > On 12/3/24 3:45 AM, Gary Lin wrote: > > PCR mismatching is one common cause of TPM key unsealing fail. Since the > > system may be compromised, it is not safe to boot into OS to get the PCR > > values and TPM eventlog for the fu

[PATCH v2] tpm2_key_protector: dump PCRs on policy fail

2024-12-11 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR
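
The patch above only prints the current PCR values; working out why they do not satisfy the sealed policy is left to the reader. The following is an added example, not GRUB code and not part of this thread, that recomputes the TPM2_PolicyPCR digest from a PCR bank and reports which PCR differs from the expected values. It assumes the SHA-256 bank, a policy consisting of a single TPM2_PolicyPCR step starting from an all-zero digest, and a dump line layout of `PCR NN: <hex>`, which is an assumed format for the example rather than GRUB's actual output; the measurements are constructed.

```python
# Added example, not GRUB code: recompute the TPM2_PolicyPCR digest that a
# PCR-bound seal enforces and find which PCR in a dumped bank differs from
# the expected values. Assumes the SHA-256 bank, 32-byte PCR values and a
# policy made of a single TPM2_PolicyPCR step starting from an all-zero
# digest. The dump line format "PCR NN: <hex>" is an assumed layout for this
# example, not necessarily what GRUB prints.
import hashlib

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICY_PCR = 0x0000017F
DIGEST_LEN = 32


def marshal_pcr_selection(pcrs, hash_alg=TPM_ALG_SHA256, sizeof_select=3):
    """TPML_PCR_SELECTION with one TPMS_PCR_SELECTION: count, hashAlg,
    sizeofSelect, then a bitmap where PCR n sets bit (n % 8) of byte (n // 8)."""
    select = bytearray(sizeof_select)
    for pcr in pcrs:
        select[pcr // 8] |= 1 << (pcr % 8)
    return ((1).to_bytes(4, "big") + hash_alg.to_bytes(2, "big")
            + bytes([sizeof_select]) + bytes(select))


def policy_pcr_digest(pcr_values, pcrs, start=bytes(DIGEST_LEN)):
    """policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs ||
    H(selected PCR values concatenated in ascending index order))."""
    pcr_digest = hashlib.sha256(
        b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    return hashlib.sha256(start + TPM_CC_POLICY_PCR.to_bytes(4, "big")
                          + marshal_pcr_selection(pcrs) + pcr_digest).digest()


def extend(pcr_value, measurement):
    """PCR extend: new = H(old || measurement)."""
    return hashlib.sha256(pcr_value + measurement).digest()


def replay(events):
    """Replay (pcr_index, measurement_digest) events, e.g. taken from an
    event log, into a bank of PCR values; every PCR starts at zero."""
    bank = {}
    for idx, digest in events:
        bank[idx] = extend(bank.get(idx, bytes(DIGEST_LEN)), digest)
    return bank


def render_dump(bank):
    """Render a bank in the assumed 'PCR NN: <hex>' dump layout."""
    return "\n".join(f"PCR {i:02d}: {bank[i].hex()}" for i in sorted(bank))


def parse_dump(text):
    """Parse the assumed 'PCR NN: <hex>' dump layout back into a bank."""
    bank = {}
    for line in text.splitlines():
        if line.startswith("PCR "):
            idx, hexval = line[4:].split(":")
            bank[int(idx)] = bytes.fromhex(hexval.strip())
    return bank


def diagnose(sealed_policy, dump_text, pcrs, expected_bank):
    """Return (policy_matches, [PCR indexes whose dumped value differs
    from the value the key was sealed against])."""
    dumped = parse_dump(dump_text)
    current = policy_pcr_digest(dumped, pcrs)
    bad = [i for i in sorted(pcrs) if dumped.get(i) != expected_bank.get(i)]
    return current == sealed_policy, bad


def sample_case():
    """Constructed sample data, not taken from a real machine."""
    fw = hashlib.sha256(b"firmware-volume").digest()
    boot = hashlib.sha256(b"grubx64.efi").digest()
    sb = hashlib.sha256(b"SecureBoot=1").digest()
    sealed_pcrs = {0, 4, 7}
    expected = replay([(0, fw), (4, boot), (7, sb)])
    sealed_policy = policy_pcr_digest(expected, sealed_pcrs)
    # The boot path changed: an extra measurement landed in PCR 4.
    dumped = replay([(0, fw), (4, boot),
                     (4, hashlib.sha256(b"unexpected.efi").digest()), (7, sb)])
    return sealed_policy, render_dump(dumped), sealed_pcrs, expected


if __name__ == "__main__":
    ok, bad = diagnose(*sample_case())
    print("policy matches:", ok, "mismatched PCRs:", bad)
```

Feeding the values printed by GRUB into `parse_dump` (after adjusting the parser to the real line layout) and the expected values from a known-good boot into `diagnose` narrows the failure to the PCR that moved, which is usually enough to tell a firmware update or boot-order change apart from tampering.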

Re: [PATCH v2] tpm2_key_protector: dump PCRs on policy fail

2024-12-16 Thread Gary Lin via Grub-devel
On Mon, Dec 16, 2024 at 05:28:34PM +0100, Daniel Kiper wrote: > On Thu, Dec 12, 2024 at 02:11:24PM +0800, Gary Lin wrote: > > PCR mismatching is one common cause of TPM key unsealing fail. Since the > > system may be compromised, it is not safe to boot into OS to get the PCR > > values and TPM even

Re: [PATCH v2] tpm2_key_protector: dump PCRs on policy fail

2024-12-16 Thread Gary Lin via Grub-devel
On Tue, Dec 17, 2024 at 09:35:34AM +0800, Gary Lin wrote: > On Mon, Dec 16, 2024 at 05:28:34PM +0100, Daniel Kiper wrote: > > On Thu, Dec 12, 2024 at 02:11:24PM +0800, Gary Lin wrote: > > > PCR mismatching is one common cause of TPM key unsealing fail. Since the > > > system may be compromised, it

Re: [PATCH v2] tpm2_key_protector: dump PCRs on policy fail

2024-12-17 Thread Gary Lin via Grub-devel
On Tue, Dec 17, 2024 at 03:29:02PM +0100, Daniel Kiper wrote: > On Tue, Dec 17, 2024 at 11:45:32AM +0800, Gary Lin wrote: > > On Tue, Dec 17, 2024 at 09:35:34AM +0800, Gary Lin wrote: > > > On Mon, Dec 16, 2024 at 05:28:34PM +0100, Daniel Kiper wrote: > > > > On Thu, Dec 12, 2024 at 02:11:24PM +080

[PATCH 10/10] docs: Update NV index mode of TPM2 key protector

2024-12-19 Thread Gary Lin via Grub-devel
This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 185 +++-- 1 file changed, 163 insertions(+), 22 deletions(-)

[PATCH 07/10] tpm2_key_protector: Support NV index handles

2024-12-19 Thread Gary Lin via Grub-devel
Previously, NV index mode only supported persistent handles, which are only for TPM objects. Without introducing new parameters, it is difficult to support authorized policy. On the other hand, the "NV index" handle allows user-defined data, so it can be an alternative to the key file and s

[PATCH 05/10] tss2: Add TPM 2.0 NV index commands

2024-12-19 Thread Gary Lin via Grub-devel
The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

[PATCH 03/10] docs: Document tpm2_dump_pcr

2024-12-19 Thread Gary Lin via Grub-devel
Update the documentation to address tpm2_dump_pcr. Signed-off-by: Gary Lin --- docs/grub.texi | 13 + 1 file changed, 13 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 200e747af..aba43e35e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -6433,6 +6433,7 @@ you f

[PATCH 04/10] tss2: Fix the missing authCommand

2024-12-19 Thread Gary Lin via Grub-devel
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces
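
To make the 'authCommand' point concrete: in the TPM 2.0 command format the header tag, the commandSize field and the presence of an authorizationSize field all depend on whether an authorization area is sent, so a marshaller that appends the area without the rest produces a buffer the TPM rejects. The block below is an added example, not GRUB's tss2 code, that marshals TPM2_ReadPublic with and without a password session and TPM2_NV_Read (one of the NV commands added in this series) with its mandatory authorization; handle values and the password are constructed for the example.

```python
# Added example, not GRUB's tss2 code: marshal TPM 2.0 command buffers and
# show how an authorization area ("authCommand") changes the header. Command
# layout per the TPM 2.0 Library spec, Part 1: tag (2), commandSize (4),
# commandCode (4), handles, then, only when sessions are present,
# authorizationSize (4) and the authorization area, then parameters. Handle
# values and the password are constructed for the example.
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
TPM_CC_NV_READ = 0x0000014E
TPM_CC_READPUBLIC = 0x00000173
TPM_RS_PW = 0x40000009        # built-in password session handle
TPM_HT_NV_INDEX = 0x01        # NV index handles are 0x01xxxxxx
TPM_HT_PERSISTENT = 0x81      # persistent object handles are 0x81xxxxxx
HEADER_LEN = 10


def handle_type(handle):
    """TPM_HT is the most significant byte of a handle."""
    return handle >> 24


def marshal_auth_command(session_handle=TPM_RS_PW, nonce=b"", attributes=0, hmac=b""):
    """TPMS_AUTH_COMMAND: sessionHandle, nonce (TPM2B), sessionAttributes,
    hmac (TPM2B). For TPM_RS_PW the hmac field carries the plaintext authValue."""
    return (struct.pack(">I", session_handle)
            + struct.pack(">H", len(nonce)) + nonce
            + struct.pack(">B", attributes)
            + struct.pack(">H", len(hmac)) + hmac)


def build_command(command_code, handles=(), auth_commands=(), parameters=b""):
    """Assemble a command. The tag flips to TPM_ST_SESSIONS and the
    authorizationSize field is inserted only when auth_commands is non-empty;
    sending the area without the size field (or the sessions tag without the
    area) yields a buffer the TPM rejects."""
    body = b"".join(struct.pack(">I", h) for h in handles)
    if auth_commands:
        tag = TPM_ST_SESSIONS
        auth_area = b"".join(auth_commands)
        body += struct.pack(">I", len(auth_area)) + auth_area
    else:
        tag = TPM_ST_NO_SESSIONS
    body += parameters
    return struct.pack(">HII", tag, HEADER_LEN + len(body), command_code) + body


def parse_header(buf):
    """Return (tag, commandSize, commandCode) and check commandSize."""
    tag, size, cc = struct.unpack(">HII", buf[:HEADER_LEN])
    if size != len(buf):
        raise ValueError(f"commandSize {size} != buffer length {len(buf)}")
    return tag, size, cc


def read_public(object_handle, auth=None):
    """TPM2_ReadPublic: one handle, no parameters, sessions optional."""
    return build_command(TPM_CC_READPUBLIC, [object_handle], [auth] if auth else ())


def nv_read(nv_index, size, offset=0, password=b""):
    """TPM2_NV_Read authorized by the index's own authValue: handles are
    authHandle (= the index) and nvIndex; parameters are size and offset."""
    if handle_type(nv_index) != TPM_HT_NV_INDEX:
        raise ValueError(f"{nv_index:#010x} is not an NV index handle")
    auth = marshal_auth_command(hmac=password)
    return build_command(TPM_CC_NV_READ, [nv_index, nv_index], [auth],
                         struct.pack(">HH", size, offset))


if __name__ == "__main__":
    for cmd in (read_public(0x81000001),
                read_public(0x81000001, marshal_auth_command()),
                nv_read(0x01000100, 64)):
        tag, size, cc = parse_header(cmd)
        print(f"tag={tag:#06x} size={size:3d} cc={cc:#010x} {cmd.hex()}")
```

Comparing the two `read_public` buffers shows the whole effect of a non-NULL 'authCommand': the tag changes from 0x8001 to 0x8002, commandSize grows by the four-byte authorizationSize plus the area, and the area sits between the handles and the (here empty) parameters.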

[PATCH 00/10] TPM2 key protector follow-up patches

2024-12-19 Thread Gary Lin via Grub-devel
git: https://github.com/lcp/grub2/tree/tpm2-follow-up This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debug policy failures. * Patches 2~3 add the new command to dump PCRs in the GRUB shell and the * documentation of the command

[PATCH 02/10] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2024-12-19 Thread Gary Lin via Grub-devel
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Signed-off-by: Gary Lin --- .../commands/tpm2_key_protector/module.c | 35 +++ 1 file changed, 35 insertions(+) diff

[PATCH 08/10] util/grub-protect: Support NV index mode

2024-12-19 Thread Gary Lin via Grub-devel
This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) TPM 2.0 Key File format (--tpm2key

[PATCH 01/10] tpm2_key_protector: dump PCRs on policy fail

2024-12-19 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR

[PATCH 06/10] tpm2_key_protector: Unseal key from a buffer

2024-12-19 Thread Gary Lin via Grub-devel
In preparation for loading the sealed key from the NV index handle, the logic to handle the file buffer is extracted into an independent function, and the SRK recover function only reads the file and sends the file buffer to the new function. Besides this, the file format is detected automatically before u

[PATCH 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2024-12-19 Thread Gary Lin via Grub-devel
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. Two more NV index test cases are also added to test key sealing and unsealing with the NV index handle, 0x100. Signed-off-by: Gary Lin --- tests/tpm2_

[PATCH v2 07/10] tpm2_key_protector: Support NV index handles

2025-01-08 Thread Gary Lin via Grub-devel
Previously, NV index mode only supported persistent handles, which are only for TPM objects. On the other hand, the "NV index" handle allows user-defined data, so it can be an alternative to the key file and support the TPM 2.0 Key File format immediately. The following tpm2-tools commands store t

[PATCH v2 00/10] TPM2 key protector follow-up patches

2025-01-08 Thread Gary Lin via Grub-devel
git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v2 This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debug policy failures. * Patches 2~3 add the new command to dump PCRs in the GRUB shell and the * documentation of the comm

[PATCH v2 10/10] docs: Update NV index mode of TPM2 key protector

2025-01-08 Thread Gary Lin via Grub-devel
This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 188 +++-- 1 file changed, 166 insertions(+), 22 deletions(-)

[PATCH v2 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2025-01-08 Thread Gary Lin via Grub-devel
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. Two more NV index test cases are also added to test key sealing and unsealing with the NV index handle 0x100. Also, there is a minor fix to reset 'ret'

[PATCH v2 02/10] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2025-01-08 Thread Gary Lin via Grub-devel
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Signed-off-by: Gary Lin Tested-by: Stefan Berger --- .../commands/tpm2_key_protector/module.c | 35 +++ 1 file chang

[PATCH v2 01/10] tpm2_key_protector: dump PCRs on policy fail

2025-01-08 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR

[PATCH v2 08/10] util/grub-protect: Support NV index mode

2025-01-08 Thread Gary Lin via Grub-devel
This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) TPM 2.0 Key File format (--tpm2key

[PATCH v2 05/10] tss2: Add TPM 2.0 NV index commands

2025-01-08 Thread Gary Lin via Grub-devel
The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

[PATCH v2 06/10] tpm2_key_protector: Unseal key from a buffer

2025-01-08 Thread Gary Lin via Grub-devel
Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle. The SRK recover function now only reads the file and sends the file buffer to the new function. Besides this, the file format is detected automatically before unmars

[PATCH v2 03/10] docs: Document tpm2_dump_pcr

2025-01-08 Thread Gary Lin via Grub-devel
Update the documentation to address tpm2_dump_pcr. Signed-off-by: Gary Lin Reviewed-by: Stefan Berger --- docs/grub.texi | 13 + 1 file changed, 13 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 200e747af..aba43e35e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi

[PATCH v2 04/10] tss2: Fix the missing authCommand

2025-01-08 Thread Gary Lin via Grub-devel
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces

Re: [PATCH v2 07/10] tpm2_key_protector: Support NV index handles

2025-01-09 Thread Gary Lin via Grub-devel
On Thu, Jan 09, 2025 at 01:03:54PM -0500, Stefan Berger wrote: > > > On 1/8/25 10:58 PM, Gary Lin wrote: > > Previously, NV index mode only supported persistent handles which are > > only for TPM objects. > > > > On the other hand, the "NV index" handle allows the user-defined data, > > so it ca

Re: [PATCH v2 08/10] util/grub-protect: Support NV index mode

2025-01-09 Thread Gary Lin via Grub-devel
On Thu, Jan 09, 2025 at 02:03:47PM -0500, Stefan Berger wrote: > > > On 1/8/25 10:58 PM, Gary Lin wrote: > > This commit implements the missing NV index mode support in > > 'grub-protect'. NV index mode stores the sealed key in the TPM > > non-volatile memory (NVRAM) instead of a file. There are

Re: [PATCH v2 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2025-01-09 Thread Gary Lin via Grub-devel
On Thu, Jan 09, 2025 at 02:13:02PM -0500, Stefan Berger wrote: > > > On 1/8/25 10:58 PM, Gary Lin wrote: > > Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is > > replaced with one 'grub-protect' command to simplify the test script. > > > > Two more NV index test cases are a

[PATCH v3 08/10] util/grub-protect: Support NV index mode

2025-01-12 Thread Gary Lin via Grub-devel
This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) TPM 2.0 Key File format (--tpm2key

[PATCH v3 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2025-01-12 Thread Gary Lin via Grub-devel
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. Two more NV index test cases are also added to test key sealing and unsealing with the NV index handle 0x100. Also, there is a minor fix to reset 'ret'

[PATCH v3 00/10] TPM2 key protector follow-up patches

2025-01-12 Thread Gary Lin via Grub-devel
git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v3 This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debug policy failures. * Patches 2~3 add the new command to dump PCRs in the GRUB shell and the * documentation of the comm

[PATCH v3 01/10] tpm2_key_protector: dump PCRs on policy fail

2025-01-12 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR

[PATCH v3 05/10] tss2: Add TPM 2.0 NV index commands

2025-01-12 Thread Gary Lin via Grub-devel
The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

[PATCH v3 07/10] tpm2_key_protector: Support NV index handles

2025-01-12 Thread Gary Lin via Grub-devel
Previously, NV index mode only supported persistent handles, which are only for TPM objects. On the other hand, the "NV index" handle allows user-defined data, so it can be an alternative to the key file and support the TPM 2.0 Key File format immediately. The following tpm2-tools commands store t

[PATCH v3 06/10] tpm2_key_protector: Unseal key from a buffer

2025-01-12 Thread Gary Lin via Grub-devel
Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle. The SRK recover function now only reads the file and sends the file buffer to the new function. Besides this, the file format is detected automatically before unmars

[PATCH v3 02/10] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2025-01-12 Thread Gary Lin via Grub-devel
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Signed-off-by: Gary Lin Tested-by: Stefan Berger --- .../commands/tpm2_key_protector/module.c | 35 +++ 1 file chang

[PATCH v3 10/10] docs: Update NV index mode of TPM2 key protector

2025-01-12 Thread Gary Lin via Grub-devel
This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 189 +++-- 1 file changed, 167 insertions(+), 22 deletions(-)

[PATCH v3 03/10] docs: Document tpm2_dump_pcr

2025-01-12 Thread Gary Lin via Grub-devel
Update the documentation to address tpm2_dump_pcr. Signed-off-by: Gary Lin Reviewed-by: Stefan Berger --- docs/grub.texi | 13 + 1 file changed, 13 insertions(+) diff --git a/docs/grub.texi b/docs/grub.texi index 200e747af..aba43e35e 100644 --- a/docs/grub.texi +++ b/docs/grub.texi

[PATCH v3 04/10] tss2: Fix the missing authCommand

2025-01-12 Thread Gary Lin via Grub-devel
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces

Re: [PATCH 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2025-01-03 Thread Gary Lin via Grub-devel
On Thu, Jan 02, 2025 at 04:11:42PM -0500, Stefan Berger wrote: > > > On 12/19/24 3:12 AM, Gary Lin wrote: > > Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is > > replaced with one 'grub-protect' command to simplify the test script. > > > > Two more NV index test cases are

Re: [PATCH 07/10] tpm2_key_protector: Support NV index handles

2025-01-02 Thread Gary Lin via Grub-devel
On Thu, Jan 02, 2025 at 02:54:51PM -0500, Stefan Berger wrote: > > > On 12/19/24 3:12 AM, Gary Lin wrote: > > Previously, NV index mode only supported persistent handles which are > > only for the TPM objects. Without introducing new parameters, it is > > for TPM objects. > Will fix it in v2.

Re: [PATCH 06/10] tpm2_key_protector: Unseal key from a buffer

2025-01-02 Thread Gary Lin via Grub-devel
On Thu, Jan 02, 2025 at 02:12:57PM -0500, Stefan Berger wrote: > > > On 12/19/24 3:12 AM, Gary Lin wrote: > > As the preparation to load the sealed key from the NV index handle, > > Extract the logic to handle the file buffer from ... to prepare to load the > sealed key from the NV index handle.

[PATCH v4 09/12] tests/tpm2_key_protector_test: Reset 'ret' on fail

2025-03-21 Thread Gary Lin via Grub-devel
Reset 'ret' to 0 when a test case fails so that the other test cases can continue. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protector_test.in index 07477ba2a..0d1115e02 1

[PATCH v4 05/12] tpm2_key_protector: Unseal key from a buffer

2025-03-21 Thread Gary Lin via Grub-devel
Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle, so the NV index mode can share the same code path in a later patch. The SRK recover function now only reads the file and sends the file buffer to the new function.

[PATCH v4 06/12] tpm2_key_protector: Support NV index handles

2025-03-21 Thread Gary Lin via Grub-devel
Previously, NV index mode only supported persistent handles, which are only for TPM objects. On the other hand, the "NV index" handle allows user-defined data, so it can be an alternative to the key file and support the TPM 2.0 Key File format immediately. The following tpm2-tools commands store t

[PATCH v4 00/12] TPM2 key protector follow-up patches

2025-03-21 Thread Gary Lin via Grub-devel
git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v4 This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debug policy failures. * Patch 2 adds the new command to dump PCRs in the GRUB shell and the * documentation of the comman

[PATCH v4 03/12] tss2: Fix the missing authCommand

2025-03-21 Thread Gary Lin via Grub-devel
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces

[PATCH v4 02/12] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2025-03-21 Thread Gary Lin via Grub-devel
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Also update the document for the new command. Signed-off-by: Gary Lin Tested-by: Stefan Berger Reviewed-by: Daniel Kiper --- docs/grub.

[PATCH v4 04/12] tss2: Add TPM 2.0 NV index commands

2025-03-21 Thread Gary Lin via Grub-devel
The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

Re: [PATCH v2 1/7] luks2: Add token parsing support

2025-03-21 Thread Gary Lin via Grub-devel
On Fri, Mar 14, 2025 at 02:58:48PM +0100, Yann Diorcet wrote: > For the moment only the system-tpm2 token type is supported. > Hi Yann, Could you consider creating a cover letter for this patch set? A cover letter is useful for the reviewer to have an overview of the patches before diving into th

Re: [PATCH v3 02/10] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2025-03-14 Thread Gary Lin via Grub-devel
On Thu, Mar 13, 2025 at 02:49:29PM +0100, Daniel Kiper wrote: > On Thu, Mar 13, 2025 at 02:45:25PM +0100, Daniel Kiper wrote: > > On Mon, Jan 13, 2025 at 11:07:05AM +0800, Gary Lin via Grub-devel wrote: > > > The user may need to inspect the TPM 2.0 PCR values with the GRUB shell

Re: [PATCH v3 09/10] tests/tpm2_key_protector_test: Amend the NV index mode test

2025-03-19 Thread Gary Lin via Grub-devel
On Sat, Mar 15, 2025 at 03:45:14AM -0500, Glenn Washburn wrote: > On Mon, 13 Jan 2025 11:07:12 +0800 > Gary Lin via Grub-devel wrote: > > > Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is > > replaced with one 'grub-protect'

[PATCH v4 07/12] util/grub-protect: Support NV index mode

2025-04-05 Thread Gary Lin via Grub-devel
This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) Only the raw format is supported d

[PATCH v4 11/12] docs: Update NV index mode of TPM2 key protector

2025-04-05 Thread Gary Lin via Grub-devel
This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 188 +++-- 1 file changed, 166 insertions(+), 22 deletions(-)

Re: [PATCH v3 05/10] tss2: Add TPM 2.0 NV index commands

2025-04-05 Thread Gary Lin via Grub-devel
On Tue, Mar 25, 2025 at 04:37:43PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:08AM +0800, Gary Lin wrote: > > The following TPM 2.0 commands are introduced to tss2 to access the > > TPM non-volatile memory associated with the NV index handles. > > > > - TPM2_NV_DefineSpace > > - TPM

[PATCH v4 10/12] tests/tpm2_key_protector_test: Add more NV index mode tests

2025-04-05 Thread Gary Lin via Grub-devel
Two more NV index test cases are added to test key sealing and unsealing with the NV index handle 0x100. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 55 ++-- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/tests/tpm2_key_protecto

[PATCH v4 01/12] tpm2_key_protector: dump PCRs on policy fail

2025-04-05 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR

[PATCH v4 08/12] tests/tpm2_key_protector_test: Simplify the NV index mode test

2025-03-26 Thread Gary Lin via Grub-devel
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. 'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 108 +---

Re: [PATCH v4 05/12] tpm2_key_protector: Unseal key from a buffer

2025-03-26 Thread Gary Lin via Grub-devel
On Tue, Mar 25, 2025 at 05:01:02PM +0100, Daniel Kiper wrote: > On Fri, Mar 21, 2025 at 03:59:01PM +0800, Gary Lin wrote: > > Extract the logic to handle the file buffer from the SRK recover > > function to prepare to load the sealed key from the NV index handle, > > so the NV index mode can share

Re: [PATCH v3 06/10] tpm2_key_protector: Unseal key from a buffer

2025-03-14 Thread Gary Lin via Grub-devel
On Thu, Mar 13, 2025 at 02:59:18PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:09AM +0800, Gary Lin via Grub-devel wrote: > > Extract the logic to handle the file buffer from the SRK recover > > function to prepare to load the sealed key from the NV index handle. >

Re: [PATCH v3 08/10] util/grub-protect: Support NV index mode

2025-03-14 Thread Gary Lin via Grub-devel
On Thu, Mar 13, 2025 at 03:17:24PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:11AM +0800, Gary Lin via Grub-devel wrote: > > This commit implements the missing NV index mode support in > > 'grub-protect'. NV index mode stores the sealed key in the TPM >

Re: [PATCH v3 10/10] docs: Update NV index mode of TPM2 key protector

2025-03-14 Thread Gary Lin via Grub-devel
On Thu, Mar 13, 2025 at 03:27:47PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:13AM +0800, Gary Lin via Grub-devel wrote: > > This commit updates the NV index mode section and the grub-protect > > section to reflect the recent changes in TPM2 key protector and

Re: [PATCH v3 01/10] tpm2_key_protector: dump PCRs on policy fail

2025-03-13 Thread Gary Lin via Grub-devel
On Thu, Mar 13, 2025 at 02:42:15PM +0100, Daniel Kiper wrote: > On Mon, Jan 13, 2025 at 11:07:04AM +0800, Gary Lin via Grub-devel wrote: > > PCR mismatching is one common cause of TPM key unsealing fail. Since the > > system may be compromised, it is not safe to boot into OS

[PATCH v5 08/13] tests/tpm2_key_protector_test: Simplify the NV index mode test

2025-04-07 Thread Gary Lin via Grub-devel
Since 'grub-protect' already supports NV index mode, tpm2_seal_nv() is replaced with one 'grub-protect' command to simplify the test script. 'tpm2_evictcontrol' is also replaced with 'grub-protect --tpm2-evict'. Signed-off-by: Gary Lin Reviewed-by: Stefan Berger Reviewed-by: Daniel Kiper ---

[PATCH v5 12/13] INSTALL: Document the packages needed for TPM2 key protector tests

2025-04-07 Thread Gary Lin via Grub-devel
The TPM2 key protector tests require two external packages: swtpm-tools and tpm2-tools. Add those two packages to the INSTALL file to inform the user to install those packages before starting the TPM2 key protector tests. Signed-off-by: Gary Lin Reviewed-by: Daniel Kiper --- INSTALL | 1 + 1 fi

[PATCH v5 00/13] TPM2 key protector follow-up patches

2025-04-07 Thread Gary Lin via Grub-devel
git: https://github.com/lcp/grub2/tree/tpm2-follow-up-v5 This patchset is the collection of several enhancements for TPM2 key protector. * Patch 1 introduces the PCR dump to help debug policy failures. * Patch 2 adds the new command to dump PCRs in the GRUB shell and the * documentation of the comman

[PATCH v5 02/13] tpm2_key_protector: Add 'tpm2_dump_pcr' command

2025-04-07 Thread Gary Lin via Grub-devel
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank. Also update the document for the new command. Signed-off-by: Gary Lin Tested-by: Stefan Berger Reviewed-by: Daniel Kiper --- docs/grub.

[PATCH v5 04/13] tss2: Add TPM 2.0 NV index commands

2025-04-07 Thread Gary Lin via Grub-devel
The following TPM 2.0 commands are introduced to tss2 to access the TPM non-volatile memory associated with the NV index handles. - TPM2_NV_DefineSpace - TPM2_NV_UndefineSpace - TPM2_NV_ReadPublic - TPM2_NV_Read - TPM2_NV_Write The related marshal/unmarshal functions are also introduced. Signed-

[PATCH v5 01/13] tpm2_key_protector: dump PCRs on policy fail

2025-04-07 Thread Gary Lin via Grub-devel
PCR mismatch is one common cause of TPM key unsealing failure. Since the system may be compromised, it is not safe to boot into the OS to get the PCR values and TPM event log for further investigation. To provide some hints, GRUB now dumps PCRs on policy failure, so the user can check the current PCR

[PATCH v5 07/13] util/grub-protect: Support NV index mode

2025-04-07 Thread Gary Lin via Grub-devel
This commit implements the missing NV index mode support in 'grub-protect'. NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM) instead of a file. There are two supported types of TPM handles. 1. Persistent handle (0x8100~0x81FF) Only the raw format is supported d

[PATCH v5 09/13] tests/tpm2_key_protector_test: Reset 'ret' on fail

2025-04-07 Thread Gary Lin via Grub-devel
Reset 'ret' to 0 when a test case fails so that the other test cases can continue. Also set the exit status to 1 when encountering a failure to reflect the test result. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) d

[PATCH v5 11/13] docs: Update NV index mode of TPM2 key protector

2025-04-07 Thread Gary Lin via Grub-devel
This commit updates the NV index mode section and the grub-protect section to reflect the recent changes in TPM2 key protector and grub-protect. Signed-off-by: Gary Lin --- docs/grub.texi | 188 +++-- 1 file changed, 166 insertions(+), 22 deletions(-)

[PATCH v5 10/13] tests/tpm2_key_protector_test: Add more NV index mode tests

2025-04-07 Thread Gary Lin via Grub-devel
Two more NV index test cases are added to test key sealing and unsealing with the NV index handle 0x100. Signed-off-by: Gary Lin Reviewed-by: Stefan Berger --- tests/tpm2_key_protector_test.in | 57 ++-- 1 file changed, 40 insertions(+), 17 deletions(-) diff --g

[PATCH v5 05/13] tpm2_key_protector: Unseal key from a buffer

2025-04-07 Thread Gary Lin via Grub-devel
Extract the logic to handle the file buffer from the SRK recover function to prepare to load the sealed key from the NV index handle, so the NV index mode can share the same code path in a later patch. The SRK recover function now only reads the file and sends the file buffer to the new function.

[PATCH v5 03/13] tss2: Fix the missing authCommand

2025-04-07 Thread Gary Lin via Grub-devel
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check 'authCommand' when marshaling the input data buffer. Currently, there is no caller using non-NULL 'authCommand'. However, to avoid the potential issue, the conditional check is added to insert 'authCommand' into the input buffer if neces

Re: [PATCH v12 10/13] libgcrypt: Import blake family of hashes

2025-04-18 Thread Gary Lin via Grub-devel
On Tue, Apr 15, 2025 at 10:57:05PM +, Vladimir Serbinenko wrote: > Signed-off-by: Vladimir Serbinenko > --- ->8- > @@ -281,7 +283,7 @@ for cipher_file in cipher_files: > hold = False > # We're optimising for size and exclude anything needing good >

Re: [PATCH v2 10/21] appended signatures: support verifying appended signatures

2025-04-14 Thread Gary Lin via Grub-devel
On Thu, Mar 27, 2025 at 01:02:31AM +0530, Sudhakar Kuppusamy wrote: > From: Daniel Axtens > > Building on the parsers and the ability to embed x509 certificates, as > well as the existing gcrypt functionality, add a module for verifying > appended signatures. > > This includes a verifier that re

[PATCH v5 13/13] docs: Document the long options of tpm2_key_protect_init

2025-04-10 Thread Gary Lin via Grub-devel
Add the long options of tpm2_key_protect_init along with the short options. Signed-off-by: Gary Lin --- docs/grub.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/grub.texi b/docs/grub.texi index cf64c54c8..2b3d536d3 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @

[PATCH v5 06/13] tpm2_key_protector: Support NV index handles

2025-04-10 Thread Gary Lin via Grub-devel
Previously, NV index mode only supported persistent handles, which are only for TPM objects. On the other hand, the "NV index" handle allows user-defined data, so it can be an alternative to the key file and support the TPM 2.0 Key File format immediately. The following tpm2-tools commands store t

Re: [PATCH v2 20/21] appendedsig: The grub command's trusted and distrusted support

2025-04-17 Thread Gary Lin via Grub-devel
On Thu, Mar 27, 2025 at 01:02:41AM +0530, Sudhakar Kuppusamy wrote: > To support the following trusted and distrusted commands > > 1. trusted_list: > It will show the list of trusted certificates and binary hashes > 2. distrusted_list: > It will show the list of distrusted cert

Re: [PATCH v2 20/21] appendedsig: The grub command's trusted and distrusted support

2025-04-15 Thread Gary Lin via Grub-devel
On Thu, Mar 27, 2025 at 01:02:41AM +0530, Sudhakar Kuppusamy wrote: > To support the following trusted and distrusted commands > > 1. trusted_list: > It will show the list of trusted certificates and binary hashes > 2. distrusted_list: > It will show the list of distrusted cert

Re: [PATCH 1/1] lib: Fix clang Build - Remove Duplicate Typedef in TSS

2025-03-03 Thread Gary Lin via Grub-devel
On Sun, Mar 02, 2025 at 10:54:04AM -0600, Andrew Hamilton wrote: > tss2_structs.h contains a duplicate typedef as follows: > typedef TPMS_SCHEME_HASH_t TPMS_SCHEME_KDF2_t; > > This causes a build failure when compiling with clang. > Remove the duplicate typedef which allows successfully > building

Re: [PATCH] tss2: restore buffer offset on tpm2_submit_command retry

2025-03-10 Thread Gary Lin via Grub-devel
On Thu, Mar 06, 2025 at 08:46:52PM +0100, Yann Diorcet wrote: > When tpm2_submit_command_real is called for a retry, the content of > out buffer can already be set with previous grub_tcg2_submit_command > call's reply. Restore previous offset allowing the next > tpm2_submit_command_real calls to su

Re: [PATCH] key_protector: Add systemd TPM2 Key Protector

2025-03-12 Thread Gary Lin via Grub-devel
On Thu, Mar 06, 2025 at 10:15:09PM +0100, Diorcet Yann wrote: > The systemd TPM2 key protector is a module that enables the automatic > retrieval > of a fully-encrypted disk's unlocking key from a systemd token in luks2 > partition header. > > Inspired by the tpm2_key_protector module and the cryp

Re: [PATCH v4 09/12] tests/tpm2_key_protector_test: Reset 'ret' on fail

2025-04-04 Thread Gary Lin via Grub-devel
version. Gary Lin > > Fri, 21 Mar 2025, 11:01, Gary Lin via Grub-devel > org> wrote: Reset 'ret' > > > > Is there a risk here of missing the failures? It's common that no one > > looks at the output unless it causes a failed build on some

[PATCH v4 12/12] INSTALL: Document the packages needed for TPM2 key protector tests

2025-03-25 Thread Gary Lin via Grub-devel
The TPM2 key protector tests require two external packages: swtpm-tools and tpm2-tools. Add those two packages to the INSTALL file to inform the user to install those packages before starting the TPM2 key protector tests. Signed-off-by: Gary Lin --- INSTALL | 1 + 1 file changed, 1 insertion(+)

[PATCH v2 1/3] grub-protect: Fix the hash algorithm of PCR digest

2025-06-13 Thread Gary Lin via Grub-devel
For "tpm2_key_protector" and "grub-protect", 'SHA256' is chosen as the hash algorithm for the TPM session. However, grub-protect mistakenly used the hash algorithm of the PCR bank to calculate PCR digest. If the user chose a PCR bank other than 'SHA256', "grub-protect" created a non-SHA256 PCR dige

[PATCH v2 3/3] tests/tpm2_key_protector_test: Add tests for SHA384 PCR bank

2025-06-13 Thread Gary Lin via Grub-devel
Add a few more tests to seal and unseal the key with the SHA384 PCR bank instead of the default SHA256 PCR bank. Signed-off-by: Gary Lin Reviewed-by: Sudhakar Kuppusamy --- tests/tpm2_key_protector_test.in | 46 +++- 1 file changed, 33 insertions(+), 13 deletions(-)

[PATCH v2 2/3] tpm2_key_protector: Dump the PCR bank for key unsealing

2025-06-13 Thread Gary Lin via Grub-devel
TPM 2.0 Key File format stores the PCR selection in the parameters for 'TPM2_PolicyPCR' and it already contains the selected PCR bank. Currently, "tpm2_key_protector" dumped the PCR bank specified by the '--bank' option, and it may not be the PCR bank for key unsealing. To dump the real PCR bank f

[PATCH v2 0/3] Fixes for non-default TPM PCR banks

2025-06-13 Thread Gary Lin via Grub-devel
There are two bugs when using the TPM PCR banks other than the default SHA256 PCR bank: 1) Key unsealing failure 2) Dumping the wrong PCR bank This patch set fixes the above two bugs and adds the tests for SHA384 PCR bank. v2: - Set the SHA256 PCR bank explicitly in tpm2_key_protector_test Ga

Re: [PATCH 3/3] tests/tpm2_key_protector_test: Add tests for SHA384 PCR bank

2025-06-10 Thread Gary Lin via Grub-devel
On Tue, Jun 10, 2025 at 03:11:27PM -0400, Stefan Berger wrote: > > > On 6/9/25 3:46 AM, Gary Lin wrote: > > Add a few more tests to seal and unseal the key with the SHA384 PCR > > bank instead of the default SHA256 PCR bank. > > > > Signed-off-by: Gary Lin > > --- > > tests/tpm2_key_protector

[PATCH 2/3] tpm2_key_protector: Dump the PCR bank for key unsealing

2025-06-09 Thread Gary Lin via Grub-devel
TPM 2.0 Key File format stores the PCR selection in the parameters for 'TPM2_PolicyPCR' and it already contains the selected PCR bank. Currently, "tpm2_key_protector" dumped the PCR bank specified by the '--bank' option, and it may not be the PCR bank for key unsealing. To dump the real PCR bank f

[PATCH 3/3] tests/tpm2_key_protector_test: Add tests for SHA384 PCR bank

2025-06-09 Thread Gary Lin via Grub-devel
Add a few more tests to seal and unseal the key with the SHA384 PCR bank instead of the default SHA256 PCR bank. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 34 +--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/tests/tpm2_key_prote

[PATCH 1/3] grub-protect: Fix the hash algorithm of PCR digest

2025-06-09 Thread Gary Lin via Grub-devel
For "tpm2_key_protector" and "grub-protect", 'SHA256' is chosen as the hash algorithm for the TPM session. However, grub-protect mistakenly used the hash algorithm of the PCR bank to calculate PCR digest. If the user chose a PCR bank other than 'SHA256', "grub-protect" created a non-SHA256 PCR dige

[PATCH 0/3] Fixes for non-default TPM PCR banks

2025-06-09 Thread Gary Lin via Grub-devel
There are two bugs when using the TPM PCR banks other than the default SHA256 PCR bank: 1) Key unsealing failure 2) Dumping the wrong PCR bank This patch set fixes the above two bugs and adds the tests for SHA384 PCR bank. Gary Lin (3): grub-protect: Fix the hash algorithm of PCR digest tpm2

Re: [PATCH 5/7] tss2: Implement grub_tcg2_cap_pcr() for EMU

2025-07-08 Thread Gary Lin via Grub-devel
On Tue, Jul 08, 2025 at 12:19:18PM -0400, Stefan Berger wrote: > > > On 7/8/25 4:31 AM, Gary Lin wrote: > > Since there is no system fimware for grub-emu, the TPM2_PCR_Event > > s/fimware/firmware Will fix the typo in v2. > > > command becomes the only choice to implement grub_tcg2_cap_pcr().

[PATCH 7/7] tests/tpm2_key_protector_test: Add a test for PCR Capping

2025-07-08 Thread Gary Lin via Grub-devel
A test is introduced to cap PCR 1 and track the PCR 1 value before and after key unsealing. Signed-off-by: Gary Lin --- tests/tpm2_key_protector_test.in | 65 1 file changed, 65 insertions(+) diff --git a/tests/tpm2_key_protector_test.in b/tests/tpm2_key_protect

[PATCH 5/7] tss2: Implement grub_tcg2_cap_pcr() for EMU

2025-07-08 Thread Gary Lin via Grub-devel
Since there is no system firmware for grub-emu, the TPM2_PCR_Event command becomes the only choice to implement grub_tcg2_cap_pcr(). Signed-off-by: Gary Lin --- grub-core/lib/tss2/tcg2_emu.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/grub-core/lib/tss2/tcg2_emu.c b/g
