From: Patrick Colp
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
Note: This only extends support on the unseal path. grub2_protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.
From: Hernan Gatta
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the
From: Hernan Gatta
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. On
Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with grub code.
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
docs/grub-dev.texi| 34 ++
...asn1-disable-code-not-needed-in-grub.patch
From: Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is a defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
From: Daniel Axtens
Do a few things to make libtasn1 compile as part of grub:
- remove _asn1_strcat and replace strcat with the bound-checked
_asn1_str_cat except the one inside _asn1_str_cat. That strcat is
replaced with strcpy.
- adjust header paths in libtasn1.h
- adjust header pat
An attacker may insert a malicious disk with the same crypto UUID and
trick grub2 to mount the fake root. Even though the key from the key
protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wip
From: Patrick Colp
If a protector is specified, but it fails to unlock the disk, fall back
to asking for the passphrase. However, an error was set indicating that
the protector(s) failed. Later code (e.g., LUKS code) fails as
`grub_errno` is now set. Print the existing errors out first, before
pr
In _asn1_tag_der(), the first while loop for the long form may end up
with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun
in the second while loop. This commit tweaks the conditional check to
avoid producing a too large 'k'.
This is a quick fix and may differ from the official u
As a preparation to test TPM 2.0 TSS stack with grub-emu, the new
option, --tpm-device, is introduced to specify the TPM device for
grub-emu so that grub-emu can share the emulated TPM device with
the host.
Since grub-emu can directly access the device node on host, it's easy to
implement the esse
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuth
On Mon, May 06, 2024 at 02:09:12PM -0500, Glenn Washburn wrote:
> On Fri, 3 May 2024 14:48:56 +0800
> Gary Lin wrote:
>
> > For the tpm2 module, the TCG2 command submission function is the only
> > difference between the a QEMU instance and grub-emu. To test TPM key
> > unsealing with a QEMU ins
On Wed, May 08, 2024 at 03:25:29PM -0500, Glenn Washburn wrote:
> On Tue, 7 May 2024 16:19:19 +0800
> Gary Lin wrote:
>
> > On Mon, May 06, 2024 at 02:09:12PM -0500, Glenn Washburn wrote:
> > > On Fri, 3 May 2024 14:48:56 +0800
> > > Gary Lin wrote:
> > >
> > > > For the tpm2 module, the TCG2
From: Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is a defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
In _asn1_tag_der(), the first while loop for the long form may end up
with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun
in the second while loop. This commit tweaks the conditional check to
avoid producing a too large 'k'.
This is a quick fix and may differ from the official u
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuth
From: Daniel Axtens
Do a few things to make libtasn1 compile as part of grub:
- remove _asn1_strcat and replace strcat with the bound-checked
_asn1_str_cat except the one inside _asn1_str_cat. That strcat is
replaced with strcpy.
- adjust header paths in libtasn1.h
- adjust header pat
GIT repo for v15: https://github.com/lcp/grub2/tree/tpm2-unlock-v15
This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
Hernan Gatta to introduce the key protector framework and TPM2 stack
to GRUB2, and this could be a useful feature for the systems to
implement full disk encry
From: Daniel Axtens
We don't expect to be able to write ASN.1, only read it,
so we can disable some code.
Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and grub is smaller,
which should make updating libtasn1 easier in the future.
With these ex
From: Hernan Gatta
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector ma
From: Hernan Gatta
Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provide
As a preparation to test TPM 2.0 TSS stack with grub-emu, the new
option, --tpm-device, is introduced to specify the TPM device for
grub-emu so that grub-emu can share the emulated TPM device with
the host.
Since grub-emu can directly access the device node on host, it's easy to
implement the esse
For the tpm2 module, the TCG2 command submission function is the only
difference between the a QEMU instance and grub-emu. To test TPM key
unsealing with a QEMU instance, it requires an extra OS image to invoke
grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
CD image. On t
When using disk auto-unlocking with TPM 2.0, the typical grub.cfg may
look like this:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u -P tpm2
search --fs-uuid --set=root
Since the disk search order is based on the order of module loading, the
attacker cou
An attacker may insert a malicious disk with the same crypto UUID and
trick grub2 to mount the fake root. Even though the key from the key
protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wip
From: Daniel Axtens
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
grub-core/Makefile.core.def| 15 +++
grub-core/lib/libtasn1_wrap/wrap
From: Hernan Gatta
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the
Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with grub code.
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
docs/grub-dev.texi| 34 ++
...asn1-disable-code-not-needed-in-grub.patch
From: Hernan Gatta
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. On
From: Patrick Colp
If a protector is specified, but it fails to unlock the disk, fall back
to asking for the passphrase. However, an error was set indicating that
the protector(s) failed. Later code (e.g., LUKS code) fails as
`grub_errno` is now set. Print the existing errors out first, before
pr
From: Patrick Colp
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
Note: This only extends support on the unseal path. grub2_protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.
On Fri, May 10, 2024 at 02:35:00PM +0800, Gary Lin wrote:
> From: Hernan Gatta
>
> Add a new parameter to cryptomount to support the key protectors framework:
> -P.
> The parameter is used to automatically retrieve a key from specified key
> protectors. The parameter may be repeated to specify a
Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with grub code.
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
docs/grub-dev.texi| 34 ++
...asn1-disable-code-not-needed-in-grub.patch
From: Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is a defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
In _asn1_tag_der(), the first while loop for the long form may end up
with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun
in the second while loop. This commit tweaks the conditional check to
avoid producing a too large 'k'.
This is a quick fix and may differ from the official u
From: Daniel Axtens
Do a few things to make libtasn1 compile as part of grub:
- remove _asn1_strcat and replace strcat with the bound-checked
_asn1_str_cat except the one inside _asn1_str_cat. That strcat is
replaced with strcpy.
- adjust header paths in libtasn1.h
- adjust header pat
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuth
When using disk auto-unlocking with TPM 2.0, the typical grub.cfg may
look like this:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u -P tpm2
search --fs-uuid --set=root
Since the disk search order is based on the order of module loading, the
attacker cou
From: Hernan Gatta
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector ma
From: Hernan Gatta
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. On
From: Patrick Colp
If a protector is specified, but it fails to unlock the disk, fall back
to asking for the passphrase. However, an error was set indicating that
the protector(s) failed. Later code (e.g., LUKS code) fails as
`grub_errno` is now set. Print the existing errors out first, before
pr
From: Patrick Colp
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
Note: This only extends support on the unseal path. grub2_protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.
From: Daniel Axtens
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
grub-core/Makefile.core.def| 15 +++
grub-core/lib/libtasn1_wrap/wrap
From: Daniel Axtens
We don't expect to be able to write ASN.1, only read it,
so we can disable some code.
Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and grub is smaller,
which should make updating libtasn1 easier in the future.
With these ex
An attacker may insert a malicious disk with the same crypto UUID and
trick grub2 to mount the fake root. Even though the key from the key
protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wip
As a preparation to test TPM 2.0 TSS stack with grub-emu, the new
option, --tpm-device, is introduced to specify the TPM device for
grub-emu so that grub-emu can share the emulated TPM device with
the host.
Since grub-emu can directly access the device node on host, it's easy to
implement the esse
From: Hernan Gatta
Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provide
For the tpm2 module, the TCG2 command submission function is the only
difference between the a QEMU instance and grub-emu. To test TPM key
unsealing with a QEMU instance, it requires an extra OS image to invoke
grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
CD image. On t
GIT repo for v16: https://github.com/lcp/grub2/tree/tpm2-unlock-v16
This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
Hernan Gatta to introduce the key protector framework and TPM2 stack
to GRUB2, and this could be a useful feature for the systems to
implement full disk encry
From: Hernan Gatta
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the
Hi Vladimir,
Originally, there are only cipher, mpi, and src in the libgcrypt
directory, but the unnecessary stuff, e.g. AUTHORS, COPYING, build-aux,
tests, etc., was added and bloated the size of the patch. Could you
remove them and only keep the necessary files?
Thanks,
Gary Lin
_
On Tue, May 21, 2024 at 01:36:18PM +0300, Vladimir 'phcoder' Serbinenko wrote:
> I think at least AUTHORS and COPYING should be included.
I see the point to keep AUTHORS and COPYING but other library such
minilzo only copies the essential .c/.h files.
> Rest is for the ease of update in the futur
On Fri, May 24, 2024 at 08:30:06PM +0300, Vladimir Serbinenko wrote:
> ---
> .../lib/libgcrypt-patches/02_keccak_sse.diff | 19 +++
> 1 file changed, 19 insertions(+)
> create mode 100644 grub-core/lib/libgcrypt-patches/02_keccak_sse.diff
>
> diff --git a/grub-core/lib/libgcrypt
On Fri, May 24, 2024 at 08:30:04PM +0300, Vladimir Serbinenko wrote:
> diff --git a/conf/Makefile.common b/conf/Makefile.common
> index b8f216f6c..1fd3fc9da 100644
> --- a/conf/Makefile.common
> +++ b/conf/Makefile.common
> @@ -81,8 +81,8 @@ CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib
On Wed, Jun 05, 2024 at 05:18:32PM +0200, Daniel Kiper wrote:
> On Wed, May 15, 2024 at 01:06:55PM +0800, Gary Lin wrote:
> > From: Daniel Axtens
> >
> > We don't expect to be able to write ASN.1, only read it,
> > so we can disable some code.
> >
> > Do that with #if 0/#endif, rather than deletio
On Wed, Jun 05, 2024 at 04:45:07PM +0200, Daniel Kiper wrote:
> On Wed, May 15, 2024 at 01:06:53PM +0800, Gary Lin wrote:
> > From: Daniel Axtens
> >
> > - Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
> >SIZEOF_UNSIGNED_LONG.
> >
> > - Define WORD_BIT, the size in bits of an int. This i
On Wed, Jun 05, 2024 at 05:04:46PM +0200, Daniel Kiper wrote:
> On Wed, May 15, 2024 at 01:06:54PM +0800, Gary Lin wrote:
> > From: Daniel Axtens
> >
> > Import a very trimmed-down set of libtasn1 files:
>
> I hope you merge the latest one...
>
Yes, I updated Daniel's patch to include the latest
On Fri, Jun 07, 2024 at 04:14:54PM +0200, Daniel Kiper wrote:
> On Fri, Jun 07, 2024 at 11:07:31AM +0800, Gary Lin wrote:
> > On Wed, Jun 05, 2024 at 05:18:32PM +0200, Daniel Kiper wrote:
> > > On Wed, May 15, 2024 at 01:06:55PM +0800, Gary Lin wrote:
> > > > From: Daniel Axtens
> > > >
> > > > We
On Wed, Jun 12, 2024 at 06:10:12PM +0200, Daniel Kiper wrote:
> On Tue, Jun 11, 2024 at 03:10:56PM +0800, Gary Lin via Grub-devel wrote:
> > On Fri, Jun 07, 2024 at 04:14:54PM +0200, Daniel Kiper wrote:
> > > On Fri, Jun 07, 2024 at 11:07:31AM +0800, Gary Lin wrote:
> > >
Based on the patch from "Daniel Axtens "
We don't expect to be able to write ASN.1, only read it,
so we can disable some code.
Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and grub is smaller,
which should make updating libtasn1 easier in the fu
From: Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is a defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with grub code.
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
docs/grub-dev.texi | 33 +
1 file changed, 33 insertions(+)
diff --gi
From: Hernan Gatta
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the
Based on the patch from "Daniel Axtens "
Do a few things to make libtasn1 compile as part of grub:
- remove _asn1_strcat and replace strcat with the bound-checked
_asn1_str_cat except the one inside _asn1_str_cat. That strcat is
replaced with strcpy.
- adjust header paths in libtasn1.h
In _asn1_tag_der(), the first while loop for the long form may end up
with a 'k' value with 'ASN1_MAX_TAG_SIZE' and cause the buffer overrun
in the second while loop. This commit tweaks the conditional check to
avoid producing a too large 'k'.
This is a quick fix and may differ from the official u
From: Hernan Gatta
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector ma
When using disk auto-unlocking with TPM 2.0, the typical grub.cfg may
look like this:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u -P tpm2
search --fs-uuid --set=root
Since the disk search order is based on the order of module loading, the
attacker cou
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuth
From: Hernan Gatta
Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provide
From: Hernan Gatta
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. On
As a preparation to test TPM 2.0 TSS stack with grub-emu, the new
option, --tpm-device, is introduced to specify the TPM device for
grub-emu so that grub-emu can share the emulated TPM device with
the host.
Since grub-emu can directly access the device node on host, it's easy to
implement the esse
GIT repo for v17: https://github.com/lcp/grub2/tree/tpm2-unlock-v17
This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
Hernan Gatta to introduce the key protector framework and TPM2 stack
to GRUB2, and this could be a useful feature for the systems to
implement full disk encry
From: Daniel Axtens
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
autogen.sh | 16
grub-core/Makefile.core.def
An attacker may insert a malicious disk with the same crypto UUID and
trick grub2 to mount the fake root. Even though the key from the key
protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wip
From: Patrick Colp
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
Note: This only extends support on the unseal path. grub2_protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.
For the tpm2 module, the TCG2 command submission function is the only
difference between the a QEMU instance and grub-emu. To test TPM key
unsealing with a QEMU instance, it requires an extra OS image to invoke
grub-protect to seal the LUKS key, rather than a simple grub-shell rescue
CD image. On t
From: Patrick Colp
If a protector is specified, but it fails to unlock the disk, fall back
to asking for the passphrase. However, an error was set indicating that
the protector(s) failed. Later code (e.g., LUKS code) fails as
`grub_errno` is now set. Print the existing errors out first, before
pr
On Mon, Jun 17, 2024 at 05:12:12PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:37PM +0800, Gary Lin wrote:
> > Based on the patch from "Daniel Axtens "
> >
> > Do a few things to make libtasn1 compile as part of grub:
> >
> > - remove _asn1_strcat and replace strcat with the bound-c
On Mon, Jun 17, 2024 at 05:55:57PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:40PM +0800, Gary Lin wrote:
> > From: Daniel Axtens
> >
> > Import tests from libtasn1 that don't use functionality we don't
> > import. This test module is integrated into functional_test so that the
> >
On Mon, Jun 17, 2024 at 06:00:44PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:41PM +0800, Gary Lin wrote:
> > Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
> > Also add the patches to make libtasn1 compatible with grub code.
> >
> > Signed-off-by: Gary Lin
> >
On Mon, Jun 17, 2024 at 05:36:04PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:39PM +0800, Gary Lin wrote:
> > From: Daniel Axtens
> >
> > Create a wrapper file that specifies the module license.
> > Set up the makefile so it is built.
> >
> > Signed-off-by: Daniel Axtens
> > Signe
On Tue, Jun 18, 2024 at 03:30:03PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > From: Hernan Gatta
> >
> > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > compose and submit TPM commands and parse reponses.
> >
> > A limited
On Tue, Jun 18, 2024 at 05:41:13PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > From: Hernan Gatta
> >
> > A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
> > compose and submit TPM commands and parse reponses.
> >
> > A limited
On Wed, Jun 19, 2024 at 04:04:47PM +0200, Daniel Kiper wrote:
> On Wed, Jun 19, 2024 at 02:41:13PM +0800, Gary Lin wrote:
> > On Tue, Jun 18, 2024 at 03:30:03PM +0200, Daniel Kiper wrote:
> > > On Fri, Jun 14, 2024 at 02:45:43PM +0800, Gary Lin wrote:
> > > > From: Hernan Gatta
> > > >
> > > > A T
On Wed, Jun 19, 2024 at 06:34:13PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:44PM +0800, Gary Lin wrote:
> > From: Hernan Gatta
> >
> > The TPM2 key protector is a module that enables the automatic retrieval
> > of a fully-encrypted disk's unlocking key from a TPM 2.0.
> >
> > The
On Mon, Jun 24, 2024 at 07:28:14PM +0200, Daniel Kiper wrote:
> On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> > On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > > Hey,
> > >
> > --8<--
> > >
> > &g
Remove _asn1_strcat() and replace strcat() with the bound-checked
_asn1_str_cat() except the one inside _asn1_str_cat(). That strcat
is replaced with strcpy.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
---
...asn1-use-bound-checked-_asn1_str_cat.patch | 85 +++
1 file c
From: Hernan Gatta
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. On
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuth
From: Daniel Axtens
Create a wrapper file that specifies the module license.
Set up the makefile so it is built.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
Reviewed-by: Daniel Kiper
---
autogen.sh | 18 ++
grub-core/Makefile.core.def|
As the prepartion to support TPM2 Software Stack (TSS2), this commit
implements the TPM2 buffer handling functions to pack data for the TPM2
commands and unpack the data from the response.
Cc: Stefan Berger
Signed-off-by: Hernan Gatta
Signed-off-by: Gary Lin
---
grub-core/lib/tss2/buffer.c
From: Hernan Gatta
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector ma
This commit adds the necessary TPM2 types and structs as the preparation
for the TPM2 Software Stack (TSS2) support. The Marshal/Unmarshal
functions are also added to handle the data structure to be submitted to
TPM2 commands and to be received from the response.
Cc: Stefan Berger
Signed-off-by:
Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with grub code.
Signed-off-by: Gary Lin
Reviewed-by: Vladimir Serbinenko
---
docs/grub-dev.texi | 35 +++
1 file changed, 35 insertions(+)
diff --
From: Daniel Axtens
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
SIZEOF_UNSIGNED_LONG.
- Define WORD_BIT, the size in bits of an int. This is a defined
in the Single Unix Specification and in gnulib's limits.h. gnulib
assumes it's 32 bits on all our platforms, including 64 bit
From: Hernan Gatta
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the
Use the grub headers instead of the standard POSIX headers.
Signed-off-by: Daniel Axtens
Signed-off-by: Gary Lin
---
...djust-the-header-paths-in-libtasn1.h.patch | 32 +++
1 file changed, 32 insertions(+)
create mode 100644
grub-core/lib/libtasn1-patches/0003-libtasn1-adjust-
Do a few things to make asn1 tests compile as part of grub:
- include asn1_test.h only
- rename the main functions to the test names
- remove 'verbose' and the unnecessary printf()
- print the error messages with grub_printf()
- return either 0 or 1 to reflect the results of the tests
- repla
We don't expect to be able to write ASN.1, only read it,
so we can disable some code.
Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and grub is smaller,
which should make updating libtasn1 easier in the future.
With these exclusions we also avoid
A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
compose and submit TPM commands and parse reponses.
A limited number of TPM commands may be accessed via the EFI TCG2
protocol. This protocol exposes functionality that is primarily geared
toward TPM usage within the context of
101 - 200 of 690 matches
Mail list logo
