[PATCH 00/14] Automatic Disk Unlock with TPM2
From: Gary Lin
Subject: [PATCH 00/14] Automatic Disk Unlock with TPM2
Date: Wed, 22 Feb 2023 15:00:40 +0800
The patch series "Automatic TPM Disk Unlock" posted by Hernan Gatta
introduces the key protector framework and TPM2 stack to GRUB2, and it's
a useful feature for systems to implement full disk encryption.
However, it seems the development was stalled for a while, and I'd like
to push it forward.
Patches 1~5 are Hernan Gatta's patch series (*) with a few modifications:
- Converting 8 spaces into 1 tab
- Merging the minor build fix from Michael Chang
- Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
- Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
- Rebasing "cryptodisk: Support key protectors" to the git master
To minimize the changes to Patches 1~5, the follow-up fixes (Patches 6~14)
from my colleagues and me are committed separately. Those patches fix
the problems we found while testing the original patchset.
Quote from Hernan Gatta's cover letter:
"
Updates since v1:
1. One key can unlock multiple disks:
It is now possible to use key protectors with cryptomount's -a and -b
options.
2. No passphrase prompt on error if key protector(s) specified:
cryptomount no longer prompts for a passphrase if key protectors are
specified but fail to provide a working unlock key seeing as the user
explicitly requested unlocking via key protectors.
3. Key protector parameterization is separate:
Previously, one would parameterize a key protector via a colon-separated
argument list nested within a cryptomount argument. Now, key protectors
are expected to provide an initialization function, if necessary.
As such, instead of:
cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
one now writes:
tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
cryptomount -k tpm2
Additionally, one may write:
cryptomount -k protector_1 -k protector_2 ...
where cryptomount will try each in order on failure.
4. Standard argument parsing:
The TPM2 key protector now uses 'struct grub_arg_option' and the
grub-protect tool uses 'struct argp_option'. Additionally, common
argument parsing functionality is now shared between the module and
the tool.
5. More useful messages:
Both the TPM2 module and the grub-protect tool now provide more
useful messages to help the user learn how to use their functionality
(--help and --usage) as well as to determine what is wrong, if
anything. Furthermore, the module now prints additional debug output
to help diagnose problems.
I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177
Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
"
(*) https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00006.html
Gary Lin (8):
tpm2: Don't measure the sealed key
tpm2: adjust the input parameters of TPM2_EvictControl
tpm2: declare the input arguments of TPM2 functions as const
tpm2: resend the command on TPM_RC_RETRY
tpm2: check the command parameters of TPM2 commands
tpm2: pack the missing authorization command for TPM2_PCR_Read
tpm2: allow some command parameters to be NULL
tpm2: remove the unnecessary variables
Hernan Gatta (5):
protectors: Add key protectors framework
tpm2: Add TPM Software Stack (TSS)
protectors: Add TPM2 Key Protector
cryptodisk: Support key protectors
util/grub-protect: Add new tool
Michael Chang (1):
crytodisk: fix cryptodisk module looking up
.gitignore | 1 +
Makefile.util.def | 19 +
configure.ac | 1 +
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 12 +
grub-core/disk/cryptodisk.c | 176 +++-
grub-core/kern/protectors.c | 75 ++
grub-core/tpm2/args.c | 129 +++
grub-core/tpm2/buffer.c | 145 +++
grub-core/tpm2/module.c | 710 +++++++++++++
grub-core/tpm2/mu.c | 807 +++++++++++++++
grub-core/tpm2/tcg2.c | 143 +++
grub-core/tpm2/tpm2.c | 761 ++++++++++++++
include/grub/cryptodisk.h | 14 +
include/grub/protector.h | 48 +
include/grub/tpm2/buffer.h | 65 ++
include/grub/tpm2/internal/args.h | 39 +
include/grub/tpm2/internal/functions.h | 117 +++
include/grub/tpm2/internal/structs.h | 675 ++++++++++++
include/grub/tpm2/internal/types.h | 372 +++++++
include/grub/tpm2/mu.h | 292 ++++++
include/grub/tpm2/tcg2.h | 34 +
include/grub/tpm2/tpm2.h | 38 +
util/grub-protect.c | 1314 ++++++++++++++++++++++++
24 files changed, 5955 insertions(+), 33 deletions(-)
create mode 100644 grub-core/kern/protectors.c
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/buffer.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/mu.c
create mode 100644 grub-core/tpm2/tcg2.c
create mode 100644 grub-core/tpm2/tpm2.c
create mode 100644 include/grub/protector.h
create mode 100644 include/grub/tpm2/buffer.h
create mode 100644 include/grub/tpm2/internal/args.h
create mode 100644 include/grub/tpm2/internal/functions.h
create mode 100644 include/grub/tpm2/internal/structs.h
create mode 100644 include/grub/tpm2/internal/types.h
create mode 100644 include/grub/tpm2/mu.h
create mode 100644 include/grub/tpm2/tcg2.h
create mode 100644 include/grub/tpm2/tpm2.h
create mode 100644 util/grub-protect.c
--
2.35.3