
Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2


From: Stefan Berger
Subject: Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2
Date: Mon, 15 Apr 2024 10:26:32 -0400
User-agent: Mozilla Thunderbird



On 4/15/24 05:45, Gary Lin wrote:
> On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
>>
>> On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
>>> GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
>>>
>>> This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
>>> Hernan Gatta to introduce the key protector framework and TPM2 stack
>>> to GRUB2, and this could be a useful feature for the systems to
>>> implement full disk encryption.
>>
>> You also need to extend the documentation with the command line steps and a
>> IMO there has to be a warning for VM users that sealing to PCRs inside a VM
>> is dangerous since the next packages update may bring an update to TianoCore
>> UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
>> work then.
>
> For baremetal users, it still could happen after upgrading the firmware.

Right, but this is much rarer.

> We surely need a place to notice users this situation when using PCR
> 0~7.

PCRs 8-9 probably have to be all zeros at the time of sealing (running the
user space application for setting this up) so they have the values at the
time before grub measures kernel and initramfs, right?

> Thanks,
>
> Gary Lin
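The two points discussed in this thread, that a firmware update changes the values in PCRs 0-7 and so breaks unsealing, and that PCRs grub has not yet extended still sit at their reset value, can be made concrete by replaying a measured-boot event log offline. The following is an added example written for this archive page; it is not code from the patch series, from grub, or from tpm2-tools. It simulates the SHA-256 PCR extend operation and the policy digest that TPM2_PolicyPCR produces for a PCR selection (TPM 2.0 Part 3 update rule, TPM_CC_PolicyPCR = 0x0000017F, TPML_PCR_SELECTION marshaling). The event logs, PCR assignments and "firmware v1"/"firmware v2" strings are constructed placeholders, not real measurements.

```python
"""Added example (not from the grub patch series): replay a constructed
measured-boot event log into PCR values and derive the TPM2_PolicyPCR digest
a sealing tool would bind a LUKS key to, to show why a firmware update that
changes one measurement in PCRs 0-7 makes unsealing fail."""
import hashlib

SHA256_LEN = 32
TPM_ALG_SHA256 = 0x000B         # TPMI_ALG_HASH identifier for SHA-256
TPM_CC_POLICY_PCR = 0x0000017F  # command code of TPM2_PolicyPCR
PCR_COUNT = 24


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_value = H(current_value || measured_digest)."""
    return hashlib.sha256(current + digest).digest()


def replay_event_log(events):
    """Replay (pcr_index, event_bytes) pairs into a SHA-256 PCR bank.
    Every PCR starts at its reset value (all zeros); a PCR that no event
    touches keeps that value, which is the state Stefan asks about for 8-9."""
    pcrs = [bytes(SHA256_LEN)] * PCR_COUNT
    for index, data in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs


def marshal_pcr_selection(selected):
    """Marshal a TPML_PCR_SELECTION holding one SHA-256 TPMS_PCR_SELECTION:
    count (UINT32) || hashAlg (UINT16) || sizeofSelect (UINT8) || 3-byte bitmap."""
    bitmap = bytearray(3)
    for i in selected:
        bitmap[i // 8] |= 1 << (i % 8)
    return ((1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big")
            + bytes([len(bitmap)]) + bytes(bitmap))


def policy_pcr_digest(pcrs, selected):
    """Policy digest left by TPM2_PolicyPCR on a fresh session:
    H(zeros || TPM_CC_PolicyPCR || pcrs_selection || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(selected))).digest()
    empty_policy = bytes(SHA256_LEN)
    return hashlib.sha256(empty_policy + TPM_CC_POLICY_PCR.to_bytes(4, "big")
                          + marshal_pcr_selection(selected) + pcr_digest).digest()


def unseal_would_succeed(sealed_policy, current_pcrs, selected):
    """The TPM releases the sealed object only if the policy recomputed from
    the PCR values present at unseal time equals the one used at seal time."""
    return policy_pcr_digest(current_pcrs, selected) == sealed_policy


def pcrs_untouched(pcrs, indices):
    """True when none of the given PCRs has been extended since reset."""
    return all(pcrs[i] == bytes(SHA256_LEN) for i in indices)


# Constructed event logs (placeholders, not real firmware measurements).
# Only one event, the firmware core measured into PCR 0, differs between them.
FIRMWARE_V1_LOG = [(0, b"firmware core v1"), (4, b"grub efi binary"), (7, b"SecureBoot=1")]
FIRMWARE_V2_LOG = [(0, b"firmware core v2"), (4, b"grub efi binary"), (7, b"SecureBoot=1")]
# The same boot after grub has run commands (PCR 8) and loaded files (PCR 9).
AFTER_GRUB_LOG = FIRMWARE_V1_LOG + [(8, b"grub command: linux"), (9, b"vmlinuz")]
SEALING_PCRS = range(8)


def demo():
    sealed = policy_pcr_digest(replay_event_log(FIRMWARE_V1_LOG), SEALING_PCRS)
    print("same firmware unseals:   ", unseal_would_succeed(sealed, replay_event_log(FIRMWARE_V1_LOG), SEALING_PCRS))
    print("updated firmware unseals:", unseal_would_succeed(sealed, replay_event_log(FIRMWARE_V2_LOG), SEALING_PCRS))
    print("PCRs 8-9 zero before grub measures:", pcrs_untouched(replay_event_log(FIRMWARE_V1_LOG), [8, 9]))
    print("PCRs 8-9 zero after grub measures: ", pcrs_untouched(replay_event_log(AFTER_GRUB_LOG), [8, 9]))


if __name__ == "__main__":
    demo()
```

Running the demo shows that a single changed measurement anywhere in the selected PCRs yields a different policy digest, so a key sealed under the old firmware cannot be released under the new one; that is the failure the warning for VM (and firmware-upgrading bare-metal) users has to describe. The last two lines show the PCR 8-9 reset state holds only for a log with no grub events, which is why the values present when the user-space sealing tool runs need to be compared against what grub will have measured by the time it unseals.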


