On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
> On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
> > GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
> >
> > This patch series is based on "Automatic TPM Disk Unlock" (*1) posted by
> > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > to GRUB2, and this could be a useful feature for the systems to
> > implement full disk encryption.
>
> You also need to extend the documentation with the command line steps and a
> IMO there has to be a warning for VM users that sealing to PCRs inside a VM
> is dangerous since the next packages update may bring an update to TianoCore
> UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
> work then.
For baremetal users, it still could happen after upgrading the firmware.