Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked 
in at 2024-12-05 17:05:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.28523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Thu Dec  5 17:05:11 2024 rev:343 rq:1228130 version:2.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2024-11-30 
13:27:34.317020946 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new.28523/grub2.changes   2024-12-05 
17:05:15.813107651 +0100
@@ -1,0 +2,22 @@
+Tue Dec  3 07:18:32 UTC 2024 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update the TPM2 patches to the upstream final version
+  * Update 0001-key_protector-Add-key-protectors-framework.patch
+  * Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
+    grub2-add-tss2-support.patch
+  * Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
+    0001-key_protector-Add-TPM2-Key-Protector.patch
+  * Replace 0005-util-grub-protect-Add-new-tool.patch with
+    0001-util-grub-protect-Add-new-tool.patch
+  * Replace 0001-tpm2-Implement-NV-index.patch with
+    0001-tpm2_key_protector-Implement-NV-index.patch
+  * Replace 0001-tpm2-Support-authorized-policy.patch with
+    0001-tpm2_key_protector-Support-authorized-policy.patch
+- Refresh the TPM2 related patches
+  * grub-read-pcr.patch
+  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
+  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+  * safe_tpm_pcr_snapshot.patch
+  * tpm-record-pcrs.patch
+
+-------------------------------------------------------------------

Old:
----
  0001-tpm2-Implement-NV-index.patch
  0001-tpm2-Support-authorized-policy.patch
  0002-tpm2-Add-TPM-Software-Stack-TSS.patch
  0003-key_protector-Add-TPM2-Key-Protector.patch
  0005-util-grub-protect-Add-new-tool.patch

New:
----
  0001-key_protector-Add-TPM2-Key-Protector.patch
  0001-tpm2_key_protector-Implement-NV-index.patch
  0001-tpm2_key_protector-Support-authorized-policy.patch
  0001-util-grub-protect-Add-new-tool.patch
  grub2-add-tss2-support.patch



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:20.009283373 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:20.013283540 +0100
@@ -339,10 +339,10 @@
 Patch148:       0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
 Patch149:       0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
 Patch150:       0001-key_protector-Add-key-protectors-framework.patch
-Patch151:       0002-tpm2-Add-TPM-Software-Stack-TSS.patch
-Patch152:       0003-key_protector-Add-TPM2-Key-Protector.patch
+Patch151:       grub2-add-tss2-support.patch
+Patch152:       0001-key_protector-Add-TPM2-Key-Protector.patch
 Patch153:       0004-cryptodisk-Support-key-protectors.patch
-Patch154:       0005-util-grub-protect-Add-new-tool.patch
+Patch154:       0001-util-grub-protect-Add-new-tool.patch
 Patch155:       0008-linuxefi-Use-common-grub_initrd_load.patch
 Patch156:       0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
 Patch157:       0010-templates-import-etc-crypttab-to-grub.cfg.patch
@@ -356,7 +356,7 @@
 Patch165:       0004-ofpath-controller-name-update.patch
 Patch166:       0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
 Patch167:       grub2-increase-crypttab-path-buffer.patch
-Patch170:       0001-tpm2-Support-authorized-policy.patch
+Patch170:       0001-tpm2_key_protector-Support-authorized-policy.patch
 Patch171:       0001-tpm2-Add-extra-RSA-SRK-types.patch
 Patch174:       0001-clean-up-crypttab-and-linux-modules-dependency.patch
 Patch175:       0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
@@ -368,7 +368,7 @@
 Patch181:       0001-font-Try-memdisk-fonts-with-the-same-name.patch
 Patch182:       0001-Make-grub.cfg-compatible-to-old-binaries.patch
 Patch183:       grub2-change-bash-completion-dir.patch
-Patch184:       0001-tpm2-Implement-NV-index.patch
+Patch184:       0001-tpm2_key_protector-Implement-NV-index.patch
 Patch185:       0002-cryptodisk-Fallback-to-passphrase.patch
 Patch186:       0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
 Patch187:       0004-diskfilter-look-up-cryptodisk-devices-first.patch
@@ -779,7 +779,7 @@
 PXE_MODULES="tftp http"
 CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 
crypttab"
 %ifarch %{efi}
-CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tpm2 memdisk tar 
squash4 xzio blscfg"
+CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tss2 
tpm2_key_protector memdisk tar squash4 xzio blscfg"
 PXE_MODULES="${PXE_MODULES} efinet"
 %else
 CD_MODULES="${CD_MODULES} net ofnet"
@@ -877,7 +877,7 @@
     %{?sbat_generation:--sbat sbat.csv} \
     -d grub-core \
     all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt 
png reboot video \
-    fat tpm tpm2 memdisk tar squash4 xzio blscfg linux bli regexp loadenv test 
echo true sleep
+    fat tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg linux bli 
regexp loadenv test echo true sleep
 %endif
 
 %ifarch x86_64 aarch64

++++++ 0003-key_protector-Add-TPM2-Key-Protector.patch -> 
0001-key_protector-Add-TPM2-Key-Protector.patch ++++++
++++ 2171 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/grub2/0003-key_protector-Add-TPM2-Key-Protector.patch
++++ and 
/work/SRC/openSUSE:Factory/.grub2.new.28523/0001-key_protector-Add-TPM2-Key-Protector.patch

++++++ 0001-key_protector-Add-key-protectors-framework.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:20.217292084 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:20.225292418 +0100
@@ -1,7 +1,7 @@
-From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
+From 1bc53f8fc980914132040670b85a010e094559ec Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hega...@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:53 -0800
-Subject: [PATCH 1/5] key_protector: Add key protectors framework
+Subject: [PATCH] key_protector: Add key protectors framework
 
 A key protector encapsulates functionality to retrieve an unlocking key
 for a fully-encrypted disk from a specific source. A key protector
@@ -19,17 +19,18 @@
 Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
 Signed-off-by: Gary Lin <g...@suse.com>
 Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
 ---
  grub-core/Makefile.am          |  1 +
  grub-core/Makefile.core.def    |  5 +++
- grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
- include/grub/key_protector.h   | 46 ++++++++++++++++++++
- 4 files changed, 130 insertions(+)
+ grub-core/disk/key_protector.c | 73 ++++++++++++++++++++++++++++++++++
+ include/grub/key_protector.h   | 47 ++++++++++++++++++++++
+ 4 files changed, 126 insertions(+)
  create mode 100644 grub-core/disk/key_protector.c
  create mode 100644 include/grub/key_protector.h
 
 diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
-index f18550c1c..9d3d5f519 100644
+index 1eda467e0..e50db8106 100644
 --- a/grub-core/Makefile.am
 +++ b/grub-core/Makefile.am
 @@ -90,6 +90,7 @@ endif
@@ -41,10 +42,10 @@
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
  KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index bc893e547..4307b8e2d 100644
+index a38955e18..37f131ae2 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -1302,6 +1302,11 @@ module = {
+@@ -1282,6 +1282,11 @@ module = {
    common = disk/raid6_recover.c;
  };
  
@@ -58,13 +59,14 @@
    common = disk/scsi.c;
 diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
 new file mode 100644
-index 000000000..b84afe1c7
+index 000000000..0d146c1c0
 --- /dev/null
 +++ b/grub-core/disk/key_protector.c
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,73 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
++ *  Copyright (C) 2024 Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
@@ -93,16 +95,14 @@
 +grub_err_t
 +grub_key_protector_register (struct grub_key_protector *protector)
 +{
-+  if (protector == NULL || protector->name == NULL || grub_strlen 
(protector->name) == 0)
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (protector == NULL || protector->name == NULL || protector->name[0] == 
'\0')
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for 
registration");
 +
-+  if (grub_key_protectors &&
-+      grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+                          protector->name))
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (grub_key_protectors != NULL &&
++      grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), 
protector->name) != NULL)
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Key protector '%s' already 
registered", protector->name);
 +
-+  grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
-+                GRUB_AS_LIST (protector));
++  grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), GRUB_AS_LIST 
(protector));
 +
 +  return GRUB_ERR_NONE;
 +}
@@ -111,7 +111,7 @@
 +grub_key_protector_unregister (struct grub_key_protector *protector)
 +{
 +  if (protector == NULL)
-+    return GRUB_ERR_BAD_ARGUMENT;
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for 
unregistration");
 +
 +  grub_list_remove (GRUB_AS_LIST (protector));
 +
@@ -125,30 +125,27 @@
 +  struct grub_key_protector *kp = NULL;
 +
 +  if (grub_key_protectors == NULL)
-+    return GRUB_ERR_OUT_OF_RANGE;
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
 +
-+  if (protector == NULL || grub_strlen (protector) == 0)
-+    return GRUB_ERR_BAD_ARGUMENT;
++  if (protector == NULL || protector[0] == '\0')
++    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector");
 +
-+  kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
-+                           protector);
++  kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), 
protector);
 +  if (kp == NULL)
-+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
-+                     N_("A key protector with name '%s' could not be found. "
-+                        "Is the name spelled correctly and is the "
-+                        "corresponding module loaded?"), protector);
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", 
protector);
 +
 +  return kp->recover_key (key, key_size);
 +}
 diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
 new file mode 100644
-index 000000000..6e6a6fb24
+index 000000000..00b15c13d
 --- /dev/null
 +++ b/include/grub/key_protector.h
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,47 @@
 +/*
 + *  GRUB  --  GRand Unified Bootloader
 + *  Copyright (C) 2022 Microsoft Corporation
++ *  Copyright (C) 2024 Free Software Foundation, Inc.
 + *
 + *  GRUB is free software: you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License as published by
@@ -193,6 +190,6 @@
 +
 +#endif /* ! GRUB_PROTECTOR_HEADER */
 -- 
-2.35.3
+2.43.0
 
 

++++++ 0001-tpm2-Add-extra-RSA-SRK-types.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:20.285294931 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:20.289295099 +0100
@@ -1,4 +1,4 @@
-From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
+From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Thu, 25 Apr 2024 16:21:45 +0800
 Subject: [PATCH] tpm2: Add extra RSA SRK types
@@ -8,16 +8,16 @@
 
 Signed-off-by: Gary Lin <g...@suse.com>
 ---
- grub-core/tpm2/args.c   | 12 ++++++++++++
- grub-core/tpm2/module.c | 16 ++++++++++++++--
- util/grub-protect.c     |  4 ++--
+ grub-core/commands/tpm2_key_protector/args.c   | 12 ++++++++++++
+ grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
+ util/grub-protect.c                            |  4 ++--
  3 files changed, 28 insertions(+), 4 deletions(-)
 
-diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
-index c11280ab9..d140364d2 100644
---- a/grub-core/tpm2/args.c
-+++ b/grub-core/tpm2/args.c
-@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
+diff --git a/grub-core/commands/tpm2_key_protector/args.c 
b/grub-core/commands/tpm2_key_protector/args.c
+index 48c39de01..b291793a7 100644
+--- a/grub-core/commands/tpm2_key_protector/args.c
++++ b/grub-core/commands/tpm2_key_protector/args.c
+@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
        srk_type->type = TPM_ALG_RSA;
        srk_type->detail.rsa_bits = 2048;
      }
@@ -34,13 +34,13 @@
 +      srk_type->detail.rsa_bits = 4096;
 +    }
    else
-     return grub_error (GRUB_ERR_OUT_OF_RANGE,
-                      N_("Value '%s' is not a valid asymmetric key type"),
-diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index b754b38df..8b72ed6fa 100644
---- a/grub-core/tpm2/module.c
-+++ b/grub-core/tpm2/module.c
-@@ -136,8 +136,8 @@ static const struct grub_arg_option 
grub_tpm2_protector_init_cmd_options[] =
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid 
asymmetric key type"), value);
+ 
+diff --git a/grub-core/commands/tpm2_key_protector/module.c 
b/grub-core/commands/tpm2_key_protector/module.c
+index 74e79a545..ee16d7f15 100644
+--- a/grub-core/commands/tpm2_key_protector/module.c
++++ b/grub-core/commands/tpm2_key_protector/module.c
+@@ -138,8 +138,8 @@ static const struct grub_arg_option 
tpm2_protector_init_cmd_options[] =
        .arg      = NULL,
        .type     = ARG_TYPE_STRING,
        .doc      =
@@ -51,18 +51,18 @@
      },
      /* NV Index-mode options */
      {
-@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
-       {
-         case 2048:
-           return "RSA2048";
-+        case 3072:
-+          return "RSA3072";
-+        case 4096:
-+          return "RSA4096";
-       }
-    }
+@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
+     return "ECC_NIST_P256";
+   else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
+     return "RSA2048";
++  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
++    return "RSA3072";
++  else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
++    return "RSA4096";
  
-@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct 
grub_tpm2_protector_context *ctx,
+   return "Unknown";
+ }
+@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t 
*ctx,
        .type = TPM_ALG_ECC,
        .detail.ecc_curve = TPM_ECC_NIST_P256,
      },
@@ -78,21 +78,21 @@
        .type = TPM_ALG_RSA,
        .detail.rsa_bits = 2048,
 diff --git a/util/grub-protect.c b/util/grub-protect.c
-index 869f45861..00be03ca0 100644
+index 5b7e952f4..f1108f2c5 100644
 --- a/util/grub-protect.c
 +++ b/util/grub-protect.c
-@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
+@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
        .arg   = "TYPE",
        .flags = 0,
        .doc   =
--      N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
+-      N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
 -         "(default: ECC)"),
-+      N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
++      N_("Set the type of SRK: RSA (RSA2048),  RSA3072, RSA4096, "
 +         "and ECC (ECC_NIST_P256). (default: ECC)"),
        .group = 0
      },
      {
 -- 
-2.35.3
+2.43.0
 
 
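Review bot: The new help text `N_("Set the type of SRK: RSA (RSA2048),  RSA3072, RSA4096, "` carries a doubled space after the comma, which is presumably emitted verbatim by argp in `grub-protect --help` since it is the option's `.doc` field; collapse it to `N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "`. The old line being replaced had the single space, so this looks like a slip while rewording rather than an intended change. The enclosing `protect_options[]` initializer starts and ends outside the hunk.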

++++++ 0001-tpm2_key_protector-Implement-NV-index.patch ++++++
>From 53e24662523d033ae3506b73787b972ef332db36 Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.c...@oracle.com>
Date: Mon, 31 Jul 2023 07:01:45 -0700
Subject: [PATCH] tpm2_key_protector: Implement NV index

Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.

Note: This only extends support on the unseal path. grub-protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.

An example of inserting a key using tpm2-tools:

  # Get random key.
  tpm2_getrandom 32 > key.dat

  # Create primary object.
  tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx

  # Create policy object. `pcrs.dat` contains the PCR values to seal against.
  tpm2_startauthsession -S session.dat
  tpm2_policypcr -S session.dat -l sha256:7,11 -f pcrs.dat -L policy.dat
  tpm2_flushcontext session.dat

  # Seal key into TPM.
  cat key.dat | tpm2_create -C primary.ctx -u key.pub -r key.priv -L policy.dat 
-i-
  tpm2_load -C primary.ctx -u key.pub -r key.priv -n sealing.name -c sealing.ctx
  tpm2_evictcontrol -C o -c sealing.ctx 0x81000000

Then to unseal the key in grub, add this to grub.cfg:

  tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=7,11
  cryptomount -u <UUID> --protector tpm2

Signed-off-by: Patrick Colp <patrick.c...@oracle.com>
Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 .../commands/tpm2_key_protector/module.c      | 23 +++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/grub-core/commands/tpm2_key_protector/module.c 
b/grub-core/commands/tpm2_key_protector/module.c
index 6b4b5d460..74e79a545 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -973,11 +973,26 @@ tpm2_protector_srk_recover (const 
tpm2_protector_context_t *ctx,
 }
 
 static grub_err_t
-tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx __attribute__ 
((unused)),
-                          grub_uint8_t **key __attribute__ ((unused)),
-                          grub_size_t *key_size __attribute__ ((unused)))
+tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx,
+                          grub_uint8_t **key, grub_size_t *key_size)
 {
-  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "NV Index mode is not 
implemented yet");
+  TPM_HANDLE_t sealed_handle = ctx->nv;
+  tpm2key_policy_t policy_seq = NULL;
+  grub_err_t err;
+
+  /* Create a basic policy sequence based on the given PCR selection */
+  err = tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+  if (err != GRUB_ERR_NONE)
+    goto exit;
+
+  err = tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
+
+ exit:
+  grub_tpm2_flushcontext (sealed_handle);
+
+  grub_tpm2key_free_policy_seq (policy_seq);
+
+  return err;
 }
 
 static grub_err_t
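Review bot: `grub_tpm2_flushcontext (sealed_handle)` on the `exit:` path flushes `ctx->nv`, which per the commit message's example (`tpm2_evictcontrol -C o -c sealing.ctx 0x81000000`) is a persistent handle; TPM2_FlushContext accepts only transient objects and sessions, so this call presumably fails with TPM_RC_HANDLE and its return value is silently discarded. It is also reached when `tpm2_protector_simple_policy_seq` fails before anything has been loaded into the TPM. Either drop the call, or keep it deliberately and say why, e.g. `/* ctx->nv is a persistent handle; the flush is a no-op kept for symmetry with the SRK path */`. The function `tpm2_protector_nv_recover` is fully within the hunk, but the SRK path it mirrors is not visible here.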
-- 
2.43.0


++++++ 0001-tpm2_key_protector-Support-authorized-policy.patch ++++++
>From 7ef1b9b357c803cb8e30bbbebd44494b2b5c9d09 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH] tpm2_key_protector: Support authorized policy

This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.

TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
digest is hashed with the hash algorithm written in 'signature', and then
'signature' is verified with the hashed policy digest and 'pubkey'. Once
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
signed policy.

To create the key file with authorized policy, here are the pcr-oracle(*2)
commands:

  # Generate the RSA key and create the authorized policy file
  $ pcr-oracle \
        --rsa-generate-key \
        --private-key policy-key.pem \
        --auth authorized.policy \
        create-authorized-policy 0,2,4,7,9

  # Seal the secret with the authorized policy
  $ pcr-oracle \
        --key-format tpm2.0 \
        --auth authorized.policy \
        --input disk-secret.txt \
        --output sealed.key \
        seal-secret

  # Sign the predicted PCR policy
  $ pcr-oracle \
        --key-format tpm2.0 \
        --private-key policy-key.pem \
        --from eventlog \
        --stop-event "grub-file=grub.cfg" \
        --after \
        --input sealed.key \
        --output /boot/efi/efi/grub/sealed.tpm \
        sign 0,2,4,7,9

Then specify the key file and the key protector to grub.cfg in the EFI
system partition:

tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
cryptomount -u <PART_UUID> -P tpm2

For any change in the boot components, just run the 'sign' command again
to update the signature in sealed.tpm, and TPM can unseal the key file
with the updated PCR policy.

(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
(*2) https://github.com/okirch/pcr-oracle

Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 .../commands/tpm2_key_protector/module.c      | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/grub-core/commands/tpm2_key_protector/module.c 
b/grub-core/commands/tpm2_key_protector/module.c
index 70d4d0df7..6b4b5d460 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -618,6 +618,73 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, 
struct grub_tpm2_buffe
   return GRUB_ERR_NONE;
 }
 
+static grub_err_t
+tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct 
grub_tpm2_buffer *cmd_buf)
+{
+  TPM2B_PUBLIC_t pubkey;
+  TPM2B_DIGEST_t policy_ref;
+  TPMT_SIGNATURE_t signature;
+  TPM2B_DIGEST_t pcr_policy;
+  TPM2B_DIGEST_t pcr_policy_hash;
+  TPMI_ALG_HASH_t sig_hash;
+  TPMT_TK_VERIFIED_t verification_ticket;
+  TPM_HANDLE_t pubkey_handle = 0;
+  TPM2B_NAME_t pubname;
+  TPM_RC_t rc;
+  grub_err_t err;
+
+  grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
+  grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
+  grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
+  if (cmd_buf->error != 0)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal the buffer 
for TPM2_PolicyAuthorize");
+
+  /* Retrieve Policy Digest */
+  rc = grub_tpm2_policygetdigest (session, NULL, &pcr_policy, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to get policy digest 
(TPM2_PolicyGetDigest: 0x%x).", rc);
+
+  /* Calculate the digest of the polcy for VerifySignature */
+  sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
+  if (sig_hash == TPM_ALG_NULL)
+    return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to get the hash 
algorithm of the signature");
+
+  rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, sig_hash,
+                      TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to create PCR policy hash 
(TPM2_Hash: 0x%x)", rc);
+
+  /* Load the public key */
+  rc = grub_tpm2_loadexternal (NULL, NULL, &pubkey, TPM_RH_OWNER, 
&pubkey_handle, &pubname, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    return grub_error (GRUB_ERR_BAD_DEVICE, "failed to load public key 
(TPM2_LoadExternal: 0x%x)", rc);
+
+  /* Verify the signature against the public key and the policy digest */
+  rc = grub_tpm2_verifysignature (pubkey_handle, NULL, &pcr_policy_hash, 
&signature,
+                                 &verification_ticket, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to verify signature 
(TPM2_VerifySignature: 0x%x)", rc);
+      goto error;
+    }
+
+  /* Authorize the signed policy with the public key and the verification 
ticket */
+  rc = grub_tpm2_policyauthorize (session, NULL, &pcr_policy, &policy_ref, 
&pubname,
+                                 &verification_ticket, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to authorize PCR policy 
(TPM2_PolicyAuthorize: 0x%x)", rc);
+      goto error;
+    }
+
+  err = GRUB_ERR_NONE;
+
+ error:
+  grub_tpm2_flushcontext (pubkey_handle);
+
+  return err;
+}
+
 static grub_err_t
 tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t 
session)
 {
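Review bot: `tpm2_protector_policyauthorize` loads `pubkey` straight out of the key file's command buffer, i.e. from the unencrypted boot partition the commit message points at, and nothing in the hunk records why an attacker-supplied key cannot authorize an arbitrary policy; a comment before `grub_tpm2_loadexternal`, e.g. `/* pubkey comes from the untrusted key file: TPM2_PolicyAuthorize folds its name into the session policy digest, so a substituted key can never reproduce the sealed object's authPolicy */`, would spare the next reader the analysis. Two smaller nits in the same function: the comment `/* Calculate the digest of the polcy for VerifySignature */` misspells "policy", and the TPM2_PolicyGetDigest message ends with a period while the other `grub_error` strings in the function do not. The `(TPM2B_MAX_BUFFER_t *) &pcr_policy` cast relies on the two TPM2B types sharing a size-prefixed layout; if the build does not disable strict aliasing this deserves a comment or a copy into a real `TPM2B_MAX_BUFFER_t`.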
@@ -636,6 +703,9 @@ tpm2_protector_enforce_policy (tpm2key_policy_t policy, 
TPMI_SH_AUTH_SESSION_t s
     case TPM_CC_PolicyPCR:
       err = tpm2_protector_policypcr (session, &buf);
       break;
+    case TPM_CC_PolicyAuthorize:
+      err = tpm2_protector_policyauthorize (session, &buf);
+      break;
     default:
       return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown TPM Command: 0x%x", 
policy->cmd_code);
     }
-- 
2.43.0


++++++ 0005-util-grub-protect-Add-new-tool.patch -> 
0001-util-grub-protect-Add-new-tool.patch ++++++
++++ 1685 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/grub2/0005-util-grub-protect-Add-new-tool.patch
++++ and 
/work/SRC/openSUSE:Factory/.grub2.new.28523/0001-util-grub-protect-Add-new-tool.patch


++++++ grub-read-pcr.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:20.861319053 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:20.889320226 +0100
@@ -1,5 +1,7 @@
---- a/include/grub/tpm.h
-+++ b/include/grub/tpm.h
+Index: grub-2.12/include/grub/tpm.h
+===================================================================
+--- grub-2.12.orig/include/grub/tpm.h
++++ grub-2.12/include/grub/tpm.h
 @@ -36,6 +36,12 @@
  
  #define EV_IPL 0x0d
@@ -13,7 +15,7 @@
  grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
                             grub_uint8_t pcr, const char *description);
  int grub_tpm_present (void);
-@@ -45,5 +51,7 @@
+@@ -45,5 +51,7 @@ grub_is_tpm_fail_fatal (void)
  {
    return grub_env_get_bool ("tpm_fail_fatal", false);
  }
@@ -21,29 +23,32 @@
 +void grub_tpm_digest_free (struct grub_tpm_digest *d);
  
  #endif
---- a/grub-core/commands/efi/tpm.c
-+++ b/grub-core/commands/efi/tpm.c
-@@ -24,6 +24,7 @@
- #include <grub/efi/efi.h>
- #include <grub/efi/cc.h>
- #include <grub/efi/tpm.h>
-+#include <grub/tpm2/tpm2.h>
- #include <grub/mm.h>
+Index: grub-2.12/grub-core/commands/efi/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/efi/tpm.c
++++ grub-2.12/grub-core/commands/efi/tpm.c
+@@ -28,6 +28,8 @@
  #include <grub/tpm.h>
  #include <grub/term.h>
-@@ -186,6 +187,91 @@
+ 
++#include <tpm2_cmd.h>
++
+ typedef TCG_PCR_EVENT grub_tpm_event_t;
+ 
+ static grub_guid_t tpm_guid = EFI_TPM_GUID;
+@@ -186,6 +188,91 @@ grub_tpm1_log_event (grub_efi_handle_t t
    return grub_efi_log_event_status (status);
  }
  
 +static void
-+grub_tpm2_select_pcr(TPML_PCR_SELECTION *o, unsigned int pcrIndex, unsigned 
int algo)
++grub_tpm2_select_pcr (TPML_PCR_SELECTION_t *o, unsigned int pcrIndex, 
unsigned int algo)
 +{
-+  TPMS_PCR_SELECTION *pcr;
++  TPMS_PCR_SELECTION_t *pcr;
 +
 +  pcr = &o->pcrSelections[o->count++];
 +  pcr->hash = algo;
 +  pcr->sizeOfSelect = 3;
-+  pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
++  TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
 +}
 +
 +struct grub_tpm_hash_info {
@@ -77,10 +82,10 @@
 +grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct 
grub_tpm_digest **ret)
 +{
 +  const struct grub_tpm_hash_info *info;
-+  TPML_PCR_SELECTION inSelection, outSelection;
++  TPML_PCR_SELECTION_t inSelection, outSelection;
 +  grub_uint32_t pcrUpdateCounter;
-+  TPML_DIGEST digests = { 0 };
-+  TPM2B_DIGEST *d;
++  TPML_DIGEST_t digests = { 0 };
++  TPM2B_DIGEST_t *d;
 +  struct grub_tpm_digest *result;
 +  int rc;
 +
@@ -92,7 +97,7 @@
 +  grub_memset(&outSelection, 0, sizeof(outSelection));
 +  grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
 +
-+  rc = TPM2_PCR_Read(
++  rc = grub_tpm2_pcr_read(
 +      NULL,
 +      &inSelection,
 +      &pcrUpdateCounter,
@@ -123,7 +128,7 @@
  static grub_err_t
  grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
                     grub_size_t size, grub_uint8_t pcr,
-@@ -323,3 +409,26 @@
+@@ -323,3 +410,26 @@ grub_tpm_present (void)
        return grub_tpm2_present (tpm);
      }
  }
@@ -150,17 +155,16 @@
 +
 +  return result;
 +}
---- a/include/grub/tpm2/tpm2.h
-+++ b/include/grub/tpm2/tpm2.h
-@@ -23,6 +23,10 @@
- #include <grub/tpm2/internal/structs.h>
- #include <grub/tpm2/internal/functions.h>
- 
-+/* Defined in: TCG TPM Specification, v1.59, Part 2, Section 10.6.1. */
-+#define TPM2_PCR_TO_SELECT(x)  ((x) / 8)
-+#define TPM2_PCR_TO_BIT(x)     (1 << ((x) % 8))
-+
- /* Well-Known Windows SRK handle */
- #define TPM2_SRK_HANDLE 0x81000001
+Index: grub-2.12/grub-core/Makefile.core.def
+===================================================================
+--- grub-2.12.orig/grub-core/Makefile.core.def
++++ grub-2.12/grub-core/Makefile.core.def
+@@ -2606,6 +2606,7 @@ module = {
+   common = commands/tpm.c;
+   efi = commands/efi/tpm.c;
+   enable = efi;
++  cppflags = '-I$(srcdir)/lib/tss2';
+ };
  
+ module = {
 

++++++ grub2-add-tss2-support.patch ++++++
++++ 4587 lines (skipped)

++++++ grub2-bsc1220338-key_protector-implement-the-blocklist.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:21.225334297 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:21.257335637 +0100
@@ -1,4 +1,4 @@
-From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
+From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Mon, 18 Mar 2024 14:53:11 +0800
 Subject: [PATCH] key_protector: implement the blocklist
@@ -15,11 +15,11 @@
  include/grub/efi/api.h         |  5 +++++
  2 files changed, 36 insertions(+)
 
-diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
-index b84afe1c7..3d630ca4f 100644
---- a/grub-core/disk/key_protector.c
-+++ b/grub-core/disk/key_protector.c
-@@ -24,6 +24,10 @@
+Index: grub-2.12/grub-core/disk/key_protector.c
+===================================================================
+--- grub-2.12.orig/grub-core/disk/key_protector.c
++++ grub-2.12/grub-core/disk/key_protector.c
+@@ -25,6 +25,10 @@
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
@@ -30,7 +30,7 @@
  struct grub_key_protector *grub_key_protectors = NULL;
  
  grub_err_t
-@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector 
*protector)
+@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
    return GRUB_ERR_NONE;
  }
  
@@ -64,10 +64,10 @@
 +  grub_err_t err;
  
    if (grub_key_protectors == NULL)
-     return GRUB_ERR_OUT_OF_RANGE;
-@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, 
grub_uint8_t **key,
-                         "Is the name spelled correctly and is the "
-                         "corresponding module loaded?"), protector);
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
+@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
+   if (kp == NULL)
+     return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", 
protector);
  
 +  err = grub_key_protector_check_blocklist ();
 +  if (err != GRUB_ERR_NONE)
@@ -75,10 +75,10 @@
 +
    return kp->recover_key (key, key_size);
  }
-diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
-index 7947cf592..975b90b09 100644
---- a/include/grub/efi/api.h
-+++ b/include/grub/efi/api.h
+Index: grub-2.12/include/grub/efi/api.h
+===================================================================
+--- grub-2.12.orig/include/grub/efi/api.h
++++ grub-2.12/include/grub/efi/api.h
 @@ -389,6 +389,11 @@
        { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
    }
@@ -91,7 +91,4 @@
  struct grub_efi_sal_system_table
  {
    grub_uint32_t signature;
--- 
-2.35.3
-
 


++++++ safe_tpm_pcr_snapshot.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:23.965449044 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:23.997450384 +0100
@@ -3,20 +3,21 @@
  util/grub-install.c      |    6 ++++--
  2 files changed, 40 insertions(+), 12 deletions(-)
 
---- a/grub-core/commands/tpm.c
-+++ b/grub-core/commands/tpm.c
-@@ -27,8 +27,10 @@
+Index: grub-2.12/grub-core/commands/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/tpm.c
++++ grub-2.12/grub-core/commands/tpm.c
+@@ -27,7 +27,9 @@
  #include <grub/verify.h>
  #include <grub/dl.h>
  #include <grub/extcmd.h>
 +#ifdef GRUB_MACHINE_EFI
- #include <grub/tpm2/tpm2.h>
  #include <grub/efi/efi.h>
 +#endif
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -97,12 +99,6 @@
+@@ -96,12 +98,6 @@ struct grub_file_verifier grub_tpm_verif
    .verify_string = grub_tpm_verify_string,
  };
  
@@ -29,7 +30,7 @@
  static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
    {
      {
-@@ -118,6 +114,14 @@
+@@ -117,6 +113,14 @@ static const struct grub_arg_option grub
      {0, 0, 0, 0, 0, 0}
    };
  
@@ -44,7 +45,7 @@
  static grub_err_t
  grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned 
int *index)
  {
-@@ -269,6 +273,10 @@
+@@ -268,6 +272,10 @@ grub_tpm_record_pcrs (grub_extcmd_contex
    grub_size_t size = 0;
    int n, rv = 1;
  
@@ -55,7 +56,7 @@
    if (argc == 0)
      pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
    else
-@@ -297,6 +305,18 @@
+@@ -296,6 +304,18 @@ out:
    return rv;
  }
  
@@ -74,9 +75,11 @@
  static grub_extcmd_t cmd;
  
  GRUB_MOD_INIT (tpm)
---- a/util/grub-install.c
-+++ b/util/grub-install.c
-@@ -1560,8 +1560,9 @@
+Index: grub-2.12/util/grub-install.c
+===================================================================
+--- grub-2.12.orig/util/grub-install.c
++++ grub-2.12/util/grub-install.c
+@@ -1574,8 +1574,9 @@ main (int argc, char *argv[])
  
    grub_util_unlink (load_cfg);
  
@@ -87,7 +90,7 @@
        load_cfg_f = grub_util_fopen (load_cfg, "wb");
        have_load_cfg = 1;
        fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
-@@ -1569,7 +1570,8 @@
+@@ -1583,7 +1584,8 @@ main (int argc, char *argv[])
  
    if (debug_image && debug_image[0])
      {

++++++ tpm-record-pcrs.patch ++++++
--- /var/tmp/diff_new_pack.QBoIHh/_old  2024-12-05 17:05:24.145456582 +0100
+++ /var/tmp/diff_new_pack.QBoIHh/_new  2024-12-05 17:05:24.173457755 +0100
@@ -1,16 +1,17 @@
---- a/grub-core/commands/tpm.c
-+++ b/grub-core/commands/tpm.c
-@@ -26,6 +26,9 @@
+Index: grub-2.12/grub-core/commands/tpm.c
+===================================================================
+--- grub-2.12.orig/grub-core/commands/tpm.c
++++ grub-2.12/grub-core/commands/tpm.c
+@@ -26,6 +26,8 @@
  #include <grub/term.h>
  #include <grub/verify.h>
  #include <grub/dl.h>
 +#include <grub/extcmd.h>
-+#include <grub/tpm2/tpm2.h>
 +#include <grub/efi/efi.h>
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -94,8 +97,214 @@
+@@ -94,8 +96,214 @@ struct grub_file_verifier grub_tpm_verif
    .verify_string = grub_tpm_verify_string,
  };
  
@@ -225,7 +226,7 @@
    /*
     * Even though this now calls ibmvtpm's grub_tpm_present() from 
GRUB_MOD_INIT(),
     * it does seem to call it late enough in the initialization sequence so
-@@ -109,6 +318,7 @@
+@@ -109,6 +317,7 @@ GRUB_MOD_INIT (tpm)
  
  GRUB_MOD_FINI (tpm)
  {
