On 10/21/24 4:07 AM, Gary Lin wrote:
From: Hernan Gatta <hega...@linux.microsoft.com>
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the TPM2 key protector, the intended flow is for a user to have a
LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates a
new LUKS key file, say by reading /dev/urandom into a file, and creates
a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.
Sample usage:
$ dd if=/dev/urandom of=luks-key bs=1 count=32
$ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512
To seal the key with TPM 2.0 Key File (recommended):
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2key \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/efi/grub/sealed.tpm
Or, to seal the key with the raw sealed key:
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/efi/grub/sealed.key
+static grub_err_t
+protect_read_file (const char *filepath, void **buffer, size_t *buffer_size)
+{
+ grub_err_t err;
+ FILE *f;
+ long len;
+ void *buf;
+
+ f = fopen (filepath, "rb");
+ if (f == NULL)
An error message should be either printed here or the caller should
print out an error. Otherwise no error message appears at all.
+ return GRUB_ERR_FILE_NOT_FOUND;
+
+ if (fseek (f, 0, SEEK_END))
+ {
+ err = GRUB_ERR_FILE_READ_ERROR;
+ goto exit1;
+ }
+
+ len = ftell (f);
+ if (len <= 0)
+ {
+ err = GRUB_ERR_FILE_READ_ERROR;
+ goto exit1;
+ }
+
+ rewind (f);
+
+ buf = grub_malloc (len);
+ if (buf == NULL)
+ {
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ goto exit1;
+ }
+
+ if (fread (buf, len, 1, f) != 1)
+ {
+ err = GRUB_ERR_FILE_READ_ERROR;
+ goto exit2;
+ }
+
+ *buffer = buf;
+ *buffer_size = len;
+
+ buf = NULL;
+ err = GRUB_ERR_NONE;
+
+ exit2:
+ grub_free (buf);
+
+ exit1:
probably also print an error message here that something with the file
went wrong.
+ fclose (f);
+
+ return err;
+}
+
+static grub_err_t
+protect_write_file (const char *filepath, void *buffer, size_t buffer_size)
+{
+ grub_err_t err;
+ FILE *f;
+
+ f = fopen (filepath, "wb");
+ if (f == NULL)
Here the caller prints out err. Good.
+ return GRUB_ERR_FILE_NOT_FOUND;
+
+ if (fwrite (buffer, buffer_size, 1, f) != 1)
+ {
+ err = GRUB_ERR_WRITE_ERROR;
+ goto exit;
+ }
+
+ err = GRUB_ERR_NONE;
+
+ exit:
+ fclose (f);
+
+ return err;
+}
+
+grub_err_t
+grub_tcg2_get_max_output_size (grub_size_t *size)
+{
+ if (size == NULL)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ *size = GRUB_TPM2_BUFFER_CAPACITY;
+
+ return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tcg2_submit_command (grub_size_t input_size, grub_uint8_t *input,
+ grub_size_t output_size, grub_uint8_t *output)
+{
+ static const grub_size_t header_size = sizeof (grub_uint16_t) +
+ (2 * sizeof(grub_uint32_t));
+
+ if (write (protector_tpm2_fd, input, input_size) != input_size)
Also here ...
+ return GRUB_ERR_BAD_DEVICE;
+
+ if (read (protector_tpm2_fd, output, output_size) < header_size)
... and here since the (single) caller does not print an error.
+ return GRUB_ERR_BAD_DEVICE;
+
+ return GRUB_ERR_NONE;
+}
+
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
