The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new 'tpm2_dump_pcr' command is added to print all PCRs of the specified bank.
Also update the document for the new command. Signed-off-by: Gary Lin <g...@suse.com> Tested-by: Stefan Berger <stef...@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> --- docs/grub.texi | 13 +++++++ .../commands/tpm2_key_protector/module.c | 35 +++++++++++++++++++ 2 files changed, 48 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index d9b26fa36..54d3ab52f 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6488,6 +6488,7 @@ you forget a command, you can run the command @command{help}
 * test:: Check file types and compare values
 * tpm2_key_protector_init:: Initialize the TPM2 key protector
 * tpm2_key_protector_clear:: Clear the TPM2 key protector
+* tpm2_dump_pcr:: Dump TPM2 PCRs
 * true:: Do nothing, successfully
 * trust:: Add public key to list of trusted keys
 * unset:: Unset an environment variable
@@ -8104,6 +8105,18 @@ key and unseal it with the given PCR list and bank.
 Clear the TPM2 key protector if previously initialized.
 @end deffn
 
+@node tpm2_dump_pcr
+@subsection tpm2_dump_pcr
+
+@deffn Command tpm2_dump_pcr [@var{bank}]
+Print all PCRs of the specified TPM 2.0 @var{bank}. The supported banks are
+@samp{sha1}, @samp{sha256}, @samp{sha384}, and @samp{sha512}. If @var{bank}
+is not specified, @samp{sha256} is chosen by default.
+
+Since GRUB measures every command into PCR 8, invoking @command{tpm2_dump_pcr}
+also extends PCR 8, so PCR 8 will not be a stable value in GRUB shell.
+@end deffn
+
 @node true
 @subsection true
 
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index d5e530f77..0a5d81e4c 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -160,6 +160,8 @@ static grub_extcmd_t tpm2_protector_init_cmd;
 static grub_extcmd_t tpm2_protector_clear_cmd;
 static tpm2_protector_context_t tpm2_protector_ctx = {0};
 
+static grub_command_t tpm2_dump_pcr_cmd;
+
 static grub_err_t
 tpm2_protector_srk_read_file (const char *filepath, void **buffer, grub_size_t *buffer_size)
 {
@@ -1315,6 +1317,33 @@ static struct grub_key_protector tpm2_key_protector =
     .recover_key = tpm2_protector_recover_key
 };
 
+static grub_err_t
+tpm2_dump_pcr (grub_command_t cmd __attribute__((__unused__)),
+               int argc, char *argv[])
+{
+  TPM_ALG_ID_t pcr_bank;
+
+  if (argc == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha1") == 0)
+    pcr_bank = TPM_ALG_SHA1;
+  else if (grub_strcmp (argv[0], "sha256") == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha384") == 0)
+    pcr_bank = TPM_ALG_SHA384;
+  else if (grub_strcmp (argv[0], "sha512") == 0)
+    pcr_bank = TPM_ALG_SHA512;
+  else
+    {
+      grub_printf ("Unknown PCR bank\n");
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  tpm2_protector_dump_pcr (pcr_bank);
+
+  return GRUB_ERR_NONE;
+}
+
 GRUB_MOD_INIT (tpm2_key_protector)
 {
   tpm2_protector_init_cmd =
@@ -1336,6 +1365,10 @@ GRUB_MOD_INIT (tpm2_key_protector)
                          N_("Clear the TPM2 key protector if previously initialized."),
                          NULL);
   grub_key_protector_register (&tpm2_key_protector);
+
+  tpm2_dump_pcr_cmd =
+    grub_register_command ("tpm2_dump_pcr", tpm2_dump_pcr, N_("Dump TPM2 PCRs"),
+                           N_("Print all PCRs of the specified TPM 2.0 bank"));
 }
 
 GRUB_MOD_FINI (tpm2_key_protector)
@@ -1345,4 +1378,6 @@ GRUB_MOD_FINI (tpm2_key_protector)
   grub_key_protector_unregister (&tpm2_key_protector);
   grub_unregister_extcmd (tpm2_protector_clear_cmd);
   grub_unregister_extcmd (tpm2_protector_init_cmd);
+
+  grub_unregister_command (tpm2_dump_pcr_cmd);
 }
-- 2.43.0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
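Review bot: The unknown-bank branch of tpm2_dump_pcr prints with grub_printf and then returns a bare GRUB_ERR_BAD_ARGUMENT, which does not set grub_errno and leaves the message untranslated even though the registration strings in the GRUB_MOD_INIT hunk are wrapped in N_(); the usual GRUB form is `return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("unknown PCR bank"));`. Trailing arguments are silently ignored, so `tpm2_dump_pcr sha256 extra` is accepted as if it were valid; rejecting `argc > 1` the same way would catch typos in the shell. The result of tpm2_protector_dump_pcr (pcr_bank) is discarded and GRUB_ERR_NONE returned unconditionally; if that helper, which is defined outside this hunk, reports TPM failures through grub_err_t, its value should be propagated instead. The sha1/sha256/sha384/sha512 name table presumably duplicates the parser behind tpm2_key_protector_init's bank option (also outside this hunk), and sharing one lookup would keep the two lists from drifting when a bank is added.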