On Tue, Jun 10, 2025 at 03:11:27PM -0400, Stefan Berger wrote:
>
>
> On 6/9/25 3:46 AM, Gary Lin wrote:
> > Add a few more tests to seal and unseal the key with the SHA384 PCR
> > bank instead of the default SHA256 PCR bank.
> >
> > Signed-off-by: Gary Lin <g...@suse.com>
> > ---
> > tests/tpm2_key_protector_test.in | 34 +++++++++++++++++++++++++++++---
> > 1 file changed, 31 insertions(+), 3 deletions(-)
> >
> > diff --git a/tests/tpm2_key_protector_test.in
> > b/tests/tpm2_key_protector_test.in
> > index fae27f9e4..52753d191 100644
> > --- a/tests/tpm2_key_protector_test.in
> > +++ b/tests/tpm2_key_protector_test.in
> > @@ -136,16 +136,28 @@ done
> > # Export the TCTI variable for tpm2-tools
> > export TPM2TOOLS_TCTI="device:${tpm2dev}"
> > +# Check if the sha384 bank is available
> > +if [ "$(tpm2_getcap pcrs | grep sha384)" != "" ]; then
> > + with_sha384=true
> > +fi
> > +
> > # Extend PCR 0
> > tpm2_pcrextend 0:sha256=$(echo "test0" | sha256sum | cut -d ' ' -f 1) ||
> > exit 99
> > +if [ "${with_sha384}" = "true" ]; then
> > + tpm2_pcrextend 0:sha384=$(echo "test0" | sha384sum | cut -d ' ' -f 1)
> > || exit 99
> > +fi
> > # Extend PCR 1
> > tpm2_pcrextend 1:sha256=$(echo "test1" | sha256sum | cut -d ' ' -f 1) ||
> > exit 99
> > +if [ "${with_sha384}" = "true" ]; then
> > + tpm2_pcrextend 1:sha384=$(echo "test1" | sha384sum | cut -d ' ' -f 1)
> > || exit 99
> > +fi
> > tpm2_seal_unseal() {
> > srk_alg="$1"
> > handle_type="$2"
> > srk_test="$3"
> > + pcr_bank="$4"
>
> I would now adjust all existing callers to pass a 4th argument "" so that
> the number of arguments match.
>
I was thinking about minimizing the diff, but adding the 4th argument is
better in the long run.
Will fix that in v2.
Thanks,
Gary Lin
> > grub_srk_alg=${srk_alg}
> > @@ -164,13 +176,17 @@ tpm2_seal_unseal() {
> > extra_opt="${extra_opt} --tpm2-asymmetric=${srk_alg}"
> > fi
> > + if [ "${pcr_bank}" = "" ]; then
> > + pcr_bank="sha256"
> > + fi
> > +
>
> To avoid this the 4th argument should probably be "sha256" for all existing
> callers.
>
> > # Seal the password with grub-protect
> > grub-protect ${extra_opt} \
> > --tpm2-device="${tpm2dev}" \
> > --action=add \
> > --protector=tpm2 \
> > --tpm2key \
> > - --tpm2-bank=sha256 \
> > + --tpm2-bank="${pcr_bank}" \
> > --tpm2-pcrs=0,1 \
> > --tpm2-keyfile="${lukskeyfile}" \
> > --tpm2-outfile="${sealedkey}" || ret=$?
> > @@ -228,6 +244,7 @@ EOF
> > tpm2_seal_unseal_nv() {
> > handle_type="$1"
> > key_type="$2"
> > + pcr_bank="$3"
>
> Same comments here...
>
> > extra_opt=""
> > extra_grub_opt=""
> > @@ -238,10 +255,14 @@ tpm2_seal_unseal_nv() {
> > nv_index="0x81000000"
> > fi
> > + if [ "${pcr_bank}" = "" ]; then
> > + pcr_bank="sha256"
> > + fi
> > +
> ... and here.
>
> > if [ "$key_type" = "tpm2key" ]; then
> > extra_opt="--tpm2key"
> > else
> > - extra_grub_opt="--pcrs=0,1"
> > + extra_grub_opt="--pcrs=0,1 -b ${pcr_bank}"
> > fi
> > grub_cfg=${tpm2testdir}/testcase.cfg
> > @@ -251,7 +272,7 @@ tpm2_seal_unseal_nv() {
> > --tpm2-device="${tpm2dev}" \
> > --action=add \
> > --protector=tpm2 \
> > - --tpm2-bank=sha256 \
> > + --tpm2-bank="${pcr_bank}" \
> > --tpm2-pcrs=0,1 \
> > --tpm2-keyfile="${lukskeyfile}" \
> > --tpm2-nvindex="${nv_index}" || ret=$?
> > @@ -300,6 +321,9 @@ srktests+=("RSA persistent no_fallback_srk")
> > srktests+=("ECC persistent no_fallback_srk")
> > srktests+=("RSA transient fallback_srk")
> > srktests+=("ECC transient fallback_srk")
> > +if [ "${with_sha384}" = "true" ]; then
> > + srktests+=("default transient no_fallback_srk sha384")
> > +fi
> > exit_status=0
> > @@ -322,6 +346,10 @@ declare -a nvtests=()
> > nvtests+=("persistent raw")
> > nvtests+=("nvindex raw")
> > nvtests+=("nvindex tpm2key")
> > +if [ "${with_sha384}" = "true" ]; then
> > + nvtests+=("persistent raw sha384")
> > + nvtests+=("nvindex tpm2key sha384")
> > +fi
> > for i in "${!nvtests[@]}"; do
> > tpm2_seal_unseal_nv ${nvtests[$i]} || ret=$?
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
