On 2025-06-09 13:16, Gary Lin via Grub-devel wrote:
TPM 2.0 Key File format stores the PCR selection in the parameters
for 'TPM2_PolicyPCR' and it already contains the selected PCR bank.
Currently, "tpm2_key_protector" dumps the PCR bank specified by the
'--bank' option, which may not be the bank actually used for key unsealing.

To dump the real PCR bank for key unsealing, this commit records the PCR
bank used by 'TPM2_PolicyPCR' and dumps PCR values from that bank when
necessary.

Signed-off-by: Gary Lin <g...@suse.com>

Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>

---
 grub-core/commands/tpm2_key_protector/module.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/grub-core/commands/tpm2_key_protector/module.c
b/grub-core/commands/tpm2_key_protector/module.c
index 857f3753f..0043d8bd7 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -162,6 +162,8 @@ static tpm2_protector_context_t tpm2_protector_ctx = {0};

 static grub_command_t tpm2_dump_pcr_cmd;

+static TPM_ALG_ID_t tpm2_dump_bank;
+
 static grub_err_t
 tpm2_protector_srk_read_file (const char *filepath, void **buffer,
grub_size_t *buffer_size)
 {
@@ -654,6 +656,9 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t
session, struct grub_tpm2_buffe
   if (cmd_buf->error != 0)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal
commandPolicy for TPM2_PolicyPCR");

+  /* Record the chosen PCR bank */
+  tpm2_dump_bank = pcr_sel.pcrSelections[0].hash;
+
rc = grub_tpm2_policypcr (session, NULL, &pcr_digest, &pcr_sel, NULL);
   if (rc != TPM_RC_SUCCESS)
     return grub_error (GRUB_ERR_BAD_DEVICE, "failed to submit PCR
policy (TPM2_PolicyPCR: 0x%x)", rc);
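Review bot: The new line reads `pcr_sel.pcrSelections[0].hash` without checking the selection's `count`; the unmarshal check just above only reports a buffer error, so if the key file's TPM2_PolicyPCR parameters carry an empty PCR selection the recorded bank is whatever that array slot happens to hold, and the later dump would be run against it. Guarding the assignment, `if (pcr_sel.count > 0) tpm2_dump_bank = pcr_sel.pcrSelections[0].hash;`, keeps the `--bank` default otherwise. Only the first selection is recorded, so a policy that binds PCRs in several banks will have just its first bank dumped; the comment should say so, e.g. `/* Record the bank of the first PCR selection so a mismatch dumps the bank the policy actually uses; further banks are not reported */`. The enclosing function tpm2_protector_policypcr starts before the hunk, so where pcr_sel is unmarshaled is not visible here.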
@@ -1091,7 +1096,7 @@ tpm2_protector_key_from_buffer (const
tpm2_protector_context_t *ctx,
   if (dump_pcr == true)
     {
       grub_printf ("PCR Mismatch! Check firmware and bootloader
before typing passphrase!\n");
-      tpm2_protector_dump_pcr (ctx->bank);
+      tpm2_protector_dump_pcr (tpm2_dump_bank);
     }

  exit2:
@@ -1151,7 +1156,7 @@ tpm2_protector_load_persistent (const
tpm2_protector_context_t *ctx, TPM_HANDLE_
   if (dump_pcr == true)
     {
       grub_printf ("PCR Mismatch! Check firmware and bootloader
before typing passphrase!\n");
-      tpm2_protector_dump_pcr (ctx->bank);
+      tpm2_protector_dump_pcr (tpm2_dump_bank);
     }

  exit:
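Review bot: With the replaced call on the last changed line, the mismatch report in tpm2_protector_load_persistent is now identical to the one in tpm2_protector_key_from_buffer, and both depend on the file-scope `tpm2_dump_bank` rather than on the caller's context. A small `static void tpm2_protector_report_pcr_mismatch (void)` holding the grub_printf and the `tpm2_protector_dump_pcr (tpm2_dump_bank);` call would keep the two in step and give one place to document that the bank comes from the key file's policy when one was seen, falling back to `--bank`. This is a style point only; behaviour is unchanged. The enclosing function starts before the hunk.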
@@ -1273,6 +1278,8 @@ tpm2_protector_check_args (tpm2_protector_context_t *ctx)
   if (ctx->bank == TPM_ALG_ERROR)
     ctx->bank = TPM_ALG_SHA256;

+  tpm2_dump_bank = ctx->bank;
+
   if (ctx->pcr_count == 0)
     {
       ctx->pcrs[0] = 7;
