Two bugs show up when a TPM PCR bank other than the default SHA256 PCR bank is used:
1) Key unsealing failure 2) Dumping the wrong PCR bank This patch set fixes the above two bugs and adds the tests for SHA384 PCR bank. v2: - Set the SHA256 PCR bank explicitly in tpm2_key_protector_test Gary Lin (3): grub-protect: Fix the hash algorithm of PCR digest tpm2_key_protector: Dump the PCR bank for key unsealing tests/tpm2_key_protector_test: Add tests for SHA384 PCR bank .../commands/tpm2_key_protector/module.c | 11 ++++- tests/tpm2_key_protector_test.in | 46 +++++++++++++------ util/grub-protect.c | 2 +- 3 files changed, 43 insertions(+), 16 deletions(-) Range-diff against v1: 1: 815b486ca ! 1: fc7f713fb grub-protect: Fix the hash algorithm of PCR digest @@ Commit message Ref: https://github.com/lcp/grub2/issues/4 Signed-off-by: Gary Lin <g...@suse.com> + Reviewed-by: Stefan Berger <stef...@linux.ibm.com> + Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> ## util/grub-protect.c ## @@ util/grub-protect.c: protect_tpm2_get_policy_digest (protect_args_t *args, TPM2B_DIGEST_t *digest) 2: 6e26ea23e ! 2: 7d3769fe2 tpm2_key_protector: Dump the PCR bank for key unsealing @@ Commit message necessary. Signed-off-by: Gary Lin <g...@suse.com> + Reviewed-by: Stefan Berger <stef...@linux.ibm.com> + Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> ## grub-core/commands/tpm2_key_protector/module.c ## @@ grub-core/commands/tpm2_key_protector/module.c: static tpm2_protector_context_t tpm2_protector_ctx = {0}; 3: 8bf3b04b1 ! 3: cccf03d72 tests/tpm2_key_protector_test: Add tests for SHA384 PCR bank @@ Commit message bank instead of the default SHA256 PCR bank. 
Signed-off-by: Gary Lin <g...@suse.com> + Reviewed-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> ## tests/tpm2_key_protector_test.in ## @@ tests/tpm2_key_protector_test.in: done @@ tests/tpm2_key_protector_test.in: done grub_srk_alg=${srk_alg} @@ tests/tpm2_key_protector_test.in: tpm2_seal_unseal() { - extra_opt="${extra_opt} --tpm2-asymmetric=${srk_alg}" - fi - -+ if [ "${pcr_bank}" = "" ]; then -+ pcr_bank="sha256" -+ fi -+ - # Seal the password with grub-protect - grub-protect ${extra_opt} \ - --tpm2-device="${tpm2dev}" \ --action=add \ --protector=tpm2 \ --tpm2key \ @@ tests/tpm2_key_protector_test.in: EOF extra_opt="" extra_grub_opt="" @@ tests/tpm2_key_protector_test.in: tpm2_seal_unseal_nv() { - nv_index="0x81000000" - fi - -+ if [ "${pcr_bank}" = "" ]; then -+ pcr_bank="sha256" -+ fi -+ if [ "$key_type" = "tpm2key" ]; then extra_opt="--tpm2key" else @@ tests/tpm2_key_protector_test.in: tpm2_seal_unseal_nv() { --tpm2-pcrs=0,1 \ --tpm2-keyfile="${lukskeyfile}" \ --tpm2-nvindex="${nv_index}" || ret=$? 
-@@ tests/tpm2_key_protector_test.in: srktests+=("RSA persistent no_fallback_srk") - srktests+=("ECC persistent no_fallback_srk") - srktests+=("RSA transient fallback_srk") - srktests+=("ECC transient fallback_srk") +@@ tests/tpm2_key_protector_test.in: EOF + + # Testcases for SRK mode + declare -a srktests=() +-srktests+=("default transient no_fallback_srk") +-srktests+=("RSA transient no_fallback_srk") +-srktests+=("ECC transient no_fallback_srk") +-srktests+=("RSA persistent no_fallback_srk") +-srktests+=("ECC persistent no_fallback_srk") +-srktests+=("RSA transient fallback_srk") +-srktests+=("ECC transient fallback_srk") ++srktests+=("default transient no_fallback_srk sha256") ++srktests+=("RSA transient no_fallback_srk sha256") ++srktests+=("ECC transient no_fallback_srk sha256") ++srktests+=("RSA persistent no_fallback_srk sha256") ++srktests+=("ECC persistent no_fallback_srk sha256") ++srktests+=("RSA transient fallback_srk sha256") ++srktests+=("ECC transient fallback_srk sha256") +if [ "${with_sha384}" = "true" ]; then + srktests+=("default transient no_fallback_srk sha384") +fi exit_status=0 -@@ tests/tpm2_key_protector_test.in: declare -a nvtests=() - nvtests+=("persistent raw") - nvtests+=("nvindex raw") - nvtests+=("nvindex tpm2key") +@@ tests/tpm2_key_protector_test.in: done + + # Testcases for NV index mode + declare -a nvtests=() +-nvtests+=("persistent raw") +-nvtests+=("nvindex raw") +-nvtests+=("nvindex tpm2key") ++nvtests+=("persistent raw sha256") ++nvtests+=("nvindex raw sha256") ++nvtests+=("nvindex tpm2key sha256") +if [ "${with_sha384}" = "true" ]; then + nvtests+=("persistent raw sha384") + nvtests+=("nvindex tpm2key sha384") -- 2.43.0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
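Review bot: The SHA384 coverage added at the end of this hunk is narrower than the SHA256 lists it sits beside: nvtests gains `persistent raw sha384` and `nvindex tpm2key sha384` but not `nvindex raw sha384`, and srktests exercises sha384 only with the default transient SRK, so a bank-dependent regression in the raw-key NV path or in the ECC/fallback-SRK paths would stay invisible. Unless the omission is a deliberate runtime trade-off, add `nvtests+=("nvindex raw sha384")` inside the same guard and consider one `srktests+=("ECC transient fallback_srk sha384")` case. The `with_sha384` guard also skips silently; an `else echo "SHA384 PCR bank unavailable, skipping sha384 tests"` branch keeps a skipped bank from being mistaken for a passing one. `with_sha384` is set outside this hunk, so whether it is derived from the swtpm capabilities or hard-coded cannot be judged here.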