Re: [PATCH 0/5] Automatic TPM Disk Unlock
From: Glenn Washburn
Subject: Re: [PATCH 0/5] Automatic TPM Disk Unlock
Date: Tue, 25 Jan 2022 14:30:13 -0600
On Mon, 24 Jan 2022 06:12:13 -0800
Hernan Gatta <hegatta@linux.microsoft.com> wrote:
> This patch series adds support for automatically unlocking fully-encrypted
> disks using a TPM 2.0.
>
> Currently, when GRUB encounters a fully-encrypted disk that it must access,
> its corresponding cryptodisk module (LUKS 1, LUKS2, or GELI) interactively
> prompts the user for a passphrase. An improvement to the boot process would
> be for GRUB to automatically retrieve the unlocking key for fully-encrypted
> disks from a protected location and to unlock these transparently. To this
> end, a TPM may be used to protect the unlocking key to a known-good state of
> the platform. Once the key is protected in this way, assuming that the
> platform remains trustworthy, GRUB can then utilize the TPM to release the
> key during boot and thus unlock fully-encrypted disks without user
> interaction. Such a model would not only be more convenient for end-users
> but also for virtual machines in cloud environments where no user is ever
> present.
>
> Design
> ------
>
> This patchset first adds a key protectors framework. This framework allows
> for key protector modules to register when loaded. A key protector is
> defined as a module that knows how to retrieve an unlocking key from a
> specific source. This patchset adds a single such key protector module that
> understands how to retrieve an unlocking key from a TPM 2.0 by unsealing a
> sealed key file via a Storage Root Key (SRK).
>
> Additionally, this patchset expands the cryptomount command to accept a key
> protector parameter. This parameter carries the information necessary to
> select and parameterize a key protector to be used to retrieve an unlocking
> key for the disk in question. That is, given an invocation of cryptomount to
> mount a specific disk (e.g., "cryptomount (hd0,gpt2)", "cryptomount -u
> UUID"), a key protector can be used to automatically retrieve an unlocking
> key without an interactive prompt.
>
> Lastly, this patchset also includes a new tool, grub-protect, that allows
> the user to seal a key file against a set of Platform Configuration
> Registers (PCRs) using an SRK. This sealed key file is expected to be stored
> in an unencrypted partition, such as the EFI System Partition (ESP), where
> GRUB can read it. The sealed key is then unsealed by the TPM2 key protector
> automatically, provided that the PCRs selected match on subsequent boots.
This series should include a documentation patch at a minimum. I would
also like to see a QEMU test added. But it should use my cryptomount
test series, which hasn't made it to master yet. So this shouldn't be a
hard requirement. It would be nice for someone more familiar with
Secure boot and TPM to figure out how to get it working in QEMU so we/I
can easily add it to the tests. It looks like this should work with
the required software[1].
Glenn
[1] https://en.opensuse.org/Software_TPM_Emulator_For_QEMU
>
> Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
>
> Hernan Gatta (5):
> protectors: Add key protectors framework
> tpm2: Add TPM Software Stack (TSS)
> protectors: Add TPM2 Key Protector
> cryptodisk: Support key protectors
> util/grub-protect: Add new tool
>
> .gitignore | 1 +
> Makefile.util.def | 17 +
> configure.ac | 1 +
> grub-core/Makefile.am | 1 +
> grub-core/Makefile.core.def | 10 +
> grub-core/disk/cryptodisk.c | 21 +-
> grub-core/kern/protectors.c | 98 +++
> grub-core/tpm2/buffer.c | 145 ++++
> grub-core/tpm2/module.c | 742 ++++++++++++++++++
> grub-core/tpm2/mu.c | 807 +++++++++++++++++++
> grub-core/tpm2/tcg2.c | 143 ++++
> grub-core/tpm2/tpm2.c | 711 +++++++++++++++++
> include/grub/protector.h | 55 ++
> include/grub/tpm2/buffer.h | 65 ++
> include/grub/tpm2/internal/functions.h | 117 +++
> include/grub/tpm2/internal/structs.h | 675 ++++++++++++++++
> include/grub/tpm2/internal/types.h | 372 +++++++++
> include/grub/tpm2/mu.h | 292 +++++++
> include/grub/tpm2/tcg2.h | 34 +
> include/grub/tpm2/tpm2.h | 38 +
> util/grub-protect.c | 1344 ++++++++++++++++++++++++++++++++
> 21 files changed, 5688 insertions(+), 1 deletion(-)
> create mode 100644 grub-core/kern/protectors.c
> create mode 100644 grub-core/tpm2/buffer.c
> create mode 100644 grub-core/tpm2/module.c
> create mode 100644 grub-core/tpm2/mu.c
> create mode 100644 grub-core/tpm2/tcg2.c
> create mode 100644 grub-core/tpm2/tpm2.c
> create mode 100644 include/grub/protector.h
> create mode 100644 include/grub/tpm2/buffer.h
> create mode 100644 include/grub/tpm2/internal/functions.h
> create mode 100644 include/grub/tpm2/internal/structs.h
> create mode 100644 include/grub/tpm2/internal/types.h
> create mode 100644 include/grub/tpm2/mu.h
> create mode 100644 include/grub/tpm2/tcg2.h
> create mode 100644 include/grub/tpm2/tpm2.h
> create mode 100644 util/grub-protect.c
>
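The cover letter above describes grub-protect sealing a key file against a set of PCRs so that the TPM2 key protector can only unseal it on a later boot when those PCRs still match. The following is an added example, not code from this patch series or from GRUB: it shows in Python how a TPM 2.0 PolicyPCR authorization digest is derived from selected PCR values (the rule in TPM 2.0 Library Part 3, TPM2_PolicyPCR) and why a single changed PCR leaves the sealed key unreachable. The PCR values, the PCR choice (0 and 7) and the function names are constructed for illustration.

```python
import hashlib
from typing import Dict, Iterable

TPM_ALG_SHA256 = 0x000B        # TPM_ALG_ID for SHA-256
TPM_CC_POLICYPCR = 0x0000017F  # command code of TPM2_PolicyPCR
PCR_SELECT_BYTES = 3           # sizeofSelect for a 24-PCR bank


def marshal_pcr_selection(pcr_indices: Iterable[int], alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a TPML_PCR_SELECTION holding one bank (TPM 2.0 Part 2 canonical form)."""
    select = bytearray(PCR_SELECT_BYTES)
    for i in pcr_indices:
        select[i // 8] |= 1 << (i % 8)  # PCR n lives in byte n//8, bit n%8
    # count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect (bitmap)
    return (1).to_bytes(4, "big") + alg.to_bytes(2, "big") + bytes([PCR_SELECT_BYTES]) + bytes(select)


def pcr_composite_digest(pcr_values: Dict[int, bytes]) -> bytes:
    """digestTPM: hash of the selected PCR values concatenated in ascending index order."""
    h = hashlib.sha256()
    for i in sorted(pcr_values):
        h.update(pcr_values[i])
    return h.digest()


def policy_pcr_digest(pcr_values: Dict[int, bytes]) -> bytes:
    """policyDigest after one TPM2_PolicyPCR on a fresh trial session:
    H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM), policyDigest_old = zeros."""
    policy_old = bytes(hashlib.sha256().digest_size)
    pcrs = marshal_pcr_selection(pcr_values.keys())
    return hashlib.sha256(policy_old + TPM_CC_POLICYPCR.to_bytes(4, "big")
                          + pcrs + pcr_composite_digest(pcr_values)).digest()


def unseal_allowed(sealed_policy: bytes, boot_time_pcrs: Dict[int, bytes]) -> bool:
    """The TPM releases a sealed object only if the session's policy digest equals its authPolicy."""
    return policy_pcr_digest(boot_time_pcrs) == sealed_policy


# Constructed PCR values standing in for firmware (PCR 0) and Secure Boot state (PCR 7) measurements.
GOOD_PCRS = {
    0: hashlib.sha256(b"constructed firmware measurement").digest(),
    7: hashlib.sha256(b"constructed secure boot policy").digest(),
}
# What a sealing tool such as grub-protect would bind the sealed key to as its authPolicy.
SEALED_POLICY = policy_pcr_digest(GOOD_PCRS)
# Same platform with a changed PCR 7 (constructed, e.g. Secure Boot turned off): unsealing must fail.
TAMPERED_PCRS = {**GOOD_PCRS, 7: hashlib.sha256(b"constructed secure boot off").digest()}
```

The same digest rule is what a QEMU test with a software TPM would exercise end to end: seal with one PCR state, reboot with another, and check that the key protector reports failure rather than a key.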