[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/5] Automatic TPM Disk Unlock

From: Hernan Gatta
Subject: Re: [PATCH 0/5] Automatic TPM Disk Unlock
Date: Thu, 27 Jan 2022 06:03:21 -0800 (PST)

On Tue, 25 Jan 2022, Glenn Washburn wrote:

On Mon, 24 Jan 2022 06:12:13 -0800
Hernan Gatta <> wrote:

This patch series adds support for automatically unlocking fully-encrypted disks
using a TPM 2.0.

Currently, when GRUB encounters a fully-encrypted disk that it must access, its
corresponding cryptodisk module (LUKS 1, LUKS2, or GELI) interactively prompts
the user for a passphrase. An improvement to the boot process would be for GRUB
to automatically retrieve the unlocking key for fully-encrypted disks from a
protected location and to unlock these transparently. To this end, a TPM may be
used to protect the unlocking key to a known-good state of the platform. Once
the key is protected in this way, assuming that the platform remains
trustworthy, GRUB can then utilize the TPM to release the key during boot and
thus unlock fully-encrypted disks without user interaction. Such a model would
not only be more convenient for end-users but also for virtual machines in cloud
environments where no user is ever present.


This patchset first adds a key protectors framework. This framework allows for
key protector modules to register when loaded. A key protector is defined as a
module that knows how to retrieve an unlocking key from a specific source. This
patchset adds a single such key protector module that understands how to
retrieve an unlocking key from a TPM 2.0 by unsealing a sealed key file via a
Storage Root Key (SRK).

Additionally, this patchset expands the cryptomount command to accept a key
protector parameter. This parameter carries the information necessary to select
and parameterize a key protector to be used to retrieve an unlocking key for the
disk in question. That is, given an invocation of cryptomount to mount a
specific disk (e.g., "cryptomount (hd0,gpt2)", "cryptomount -u UUID"), a key
protector can be used to automatically retrieve an unlocking key without an
interactive prompt.

Lastly, this patchset also includes a new tool, grub-protect, that allows the
user to seal a key file against a set of Platform Configuration Registers (PCRs)
using an SRK. This sealed key file is expected to be stored in an unencrypted
partition, such as the EFI System Partition (ESP), where GRUB can read it. The
sealed key is then unsealed by the TPM2 key protector automatically, provided
that the PCRs selected match on subsequent boots.

This series should include a documentation patch at a minimum. I would
also like to see a QEMU test added. But it should use my cryptomount
test series, which hasn't made it to master yet. So this shouldn't be a
hard requirement. It would be nice for someone more familiar with
Secure boot and TPM to figure out how to get it working in QEMU so we/I
can easily add it to the tests. It looks like this should work with
the required software[1].



Agreed. I wanted to get feedback on the feature as a whole first before writing documentation for it since, I figured, the way it functions may change as a result of your comments. Once we settle on how it should work and, more importantly, on how a user might use it (I'm thinking of James' comment on separating the cryptomount command from the configuration of a key protector), then I'll add documentation.

With respect to your comment about adding tests, it should indeed be possible to test this using QEMU and a software TPM such as swtpm. I'm happy to take a look at that.

Would it be alright for me to submit a patch series for tests separately from this series?

Signed-off-by: Hernan Gatta <>

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

 .gitignore                             |    1 +
 Makefile.util.def                      |   17 +                           |    1 +
 grub-core/                  |    1 +
 grub-core/Makefile.core.def            |   10 +
 grub-core/disk/cryptodisk.c            |   21 +-
 grub-core/kern/protectors.c            |   98 +++
 grub-core/tpm2/buffer.c                |  145 ++++
 grub-core/tpm2/module.c                |  742 ++++++++++++++++++
 grub-core/tpm2/mu.c                    |  807 +++++++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 ++++
 grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
 include/grub/protector.h               |   55 ++
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++++
 include/grub/tpm2/mu.h                 |  292 +++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1344 ++++++++++++++++++++++++++++++++
 21 files changed, 5688 insertions(+), 1 deletion(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c

Thank you,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]