grub-devel

[PATCH v2 0/5] Automatic TPM Disk Unlock


From: Hernan Gatta
Subject: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Tue, 1 Feb 2022 05:02:52 -0800

Updates since v1:

1. One key can unlock multiple disks:
   It is now possible to use key protectors with cryptomount's -a and -b
   options.

2. No passphrase prompt on error if key protector(s) specified:
   cryptomount no longer prompts for a passphrase if key protectors are
   specified but fail to provide a working unlock key seeing as the user
   explicitly requested unlocking via key protectors.

3. Key protector parameterization is separate:
   Previously, one would parameterize a key protector via a colon-separated
   argument list nested within a cryptomount argument. Now, key protectors are
   expected to provide an initialization function, if necessary.

   As such, instead of:

   cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...

   one now writes:

   tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
   cryptomount -k tpm2

   Additionally, one may write:

   cryptomount -k protector_1 -k protector_2 ...

   where cryptomount will try each in order on failure.

4. Standard argument parsing:
   The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect
   tool uses 'struct argp_option'. Additionally, common argument parsing
   functionality is now shared between the module and the tool.

5. More useful messages:
   Both the TPM2 module and the grub-protect tool now provide more useful
   messages to help the user learn how to use their functionality (--help and
   --usage) as well as to determine what is wrong, if anything. Furthermore, the
   module now prints additional debug output to help diagnose problems.

I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177

Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html

Thank you,
Hernan

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

 .gitignore                             |    1 +
 Makefile.util.def                      |   19 +
 configure.ac                           |    1 +
 grub-core/Makefile.am                  |    1 +
 grub-core/Makefile.core.def            |   11 +
 grub-core/disk/cryptodisk.c            |  166 +++-
 grub-core/kern/protectors.c            |   75 ++
 grub-core/tpm2/args.c                  |  129 ++++
 grub-core/tpm2/buffer.c                |  145 ++++
 grub-core/tpm2/module.c                |  710 +++++++++++++++++
 grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 ++++
 grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
 include/grub/cryptodisk.h              |   14 +
 include/grub/protector.h               |   48 ++
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/args.h      |   39 +
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++++
 include/grub/tpm2/mu.h                 |  292 +++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
 24 files changed, 5897 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c

-- 
1.8.3.1
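A grub.cfg fragment using the v2 syntax from item 3 above, as an added example that is not part of the patch series or its author's text. The keyfile path is a placeholder, and pairing the protector with an explicit passphrase fallback is an assumption about how an operator would handle the behaviour described in item 2; only the options named in the cover letter (--mode, --keyfile, --pcrs, -k, -a) are used.

```grub
# Added example (not from the patch series). The keyfile path is a
# placeholder; the options used are the ones the cover letter names.

# Parameterize the TPM2 key protector once, before any cryptomount call.
# The key is released by the TPM only while PCR 7 (Secure Boot policy
# measurements) and PCR 11 still match the values it was sealed against.
tpm2_key_protector_init --mode=srk --keyfile=(hd0,gpt1)/sealed.key --pcrs=7,11

# Try the protector against every LUKS volume. Per item 2, a protector
# failure no longer falls back to a passphrase prompt, so recovery after
# a PCR change (firmware or boot-chain update) needs an explicit second
# call without -k to bring the interactive prompt back.
if cryptomount -k tpm2 -a; then
    true
else
    echo "TPM2 unseal failed (PCR mismatch or unreadable keyfile); prompting"
    cryptomount -a
fi
```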