From: Hernan Gatta <hegatta@linux.microsoft.com>
To: grub-devel@gnu.org
Cc: shkhisti@microsoft.com, jaskaran.khurana@microsoft.com,
christopher.co@microsoft.com, daniel.mihai@microsoft.com,
rharwood@redhat.com, jaredz@redhat.com,
development@efficientek.com, jejb@linux.ibm.com
Subject: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Tue, 1 Feb 2022 05:02:52 -0800
Message-ID: <1643720577-22911-1-git-send-email-hegatta@linux.microsoft.com>
Updates since v1:
1. One key can unlock multiple disks:
   It is now possible to use key protectors with cryptomount's -a and -b
   options.
2. No passphrase prompt on error if key protector(s) specified:
   cryptomount no longer prompts for a passphrase if key protectors are
   specified but fail to provide a working unlock key, seeing as the user
   explicitly requested unlocking via key protectors.
3. Key protector parameterization is separate:
   Previously, one would parameterize a key protector via a colon-separated
   argument list nested within a cryptomount argument. Now, key protectors are
   expected to provide an initialization function, if necessary.
   As such, instead of:
       cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
   one now writes:
       tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
       cryptomount -k tpm2
   Additionally, one may write:
       cryptomount -k protector_1 -k protector_2 ...
   where cryptomount will try each in order on failure.
4. Standard argument parsing:
   The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect
   tool uses 'struct argp_option'. Additionally, common argument parsing
   functionality is now shared between the module and the tool.
5. More useful messages:
   Both the TPM2 module and the grub-protect tool now provide more useful
   messages to help the user learn how to use their functionality (--help and
   --usage) as well as to determine what is wrong, if anything. Furthermore, the
   module now prints additional debug output to help diagnose problems.
I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177
Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
Thank you,
Hernan
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Hernan Gatta (5):
protectors: Add key protectors framework
tpm2: Add TPM Software Stack (TSS)
protectors: Add TPM2 Key Protector
cryptodisk: Support key protectors
util/grub-protect: Add new tool
.gitignore | 1 +
Makefile.util.def | 19 +
configure.ac | 1 +
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 11 +
grub-core/disk/cryptodisk.c | 166 +++-
grub-core/kern/protectors.c | 75 ++
grub-core/tpm2/args.c | 129 ++++
grub-core/tpm2/buffer.c | 145 ++++
grub-core/tpm2/module.c | 710 +++++++++++++++++
grub-core/tpm2/mu.c | 807 ++++++++++++++++++++
grub-core/tpm2/tcg2.c | 143 ++++
grub-core/tpm2/tpm2.c | 711 +++++++++++++++++
include/grub/cryptodisk.h | 14 +
include/grub/protector.h | 48 ++
include/grub/tpm2/buffer.h | 65 ++
include/grub/tpm2/internal/args.h | 39 +
include/grub/tpm2/internal/functions.h | 117 +++
include/grub/tpm2/internal/structs.h | 675 ++++++++++++++++
include/grub/tpm2/internal/types.h | 372 +++++++++
include/grub/tpm2/mu.h | 292 +++++++
include/grub/tpm2/tcg2.h | 34 +
include/grub/tpm2/tpm2.h | 38 +
util/grub-protect.c | 1314 ++++++++++++++++++++++++++++++++
24 files changed, 5897 insertions(+), 30 deletions(-)
create mode 100644 grub-core/kern/protectors.c
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/buffer.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/mu.c
create mode 100644 grub-core/tpm2/tcg2.c
create mode 100644 grub-core/tpm2/tpm2.c
create mode 100644 include/grub/protector.h
create mode 100644 include/grub/tpm2/buffer.h
create mode 100644 include/grub/tpm2/internal/args.h
create mode 100644 include/grub/tpm2/internal/functions.h
create mode 100644 include/grub/tpm2/internal/structs.h
create mode 100644 include/grub/tpm2/internal/types.h
create mode 100644 include/grub/tpm2/mu.h
create mode 100644 include/grub/tpm2/tcg2.h
create mode 100644 include/grub/tpm2/tpm2.h
create mode 100644 util/grub-protect.c
--
1.8.3.1
Thread overview: 12+ messages
2022-02-01 13:02 Hernan Gatta [this message]
2022-02-01 13:02 ` [PATCH v2 1/5] protectors: Add key protectors framework Hernan Gatta
2022-02-01 13:02 ` [PATCH v2 2/5] tpm2: Add TPM Software Stack (TSS) Hernan Gatta
2022-02-01 13:02 ` [PATCH v2 3/5] protectors: Add TPM2 Key Protector Hernan Gatta
2022-03-22 3:47 ` Michael Chang
2022-03-22 5:46 ` Michael Chang
2022-02-01 13:02 ` [PATCH v2 4/5] cryptodisk: Support key protectors Hernan Gatta
2022-02-01 13:02 ` [PATCH v2 5/5] util/grub-protect: Add new tool Hernan Gatta
2022-03-22 5:54 ` Michael Chang
2022-02-01 21:40 ` [PATCH v2 0/5] Automatic TPM Disk Unlock Didier Spaier
2022-09-23 4:16 ` Max Vohra
2023-02-06 5:53 ` Gary Lin