From: Hernan Gatta
To: grub-devel@gnu.org
Cc: shkhisti@microsoft.com, jaskaran.khurana@microsoft.com, christopher.co@microsoft.com, daniel.mihai@microsoft.com, rharwood@redhat.com, jaredz@redhat.com, development@efficientek.com, jejb@linux.ibm.com
Subject: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Tue, 1 Feb 2022 05:02:52 -0800
Message-Id: <1643720577-22911-1-git-send-email-hegatta@linux.microsoft.com>
X-Mailer: git-send-email 1.8.3.1

Updates since v1:

1. One key can unlock multiple disks:

   It is now possible to use key protectors with cryptomount's -a and -b
   options.

2. No passphrase prompt on error if key protector(s) specified:

   cryptomount no longer prompts for a passphrase if key protectors are
   specified but fail to provide a working unlock key, seeing as the user
   explicitly requested unlocking via key protectors.

3. Key protector parameterization is separate:

   Previously, one would parameterize a key protector via a
   colon-separated argument list nested within a cryptomount argument.
   Now, key protectors are expected to provide an initialization
   function, if necessary. As such, instead of:

     cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...

   one now writes:

     tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
     cryptomount -k tpm2

   Additionally, one may write:

     cryptomount -k protector_1 -k protector_2 ...

   where cryptomount will try each in order on failure.

4. Standard argument parsing:

   The TPM2 key protector now uses 'struct grub_arg_option' and the
   grub-protect tool uses 'struct argp_option'. Additionally, common
   argument parsing functionality is now shared between the module and
   the tool.

5. More useful messages:

   Both the TPM2 module and the grub-protect tool now provide more useful
   messages to help the user learn how to use their functionality (--help
   and --usage) as well as to determine what is wrong, if anything.
   Furthermore, the module now prints additional debug output to help
   diagnose problems.

I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177

Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html

Thank you,
Hernan

Signed-off-by: Hernan Gatta

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

 .gitignore                             |    1 +
 Makefile.util.def                      |   19 +
 configure.ac                           |    1 +
 grub-core/Makefile.am                  |    1 +
 grub-core/Makefile.core.def            |   11 +
 grub-core/disk/cryptodisk.c            |  166 +++-
 grub-core/kern/protectors.c            |   75 ++
 grub-core/tpm2/args.c                  |  129 ++++
 grub-core/tpm2/buffer.c                |  145 ++++
 grub-core/tpm2/module.c                |  710 +++++++++++++++++
 grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 ++++
 grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
 include/grub/cryptodisk.h              |   14 +
 include/grub/protector.h               |   48 ++
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/args.h      |   39 +
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++++
 include/grub/tpm2/mu.h                 |  292 +++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
 24 files changed, 5897 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/args.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/args.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c

-- 
1.8.3.1
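Putting the three v2 behaviours from the cover letter together (separate protector initialization, -a to unlock every disk with one sealed key, and no automatic passphrase prompt once -k is given), here is a grub.cfg fragment added as an illustration. It is not part of the patch series or of GRUB's own documentation. Assumed, and not taken from the page: the module names loaded with insmod, the keyfile path (hd0,gpt1)/boot/sealed.key, and that the sealed key was produced beforehand with the grub-protect tool the series adds; the only options used are the ones the cover letter itself shows (--mode, --keyfile, --pcrs, -k, -a).

```grub
# Added illustration, not from the patch series: unlock LUKS volumes with
# the v2 TPM2 key protector, falling back to an interactive passphrase.
# Assumed: module names below, keyfile path, and that sealed.key was
# produced with grub-protect against PCRs 7 and 11.

insmod cryptodisk
insmod luks
insmod tpm2

# v2 parameterizes the protector in its own command rather than inside
# the cryptomount argument. Sealing to PCR 7 (Secure Boot policy) and
# PCR 11 means a changed boot policy or measurement leaves the seal
# unsatisfiable, so the key is simply not released.
tpm2_key_protector_init --mode=srk --keyfile=(hd0,gpt1)/boot/sealed.key --pcrs=7,11

# -a asks cryptomount to try every encrypted disk with the one sealed key.
# Because -k was given, v2 does NOT prompt for a passphrase on failure,
# so the fallback prompt is made explicit here instead of silently
# continuing to a menu that cannot reach the root filesystem.
if cryptomount -k tpm2 -a; then
    echo "TPM2 key protector unlocked the encrypted disk(s)"
else
    echo "TPM2 key protector failed (changed PCRs or missing keyfile); enter passphrase"
    cryptomount -a
fi
```

The explicit else branch is the part worth keeping: with the v2 semantics, a failed protector is a hard failure, and a config that relied on the v1 implicit prompt would otherwise leave the machine at a GRUB menu with no unlocked root device. The same failure also serves as a cheap tamper signal, since a seal that stops opening means the measured boot path no longer matches what grub-protect recorded.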