From: Stefan Berger <stefanb@linux.ibm.com>
To: Gary Lin <glin@suse.com>
Cc: The development of GNU GRUB <grub-devel@gnu.org>,
Hernan Gatta <hegatta@linux.microsoft.com>,
Daniel Axtens <dja@axtens.net>,
Daniel Kiper <daniel.kiper@oracle.com>,
shkhisti@microsoft.com, jaskaran.khurana@microsoft.com,
christopher.co@microsoft.com, daniel.mihai@microsoft.com,
jaredz@redhat.com, development@efficientek.com,
jejb@linux.ibm.com, mchang@suse.com, patrick.colp@oracle.com
Subject: Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2
Date: Mon, 15 Apr 2024 10:26:32 -0400 [thread overview]
Message-ID: <48b96885-e080-4c49-91d0-ea5b426a04dc@linux.ibm.com> (raw)
In-Reply-To: <20240415094524.csybbn4ojci44k4f@GaryLaptop>
On 4/15/24 05:45, Gary Lin wrote:
> On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
>>
>>
>> On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
>>> GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
>>>
>>> This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
>>> Hernan Gatta to introduce the key protector framework and TPM2 stack
>>> to GRUB2, and this could be a useful feature for the systems to
>>> implement full disk encryption.
>>
>> You also need to extend the documentation with the command line steps and a
>> IMO there has to be a warning for VM users that sealing to PCRs inside a VM
>> is dangerous since the next packages update may bring an update to TianoCore
>> UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
>> work then.
>>
> For baremetal users, it still could happen after upgrading the firmware.
Right but this is much rarer.
> We surely need a place to notice users this situation when using PCR
> 0~7.
PCRs 8-9 probably have to be all zeros at the time of sealing (running
the user space application for seting this up) so they have the values
at the time before grub measures kernel and initramfs, right?
>
> Thanks,
>
> Gary Lin
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2024-04-15 14:27 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-12 8:39 [PATCH v11 00/20] Automatic Disk Unlock with TPM2 Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 01/20] posix_wrap: tweaks in preparation for libtasn1 Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 02/20] libtasn1: import libtasn1-4.19.0 Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 03/20] libtasn1: disable code not needed in grub Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 04/20] libtasn1: changes for grub compatibility Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 05/20] libtasn1: fix the potential buffer overrun Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 06/20] libtasn1: compile into asn1 module Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 07/20] asn1_test: test module for libtasn1 Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 08/20] libtasn1: Add the documentation Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 09/20] key_protector: Add key protectors framework Gary Lin via Grub-devel
2024-04-12 17:25 ` Stefan Berger
2024-04-12 8:39 ` [PATCH v11 10/20] tpm2: Add TPM Software Stack (TSS) Gary Lin via Grub-devel
2024-04-12 15:26 ` Stefan Berger
2024-04-15 6:57 ` Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 11/20] key_protector: Add TPM2 Key Protector Gary Lin via Grub-devel
2024-04-12 18:57 ` Stefan Berger
2024-04-15 7:53 ` Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 12/20] cryptodisk: Support key protectors Gary Lin via Grub-devel
2024-04-12 20:00 ` Stefan Berger
2024-04-12 8:39 ` [PATCH v11 13/20] util/grub-protect: Add new tool Gary Lin via Grub-devel
2024-04-12 20:52 ` Stefan Berger
2024-04-15 9:40 ` Gary Lin via Grub-devel
2024-04-15 12:31 ` Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 14/20] tpm2: Support authorized policy Gary Lin via Grub-devel
2024-04-12 16:18 ` Stefan Berger
2024-04-12 8:39 ` [PATCH v11 15/20] tpm2: Implement NV index Gary Lin via Grub-devel
2024-04-12 20:56 ` Stefan Berger
2024-04-12 8:39 ` [PATCH v11 16/20] cryptodisk: Fallback to passphrase Gary Lin via Grub-devel
2024-04-12 21:13 ` Stefan Berger
2024-04-12 23:12 ` Patrick Colp via Grub-devel
2024-04-12 8:39 ` [PATCH v11 17/20] cryptodisk: wipe out the cached keys from protectors Gary Lin via Grub-devel
2024-04-12 21:04 ` Stefan Berger
2024-04-12 8:39 ` [PATCH v11 18/20] diskfilter: look up cryptodisk devices first Gary Lin via Grub-devel
2024-04-12 8:39 ` [PATCH v11 19/20] tpm2: Enable tpm2 module for grub-emu Gary Lin via Grub-devel
2024-04-12 21:03 ` Stefan Berger
2024-04-12 8:40 ` [PATCH v11 20/20] tests: Add tpm2_test Gary Lin via Grub-devel
2024-04-12 16:24 ` [PATCH v11 00/20] Automatic Disk Unlock with TPM2 Stefan Berger
2024-04-15 9:45 ` Gary Lin via Grub-devel
2024-04-15 14:26 ` Stefan Berger [this message]
2024-04-16 2:28 ` Gary Lin via Grub-devel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48b96885-e080-4c49-91d0-ea5b426a04dc@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christopher.co@microsoft.com \
--cc=daniel.kiper@oracle.com \
--cc=daniel.mihai@microsoft.com \
--cc=development@efficientek.com \
--cc=dja@axtens.net \
--cc=glin@suse.com \
--cc=grub-devel@gnu.org \
--cc=hegatta@linux.microsoft.com \
--cc=jaredz@redhat.com \
--cc=jaskaran.khurana@microsoft.com \
--cc=jejb@linux.ibm.com \
--cc=mchang@suse.com \
--cc=patrick.colp@oracle.com \
--cc=shkhisti@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.