From: Gary Lin via Grub-devel <grub-devel@gnu.org>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Gary Lin <glin@suse.com>, Daniel Kiper <daniel.kiper@oracle.com>,
mchang@suse.com, patrick.colp@oracle.com,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH 0/7] TPM2 PCR Capping
Date: Tue, 8 Jul 2025 16:31:28 +0800
Message-ID: <20250708083135.14809-1-glin@suse.com>

For users who require a sealed key to be unsealable only once per boot
process, a straightforward technique involves "capping" the key by
extending the associated PCRs. This patch set introduces PCR capping
support for the TPM2 key protector, allowing users to select specific
PCRs to extend immediately after the key is unsealed.

Gary Lin (7):
  tss2: Add TPM2_PCR_Event command
  tss2: Introduce grub_tcg2_cap_pcr()
  tss2: Implement grub_tcg2_cap_pcr() for EFI
  tss2: Implement grub_tcg2_cap_pcr() for ieee1275
  tss2: Implement grub_tcg2_cap_pcr() for EMU
  tpm2_key_protector: Support PCR capping
  tests/tpm2_key_protector_test: Add a test for PCR Capping

docs/grub.texi | 20 +++++-
grub-core/commands/ieee1275/ibmvtpm.c | 52 +--------------
.../commands/tpm2_key_protector/module.c | 56 +++++++++++++++-
grub-core/lib/efi/tcg2.c | 41 ++++++++++++
grub-core/lib/ieee1275/tcg2.c | 66 +++++++++++++++++++
grub-core/lib/tss2/tcg2.h | 5 ++
grub-core/lib/tss2/tcg2_emu.c | 19 ++++++
grub-core/lib/tss2/tpm2_cmd.c | 51 ++++++++++++++
grub-core/lib/tss2/tpm2_cmd.h | 7 ++
grub-core/lib/tss2/tss2_mu.c | 18 +++++
grub-core/lib/tss2/tss2_mu.h | 4 ++
grub-core/lib/tss2/tss2_structs.h | 7 ++
grub-core/lib/tss2/tss2_types.h | 1 +
grub-core/normal/main.c | 2 +-
include/grub/ieee1275/tpm.h | 5 ++
tests/tpm2_key_protector_test.in | 65 ++++++++++++++++++
16 files changed, 365 insertions(+), 54 deletions(-)
--
2.43.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
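
The capping technique described in the cover letter above, modelled in Python as an added example (not code from this patch set or from GRUB). ToyTPM, boot(), unseal_and_cap(), the measurement strings and the simplified policy digest are all assumptions made for illustration; a real TPM computes its PCR policy digest differently.

```python
import hashlib

class ToyTPM:
    """Toy model of one SHA-256 PCR bank (hypothetical, not a TPM or GRUB API)."""
    def __init__(self):
        self.pcrs = {i: bytes(32) for i in range(16)}  # reset to zero at each boot

    def pcr_event(self, index, data):
        # TPM2_PCR_Event semantics: hash the data, then extend: new = H(old || digest).
        digest = hashlib.sha256(data).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _policy(self, selection):
        # Simplified stand-in for a PCR policy digest over the selected PCRs.
        h = hashlib.sha256()
        for i in sorted(selection):
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def seal(self, secret, selection):
        return {"secret": secret, "pcrs": tuple(selection), "policy": self._policy(selection)}

    def unseal(self, blob):
        if self._policy(blob["pcrs"]) != blob["policy"]:
            raise PermissionError("PCR policy mismatch")
        return blob["secret"]

def boot(measurements):
    tpm = ToyTPM()
    for index, data in measurements:
        tpm.pcr_event(index, data)
    return tpm

def unseal_and_cap(tpm, blob, cap_pcrs):
    key = tpm.unseal(blob)
    for index in cap_pcrs:  # cap right after unsealing, before anything else runs
        tpm.pcr_event(index, b"constructed-cap-event")
    return key

def demo():
    chain = [(0, b"firmware"), (7, b"secure-boot"), (9, b"grub.cfg")]  # constructed
    blob = boot(chain).seal(b"disk-key", [0, 7, 9])
    tpm = boot(chain)  # a later boot with identical measurements
    first = unseal_and_cap(tpm, blob, cap_pcrs=[9])
    try:
        second = tpm.unseal(blob)
    except PermissionError:
        second = None  # capped PCR 9 no longer matches the sealed policy
    return first, second, boot(chain).unseal(blob)  # next boot works again
```

In this model the cap only blocks a second unseal when the extended PCR is one the key's policy is bound to; extending a PCR outside the sealed selection leaves the key unsealable for the rest of the boot.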