[PATCH 2/7] tss2: Introduce grub_tcg2_cap_pcr() - Gary Lin via Grub-devel

From: Gary Lin via Grub-devel <grub-devel@gnu.org>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Gary Lin <glin@suse.com>, Daniel Kiper <daniel.kiper@oracle.com>,
	mchang@suse.com, patrick.colp@oracle.com,
	Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH 2/7] tss2: Introduce grub_tcg2_cap_pcr()
Date: Tue,  8 Jul 2025 16:31:30 +0800	[thread overview]
Message-ID: <20250708083135.14809-3-glin@suse.com> (raw)
In-Reply-To: <20250708083135.14809-1-glin@suse.com>

This commit introduces the definition of grub_tcg2_cap_pcr(), a new
function designed to enhance the security of sealed keys. Its primary
purpose is to "cap" a specific PCR by extending it with a SEPARATOR
event. This action cryptographically alters the PCR value, making it
impossible to unseal any key that was previously sealed to the original
PCR state. Consequently, the sealed key remains protected against
unauthorized unsealing attempts until the associated PCRs are reset to
their initial configuration, typically occurring during a subsequent
system boot.

Signed-off-by: Gary Lin <glin@suse.com>
---
 grub-core/lib/tss2/tcg2.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/grub-core/lib/tss2/tcg2.h b/grub-core/lib/tss2/tcg2.h
index 3d26373dd..c7e80d355 100644
--- a/grub-core/lib/tss2/tcg2.h
+++ b/grub-core/lib/tss2/tcg2.h
@@ -23,6 +23,8 @@
 #include <grub/err.h>
 #include <grub/types.h>
 
+#define EV_SEPARATOR 0x04
+
 extern grub_err_t
 grub_tcg2_get_max_output_size (grub_size_t *size);
 
@@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size,
 			  grub_size_t output_size,
 			  grub_uint8_t *output);
 
+extern grub_err_t
+grub_tcg2_cap_pcr (grub_uint8_t pcr);
+
 #endif /* ! GRUB_TPM2_TCG2_HEADER */
-- 
2.43.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
