For users who require a sealed key to be unsealable only once per boot
process, a straightforward technique involves "capping" the key by
extending the associated PCRs. This patch set introduces PCR capping
support for the TPM2 key protector, allowing users to select specific
PCRs to extend immediately after the key is unsealed.
v2:
- Fixing typos
- Moving the error message to grub_ieee1275_ibmvtpm_2hash_ext_log()
- Replacing 'SEPARATOR' with 'EV_SEPARATOR'
- Amending the conditional check for grub_tpm2_buffer.error
- Removing the unnecessary 'extern' from grub_tpm2_pcr_event()
Gary Lin (7):
tss2: Add TPM2_PCR_Event command
tss2: Introduce grub_tcg2_cap_pcr()
tss2: Implement grub_tcg2_cap_pcr() for EFI
tss2: Implement grub_tcg2_cap_pcr() for ieee1275
tss2: Implement grub_tcg2_cap_pcr() for EMU
tpm2_key_protector: Support PCR capping
tests/tpm2_key_protector_test: Add a test for PCR Capping
docs/grub.texi | 20 +++++-
grub-core/commands/ieee1275/ibmvtpm.c | 59 ++---------------
.../commands/tpm2_key_protector/module.c | 56 +++++++++++++++-
grub-core/lib/efi/tcg2.c | 40 ++++++++++++
grub-core/lib/ieee1275/tcg2.c | 65 +++++++++++++++++++
grub-core/lib/tss2/tcg2.h | 5 ++
grub-core/lib/tss2/tcg2_emu.c | 20 ++++++
grub-core/lib/tss2/tpm2_cmd.c | 51 +++++++++++++++
grub-core/lib/tss2/tpm2_cmd.h | 7 ++
grub-core/lib/tss2/tss2_mu.c | 18 +++++
grub-core/lib/tss2/tss2_mu.h | 4 ++
grub-core/lib/tss2/tss2_structs.h | 7 ++
grub-core/lib/tss2/tss2_types.h | 1 +
grub-core/normal/main.c | 2 +-
include/grub/ieee1275/tpm.h | 5 ++
tests/tpm2_key_protector_test.in | 65 +++++++++++++++++++
16 files changed, 367 insertions(+), 58 deletions(-)
Range-diff against v1:
1: 78a84a2f1 ! 1: e894ddecd tss2: Add TPM2_PCR_Event command
@@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_flushcontext (const
TPMI_DH_CONTEXT_t h
return TPM_RC_SUCCESS;
}
-+extern TPM_RC_t
++TPM_RC_t
+grub_tpm2_pcr_event (const TPMI_DH_PCR_t pcrHandle,
+ const TPMS_AUTH_COMMAND_t *authCommand,
+ const TPM2B_EVENT_t *eventData,
@@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_flushcontext (const
TPMI_DH_CONTEXT_t h
+ grub_tpm2_buffer_pack_u32 (&in, pcrHandle);
+ grub_Tss2_MU_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_Tss2_MU_TPM2B_Marshal (&in, eventData->size, eventData->buffer);
-+ if (in.error != 0)
++ if (in.error == true)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
@@ grub-core/lib/tss2/tpm2_cmd.c: grub_tpm2_flushcontext (const
TPMI_DH_CONTEXT_t h
+ grub_tpm2_buffer_unpack_u32 (&out, ¶meterSize);
+ grub_Tss2_MU_TPML_DIGEST_VALUE_Unmarshal (&out, digests);
+ grub_Tss2_MU_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
-+ if (out.error != 0)
++ if (out.error == true)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
@@ grub-core/lib/tss2/tss2_mu.c: grub_Tss2_MU_TPML_DIGEST_Unmarshal
(grub_tpm2_buff
+
+ if (digests->count > TPM_NUM_PCR_BANKS)
+ {
-+ buffer->error = 1;
++ buffer->error = true;
+ return;
+ }
+
2: bb4a9fad2 ! 2: 4033bd242 tss2: Introduce grub_tcg2_cap_pcr()
@@ Commit message
This commit introduces the definition of grub_tcg2_cap_pcr(), a new
function designed to enhance the security of sealed keys. Its primary
- purpose is to "cap" a specific PCR by extending it with a SEPARATOR
+ purpose is to "cap" a specific PCR by extending it with an EV_SEPARATOR
event. This action cryptographically alters the PCR value, making it
impossible to unseal any key that was previously sealed to the original
PCR state. Consequently, the sealed key remains protected against
@@ Commit message
system boot.
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Stefan Berger <[email protected]>
## grub-core/lib/tss2/tcg2.h ##
@@
3: 2fe52d692 ! 3: 3965ccac6 tss2: Implement grub_tcg2_cap_pcr() for EFI
@@ Commit message
tss2: Implement grub_tcg2_cap_pcr() for EFI
This commit implements grub_tcg2_cap_pcr() for EFI by using the UEFI
- TCG2 protocol, HashLogExtendEvent, to extend the specified PCR with a
- SEPARATOR event and ensure the event will be recorded properly in the
+ TCG2 protocol, HashLogExtendEvent, to extend the specified PCR with an
+ EV_SEPARATOR event and ensure the event will be recorded properly in
the
TPM event log.
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Stefan Berger <[email protected]>
## grub-core/lib/efi/tcg2.c ##
@@
@@ grub-core/lib/efi/tcg2.c: grub_tcg2_submit_command (grub_size_t
input_size,
+ event->Size = sizeof (*event) - sizeof (event->Event) + sizeof
(separator);
+ grub_memcpy (event->Event, separator, sizeof (separator));
+
-+
+ status = protocol->hash_log_extend_event (protocol, 0,
+ (grub_addr_t) separator,
+ sizeof (separator), event);
4: 7492d086a ! 4: 19325a234 tss2: Implement grub_tcg2_cap_pcr() for ieee1275
@@ Commit message
tss2: Implement grub_tcg2_cap_pcr() for ieee1275
This commit implements grub_tcg2_cap_pcr() for ieee1275 with the
- firmware function, 2hash-ext-log, to extend the target PCR with a
- SEPARATOR event and record the event into the TPM event log.
+ firmware function, 2hash-ext-log, to extend the target PCR with an
+ EV_SEPARATOR event and record the event into the TPM event log.
To avoid duplicate code, ibmvtpm_2hash_ext_log() is moved to tcg2.c
and exported as a global function.
@@ grub-core/commands/ieee1275/ibmvtpm.c
static grub_err_t
tpm2_log_event (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
const char *description)
-@@ grub-core/commands/ieee1275/ibmvtpm.c: tpm2_log_event (unsigned char
*buf, grub_size_t size, grub_uint8_t pcr,
+ {
static int error_displayed = 0;
- int rc;
+- int rc;
++ grub_err_t err;
- rc = ibmvtpm_2hash_ext_log (pcr, EV_IPL,
- description, grub_strlen(description) + 1,
- buf, size);
-+ rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_IPL,
-+ description,
grub_strlen(description) + 1,
-+ buf, size);
- if (rc && !error_displayed)
+- if (rc && !error_displayed)
++ err = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_IPL,
++ description,
grub_strlen(description) + 1,
++ buf, size);
++ if (err != GRUB_ERR_NONE && !error_displayed)
{
error_displayed++;
+- return grub_error (GRUB_ERR_BAD_DEVICE,
+- "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
++ return err;
+ }
+
+ return GRUB_ERR_NONE;
## grub-core/lib/ieee1275/tcg2.c ##
@@ grub-core/lib/ieee1275/tcg2.c: grub_ieee1275_tpm_init (void)
return GRUB_ERR_NONE;
}
-+int
++grub_err_t
+grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
+ grub_uint32_t eventtype,
+ const char *description,
@@ grub-core/lib/ieee1275/tcg2.c: grub_ieee1275_tpm_init (void)
+ args.size = (grub_ieee1275_cell_t) size;
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
-+ return -1;
++ return grub_error (GRUB_ERR_BAD_DEVICE, "2HASH-EXT-LOG failed:
Firmware is likely too old.\n");
+
+ /*
+ * catch_result is set if firmware does not support 2hash-ext-log
+ * rc is GRUB_IEEE1275_CELL_FALSE (0) on failure
+ */
+ if ((args.catch_result) || args.rc == GRUB_IEEE1275_CELL_FALSE)
-+ return -1;
++ return grub_error (GRUB_ERR_BAD_DEVICE, "2HASH-EXT-LOG failed:
Firmware is likely too old.\n");
+
-+ return 0;
++ return GRUB_ERR_NONE;
+}
+
grub_err_t
@@ grub-core/lib/ieee1275/tcg2.c: grub_tcg2_submit_command (grub_size_t
input_size,
+{
+ grub_uint8_t separator[4] = {0};
+ static int error_displayed = 0;
-+ int rc;
++ grub_err_t err;
+
-+ rc = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_SEPARATOR,
-+ separator, sizeof(separator),
-+ separator, sizeof(separator));
-+ if (rc && !error_displayed)
++ err = grub_ieee1275_ibmvtpm_2hash_ext_log (pcr, EV_SEPARATOR,
++ separator, sizeof(separator),
++ separator, sizeof(separator));
++ if (err != GRUB_ERR_NONE && !error_displayed)
+ {
+ error_displayed++;
-+ return grub_error (GRUB_ERR_BAD_DEVICE,
-+ "2HASH-EXT-LOG failed: Firmware is likely too old.\n");
++ return err;
+ }
+
+ return GRUB_ERR_NONE;
@@ include/grub/ieee1275/tpm.h: extern grub_ieee1275_ihandle_t
grub_ieee1275_tpm_ih
extern grub_err_t grub_ieee1275_tpm_init (void);
-+extern int grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t pcrindex,
-+ grub_uint32_t eventtype,
-+ const char *description,
-+ grub_size_t description_size,
-+ void *buf, grub_size_t size);
++extern grub_err_t grub_ieee1275_ibmvtpm_2hash_ext_log (grub_uint8_t
pcrindex,
++ grub_uint32_t eventtype,
++ const char *description,
++ grub_size_t
description_size,
++ void *buf, grub_size_t
size);
#endif
5: ffa8554e9 ! 5: a9b17c590 tss2: Implement grub_tcg2_cap_pcr() for EMU
@@ Metadata
## Commit message ##
tss2: Implement grub_tcg2_cap_pcr() for EMU
- Since there is no system fimware for grub-emu, the TPM2_PCR_Event
+ Since there is no system firmware for grub-emu, the TPM2_PCR_Event
command becomes the only choice to implement grub_tcg2_cap_pcr().
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Stefan Berger <[email protected]>
## grub-core/lib/tss2/tcg2_emu.c ##
@@
@@ grub-core/lib/tss2/tcg2_emu.c: grub_tcg2_submit_command (grub_size_t
input_size,
+grub_err_t
+grub_tcg2_cap_pcr (grub_uint8_t pcr)
+{
-+ TPMS_AUTH_COMMAND_t authCmd = {0};
-+ TPM2B_EVENT_t data = {0};
++ TPMS_AUTH_COMMAND_t authCmd = {
++ .sessionHandle = TPM_RS_PW,
++ };
++ TPM2B_EVENT_t data = {
++ .size = 4,
++ };
+ TPM_RC_t rc;
+
-+ /* A SEPARATOR event is an event with 4 0-bytes. */
-+ data.size = 4;
-+ authCmd.sessionHandle = TPM_RS_PW;
-+
++ /* Submit an EV_SEPARATOR event, i.e. an event with 4 zero-bytes */
+ rc = grub_tpm2_pcr_event (pcr, &authCmd, &data, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE, N_("cannot cap PCR %u"), pcr);
6: 7d295a1d6 ! 6: ac25056fd tpm2_key_protector: Support PCR capping
@@ Commit message
To cap a specific set of PCRs, simply append the argument '-c pcr_list'
to the tpm2_key_protector command. Upon successfully unsealing the key,
the TPM2 key protector will then invoke tpm2_protector_cap_pcrs(). This
- function extends the selected PCRs with a SEPARATOR event, effectively
- "capping" them. Consequently, the associated key cannot be unsealed in
- any subsequent attempts until these PCRs are reset to their original,
- pre-capped state, typically occurring upon the next system boot.
+ function extends the selected PCRs with an EV_SEPARATOR event,
+ effectively "capping" them. Consequently, the associated key cannot be
+ unsealed in any subsequent attempts until these PCRs are reset to their
+ original, pre-capped state, typically occurring upon the next system
+ boot.
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Stefan Berger <[email protected]>
+ Reviewed-by: Sudhakar Kuppusamy <[email protected]>
## docs/grub.texi ##
@@ docs/grub.texi: either @var{expression1} or @var{expression2} is true
@@ docs/grub.texi: bank that the key is sealed with. The PCR list is a
comma-separa
+PCRs. This feature addresses scenarios where a user wants to ensure a
sealed key
+cannot be unsealed again after its initial use. When the @option{-c}
option is
+employed, and the key is successfully unsealed, the TPM2 key protector
automatically
-+extends the selected PCRs with a SEPARATOR event. This action
cryptographically
++extends the selected PCRs with an EV_SEPARATOR event. This action
cryptographically
+alters the PCR values, thereby preventing the associated key from being
unsealed in
+any subsequent attempts until those specific PCRs are reset to their
original state,
+which typically occurs during a system reboot. In general, it is
sufficient to
7: dab6052fe ! 7: 719721b35 tests/tpm2_key_protector_test: Add a test for PCR
Capping
@@ Commit message
after key unsealing.
Signed-off-by: Gary Lin <[email protected]>
+ Reviewed-by: Stefan Berger <[email protected]>
+ Reviewed-by: Sudhakar Kuppusamy <[email protected]>
## tests/tpm2_key_protector_test.in ##
@@ tests/tpm2_key_protector_test.in: EOF
--
2.43.0
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel
