tpm2_key_protector: Add tpm2_dump_pcr command

The user may need to inspect the TPM 2.0 PCR values with the GRUB shell, so the new tpm2_dump_pcr command is added to print all PCRs of the specified bank. Also update the document for the new command. Signed-off-by: Gary Lin <glin@suse.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-04-07 16:29:16 +08:00 · 2025-04-07 16:29:16 +08:00 · 46c9f3a8da
commit 46c9f3a8da
parent 617dab9e47
2 changed files with 48 additions and 0 deletions
--- a/docs/grub.texi
+++ b/docs/grub.texi
@ -6488,6 +6488,7 @@ you forget a command, you can run the command @command{help}
 * test::                        Check file types and compare values
 * tpm2_key_protector_init::     Initialize the TPM2 key protector
 * tpm2_key_protector_clear::    Clear the TPM2 key protector
+* tpm2_dump_pcr::               Dump TPM2 PCRs
 * true::                        Do nothing, successfully
 * trust::                       Add public key to list of trusted keys
 * unset::                       Unset an environment variable
@ -8104,6 +8105,18 @@ key and unseal it with the given PCR list and bank.
 Clear the TPM2 key protector if previously initialized.
@end deffn

+@node tpm2_dump_pcr
+@subsection tpm2_dump_pcr
+
+@deffn Command tpm2_dump_pcr [@var{bank}]
+Print all PCRs of the specified TPM 2.0 @var{bank}. The supported banks are
+@samp{sha1}, @samp{sha256}, @samp{sha384}, and @samp{sha512}. If @var{bank}
+is not specified, @samp{sha256} is chosen by default.
+
+Since GRUB measures every command into PCR 8, invoking @command{tpm2_dump_pcr}
+also extends PCR 8, so PCR 8 will not be a stable value in GRUB shell.
+@end deffn
+
@node true
@subsection true

--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@ -160,6 +160,8 @@ static grub_extcmd_t tpm2_protector_init_cmd;
 static grub_extcmd_t tpm2_protector_clear_cmd;
 static tpm2_protector_context_t tpm2_protector_ctx = {0};

+static grub_command_t tpm2_dump_pcr_cmd;
+
 static grub_err_t
 tpm2_protector_srk_read_file (const char *filepath, void **buffer, grub_size_t *buffer_size)
 {
@ -1315,6 +1317,33 @@ static struct grub_key_protector tpm2_key_protector =
    .recover_key = tpm2_protector_recover_key
  };

+static grub_err_t
+tpm2_dump_pcr (grub_command_t cmd __attribute__((__unused__)),
+	       int argc, char *argv[])
+{
+  TPM_ALG_ID_t pcr_bank;
+
+  if (argc == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha1") == 0)
+    pcr_bank = TPM_ALG_SHA1;
+  else if (grub_strcmp (argv[0], "sha256") == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha384") == 0)
+    pcr_bank = TPM_ALG_SHA384;
+  else if (grub_strcmp (argv[0], "sha512") == 0)
+    pcr_bank = TPM_ALG_SHA512;
+  else
+    {
+      grub_printf ("Unknown PCR bank\n");
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  tpm2_protector_dump_pcr (pcr_bank);
+
+  return GRUB_ERR_NONE;
+}
+
 GRUB_MOD_INIT (tpm2_key_protector)
 {
  tpm2_protector_init_cmd =
@ -1336,6 +1365,10 @@ GRUB_MOD_INIT (tpm2_key_protector)
 			  N_("Clear the TPM2 key protector if previously initialized."),
 			  NULL);
  grub_key_protector_register (&tpm2_key_protector);
+
+  tpm2_dump_pcr_cmd =
+    grub_register_command ("tpm2_dump_pcr", tpm2_dump_pcr, N_("Dump TPM2 PCRs"),
+			   N_("Print all PCRs of the specified TPM 2.0 bank"));
 }

 GRUB_MOD_FINI (tpm2_key_protector)
@ -1345,4 +1378,6 @@ GRUB_MOD_FINI (tpm2_key_protector)
  grub_key_protector_unregister (&tpm2_key_protector);
  grub_unregister_extcmd (tpm2_protector_clear_cmd);
  grub_unregister_extcmd (tpm2_protector_init_cmd);
+
+  grub_unregister_command (tpm2_dump_pcr_cmd);
 }