To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.
For the TPM2 key protector, the intended flow is for a user to have
a LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates
a new LUKS key file, say by reading /dev/urandom into a file, and creates
a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.
Sample usage:
$ dd if=/dev/urandom of=luks-key bs=1 count=32
$ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512
To seal the key with TPM 2.0 Key File (recommended):
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2key \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/efi/grub/sealed.tpm
Or, to seal the key with the raw sealed key:
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/efi/grub/sealed.key
Then, in the boot script, for TPM 2.0 Key File:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
cryptomount -u <SDB1_UUID> -P tpm2
Or, for the raw sealed key:
tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed.key --pcrs=0,2,4,7,9
cryptomount -u <SDB1_UUID> -P tpm2
The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Fixes Ubuntu bug #1082045.
* docs/grub.texi (Images): Refer generally to grub-install rather
than directly to grub-setup.
(Installing GRUB using grub-install): Remove direct reference to
grub-setup.
(Device map) Likewise.
(Invoking grub-install): Likewise.
* docs/man/grub-install.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkimage.h2m (SEE ALSO): Likewise.
* util/grub-install.in (usage): Likewise.
* util/bash-completion.d/grub-completion.bash.in (_grub_setup):
Apply to grub-bios-setup and grub-sparc64-setup rather than to
grub-setup.
* configure.ac: Remove grub_setup output variable.
* docs/man/grub-bios-setup.h2m (NAME): Change name from grub-setup
to grub-bios-setup.
* docs/man/grub-sparc64-setup.h2m (NAME): Change name from
grub-setup to grub-sparc64-setup.
#551428.
* docs/man/grub-editenv.h2m (SEE ALSO): New section.
* docs/man/grub-emu.h2m (SEE ALSO): Likewise.
* docs/man/grub-fstest.h2m (SEE ALSO): Likewise.
* docs/man/grub-install.h2m (SEE ALSO): Likewise.
* docs/man/grub-macho2img.h2m (SEE ALSO): Likewise.
* docs/man/grub-menulst2cfg.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkconfig.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkdevicemap.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkfont.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkimage.h2m (SEE ALSO): Likewise.
* docs/man/grub-mklayout.h2m (SEE ALSO): Likewise.
* docs/man/grub-mknetdir.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkpasswd-pbkdf2.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkrelpath.h2m (SEE ALSO): Likewise.
* docs/man/grub-mkrescue.h2m (SEE ALSO): Likewise.
* docs/man/grub-ofpathname.h2m (SEE ALSO): Likewise.
* docs/man/grub-pe2elf.h2m (SEE ALSO): Likewise.
* docs/man/grub-probe.h2m (SEE ALSO): Likewise.
* docs/man/grub-reboot.h2m (SEE ALSO): Likewise.
* docs/man/grub-script-check.h2m (SEE ALSO): Likewise.
* docs/man/grub-set-default.h2m (SEE ALSO): Likewise.
* docs/man/grub-setup.h2m (SEE ALSO): Likewise.
when generating manual pages.
* docs/man/grub-bin2h.h2m: New file.
* docs/man/grub-editenv.h2m: New file.
* docs/man/grub-fstest.h2m: New file.
* docs/man/grub-install.h2m: New file.
* docs/man/grub-macho2img.h2m: New file.
* docs/man/grub-mkconfig.h2m: New file.
* docs/man/grub-mkdevicemap.h2m: New file.
* docs/man/grub-mkfont.h2m: New file.
* docs/man/grub-mkimage.h2m: New file.
* docs/man/grub-mkpasswd-pbkdf2.h2m: New file.
* docs/man/grub-mkrelpath.h2m: New file.
* docs/man/grub-mkrescue.h2m: New file.
* docs/man/grub-ofpathname.h2m: New file.
* docs/man/grub-pe2elf.h2m: New file.
* docs/man/grub-probe.h2m: New file.
* docs/man/grub-reboot.h2m: New file.
* docs/man/grub-script-check.h2m: New file.
* docs/man/grub-set-default.h2m: New file.
* docs/man/grub-setup.h2m: New file.
