550ada7d67
This commit handles the TPM2_PolicyAuthorize command from the key file in TPM 2.0 Key File format. TPM2_PolicyAuthorize is the essential command to support authorized policy which allows the users to sign TPM policies with their own keys. Per TPM 2.0 Key File [1], CommandPolicy for TPM2_PolicyAuthorize comprises "TPM2B_PUBLIC pubkey", "TPM2B_DIGEST policy_ref", and "TPMT_SIGNATURE signature". To verify the signature, the current policy digest is hashed with the hash algorithm written in "signature", and then "signature" is verified with the hashed policy digest and "pubkey". Once TPM accepts "signature", TPM2_PolicyAuthorize is invoked to authorize the signed policy. To create the key file with authorized policy, here are the pcr-oracle [2] commands: # Generate the RSA key and create the authorized policy file $ pcr-oracle \ --rsa-generate-key \ --private-key policy-key.pem \ --auth authorized.policy \ create-authorized-policy 0,2,4,7,9 # Seal the secret with the authorized policy $ pcr-oracle \ --key-format tpm2.0 \ --auth authorized.policy \ --input disk-secret.txt \ --output sealed.key \ seal-secret # Sign the predicted PCR policy $ pcr-oracle \ --key-format tpm2.0 \ --private-key policy-key.pem \ --from eventlog \ --stop-event "grub-file=grub.cfg" \ --after \ --input sealed.key \ --output /boot/efi/efi/grub/sealed.tpm \ sign 0,2,4,7,9 Then specify the key file and the key protector to grub.cfg in the EFI system partition: tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm cryptomount -u <PART_UUID> -P tpm2 For any change in the boot components, just run the "sign" command again to update the signature in sealed.tpm, and TPM can unseal the key file with the updated PCR policy. [1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html [2] https://github.com/okirch/pcr-oracle Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com>
This is GRUB 2, the second version of the GRand Unified Bootloader. GRUB 2 is rewritten from scratch to make GNU GRUB cleaner, safer, more robust, more powerful, and more portable. See the file NEWS for a description of recent changes to GRUB 2. See the file INSTALL for instructions on how to build and install the GRUB 2 data and program files. See the file MAINTAINERS for information about the GRUB maintainers, etc. If you found a security vulnerability in the GRUB please check the SECURITY file to get more information how to properly report this kind of bugs to the maintainers. Please visit the official web page of GRUB 2, for more information. The URL is <http://www.gnu.org/software/grub/grub.html>. More extensive documentation is available in the Info manual, accessible using 'info grub' after building and installing GRUB 2. There are a number of important user-visible differences from the first version of GRUB, now known as GRUB Legacy. For a summary, please see: info grub Introduction 'Changes from GRUB Legacy'