tablet/grub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,172 Commits 1 Branch 0 Tags 49 MiB
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Gary Lin 5934bf51cb util/grub-protect: Support NV index mode 
This commit implements the missing NV index mode support in grub-protect.
NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM)
instead of a file. There are two supported types of TPM handles.

1. Persistent handle (0x81000000~0x81FFFFFF)
   Only the raw format is supported due to the limitation of persistent
   handles. This grub-protect command seals the key into the
   persistent handle 0x81000000.

  # grub-protect \
      --protector=tpm2 \
      --action=add \
      --tpm2-bank=sha256 \
      --tpm2-pcrs=7,11 \
      --tpm2-keyfile=luks-key \
      --tpm2-nvindex=0x81000000

2. NV index handle (0x1000000~0x1FFFFFF)
   Both TPM 2.0 Key File format and the raw format are supported by NV
   index handles. Here is the grub-protect command to seal the key in
   TPM 2.0 Key File format into the NV index handle 0x1000000.

  # grub-protect \
      --protector=tpm2 \
      --action=add \
      --tpm2key \
      --tpm2-bank=sha256 \
      --tpm2-pcrs=7,11 \
      --tpm2-keyfile=luks-key \
      --tpm2-nvindex=0x1000000

Besides the "add" action, the corresponding "remove" action is also
introduced. To remove the data from a persistent or NV index handle,
just use "--tpm2-nvindex=HANDLE" combining with "--tpm2-evict". This
sample command removes the data from the NV index handle 0x1000000.

  # grub-protect \
      --protector=tpm2 \
      --action=remove \
      --tpm2-evict \
      --tpm2-nvindex=0x1000000

Also set and check the boolean variables with true/false instead of 1/0.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2025-04-10 18:12:57 +02:00
asm-tests
asm-tests/i386-pc: Check that movl is 5 bytes.
2016-09-28 20:31:04 +03:00
conf
build: Track explicit module dependencies in Makefile.core.def
2024-05-09 15:04:54 +02:00
docs
tpm2_key_protector: Unseal key from a buffer
2025-04-10 18:05:58 +02:00
grub-core
tpm2_key_protector: Support NV index handles
2025-04-10 18:10:33 +02:00
include
loader/i386/linux: Update linux_kernel_params to match upstream
2025-04-04 21:57:05 +02:00
po
po: Un-transliterate the %zu format code
2022-03-14 23:05:00 +01:00
tests
tests/util/grub-shell: Remove the work directory on successful run and debug is not on
2025-03-26 14:30:56 +01:00
themes/starfield
Starfield theme.
2012-02-23 17:21:38 +01:00
unicode
* unicode: Import Unicode 6.0 data.
2011-12-25 16:17:25 +01:00
util
util/grub-protect: Support NV index mode
2025-04-10 18:12:57 +02:00
.gitattributes
gitattributes: Mark po/exclude.pot as binary so git won't try to diff nonprintables
2019-09-23 13:17:15 +02:00
.gitignore
gitignore: Ignore generated files from libtasn
2025-03-05 12:05:38 +01:00
.travis.yml
travis: Run bootstrap to fix build
2020-09-18 22:31:30 +02:00
acinclude.m4
configure: Replace -Wl,-r,-d with -Wl,-r and add -fno-common
2022-03-07 15:05:22 +01:00
AUTHORS
2005-09-03 Yoshinori K. Okuji <okuji@enbug.org>
2005-09-03 16:54:27 +00:00
autogen.sh
asn1_test: Test module for libtasn1
2024-11-28 21:50:54 +01:00
bootstrap
gnulib: Update gnulib version and drop most gnulib patches
2022-03-21 19:14:54 +01:00
bootstrap.conf
bootstrap: Don't check gettext version
2023-12-13 13:25:34 +01:00
BUGS
* BUGS: New file.
2011-01-11 00:06:01 +01:00
config.h.in
efi: Generate stack protector canary at build time if urandom is available
2023-12-20 14:31:50 +01:00
configure.ac
util/grub-protect: Add new tool
2024-11-28 21:50:55 +01:00
COPYING
2007-07-22 Yoshinori K. Okuji <okuji@enbug.org>
2007-07-21 23:32:33 +00:00
coreboot.cfg
* coreboot.cfg: Add missing file.
2013-11-20 00:52:23 +01:00
geninit.sh
automake commit without merge history
2010-05-06 11:34:04 +05:30
gentpl.py
gentpl: Put boot/mips/startup_raw.S into beginning of the image
2024-09-05 17:25:27 +02:00
INSTALL
tests: Switch to requiring exfatprogs from exfat-utils
2024-06-20 15:19:12 +02:00
linguas.sh
linguas: Don't skip ko.po.
2017-02-04 00:06:57 +01:00
MAINTAINERS
SECURITY: Add SECURITY file
2021-06-08 14:24:34 +02:00
Makefile.am
Makefile: Make grub_fstest.pp depend on config-util.h
2022-08-10 14:24:46 +02:00
Makefile.util.def
tests: Add tpm2_key_protector_test
2024-11-28 21:50:56 +01:00
NEWS
Release 2.12
2023-12-20 16:54:46 +01:00
README
SECURITY: Add SECURITY file
2021-06-08 14:24:34 +02:00
SECURITY
SECURITY: Add SECURITY file
2021-06-08 14:24:34 +02:00
THANKS
2009-12-11 Robert Millan <rmh.grub@aybabtu.com>
2009-12-11 22:44:47 +00:00
TODO
TODO: Remove obsolete link
2016-02-12 17:51:52 +01:00

README 

This is GRUB 2, the second version of the GRand Unified Bootloader.
GRUB 2 is rewritten from scratch to make GNU GRUB cleaner, safer, more
robust, more powerful, and more portable.

See the file NEWS for a description of recent changes to GRUB 2.

See the file INSTALL for instructions on how to build and install the
GRUB 2 data and program files.

See the file MAINTAINERS for information about the GRUB maintainers, etc.

If you found a security vulnerability in the GRUB please check the SECURITY
file to get more information how to properly report this kind of bugs to
the maintainers.

Please visit the official web page of GRUB 2, for more information.
The URL is <http://www.gnu.org/software/grub/grub.html>.

More extensive documentation is available in the Info manual,
accessible using 'info grub' after building and installing GRUB 2.

There are a number of important user-visible differences from the
first version of GRUB, now known as GRUB Legacy. For a summary, please
see:

  info grub Introduction 'Changes from GRUB Legacy'
Description
No description provided
Readme
Languages
C 82.5%
Assembly 13.6%
M4 1.4%
Shell 1.3%
Makefile 0.5%
Other 0.5%