To prevent a sealed key from being unsealed again, a common and straightforward method is to "cap" the key by extending the associated PCRs. When the PCRs associated with the sealed key are extended, TPM will be unable to unseal the key, as the PCR values required for unsealing no longer match, effectively rendering the key unusable until the next system boot or a state where the PCRs are reset to their expected values.

To cap a specific set of PCRs, simply append the argument '-c pcr_list' to the tpm2_key_protector command. Upon successfully unsealing the key, the TPM2 key protector will then invoke tpm2_protector_cap_pcrs(). This function extends the selected PCRs with an EV_SEPARATOR event, effectively "capping" them. Consequently, the associated key cannot be unsealed in any subsequent attempts until these PCRs are reset to their original, pre-capped state, typically occurring upon the next system boot.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
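
The capping behaviour described in the commit message above, as an added example in Python that models a TPM in software; it is not GRUB code and not part of the commit. `ModelTPM`, `boot`, `unseal_and_cap` and `demo` are hypothetical names, the measurements and the PCR indices 7, 8 and 9 are constructed, and the four zero bytes used as separator event data are an assumption.

```python
import hashlib

# Assumption: four zero bytes as separator event data; the value GRUB logs is not on this page.
SEPARATOR_DATA = bytes(4)

def extend(pcr, data):
    # PCR extend: new value = SHA-256(old value || SHA-256(event data))
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def pcr_digest(bank, selection):
    # Digest over the selected PCR values in index order, which a PCR policy checks
    return hashlib.sha256(b"".join(bank[i] for i in sorted(selection))).digest()

class ModelTPM:
    def __init__(self):
        # PCRs 0-15 of the SHA-256 bank are all zero after a platform reset
        self.bank = {i: bytes(32) for i in range(16)}

    def measure(self, index, data):
        self.bank[index] = extend(self.bank[index], data)

    def seal(self, secret, selection):
        # Simplified sealed object: the secret bound to the current PCR digest
        return {"secret": secret, "selection": tuple(selection),
                "expected": pcr_digest(self.bank, selection)}

    def unseal(self, blob):
        if pcr_digest(self.bank, blob["selection"]) != blob["expected"]:
            return None  # policy mismatch: the TPM refuses to release the secret
        return blob["secret"]

def boot():
    # Constructed boot: a fresh PCR bank plus the same two measurements every time
    tpm = ModelTPM()
    tpm.measure(7, b"constructed secure boot policy")
    tpm.measure(9, b"constructed grub.cfg")
    return tpm

def unseal_and_cap(tpm, blob, cap_list):
    # Models the flow in the commit message: cap only after a successful unseal
    key = tpm.unseal(blob)
    if key is not None:
        for index in cap_list:
            tpm.measure(index, SEPARATOR_DATA)
    return key

def demo(cap_list):
    tpm = boot()
    blob = tpm.seal(b"disk key", (7, 9))
    first = unseal_and_cap(tpm, blob, cap_list)
    second = tpm.unseal(blob)  # retry within the same boot
    return first, second, boot().unseal(blob)  # third value: after a reboot
```

`demo((7,))` shows the second unseal failing until the reboot, while `demo((8,))` shows that a cap list that misses every PCR the key is sealed to leaves the key unsealable for the rest of the boot.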
…
…
…
This is GRUB 2, the second version of the GRand Unified Bootloader. GRUB 2 is rewritten from scratch to make GNU GRUB cleaner, safer, more robust, more powerful, and more portable.

See the file NEWS for a description of recent changes to GRUB 2.

See the file INSTALL for instructions on how to build and install the GRUB 2 data and program files.

See the file MAINTAINERS for information about the GRUB maintainers, etc.

If you find a security vulnerability in GRUB, please check the SECURITY file for information on how to properly report this kind of bug to the maintainers.

Please visit the official web page of GRUB 2 for more information. The URL is <http://www.gnu.org/software/grub/grub.html>.

More extensive documentation is available in the Info manual, accessible using 'info grub' after building and installing GRUB 2.

There are a number of important user-visible differences from the first version of GRUB, now known as GRUB Legacy. For a summary, please see:

  info grub Introduction 'Changes from GRUB Legacy'