[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 07/14] tpm2: Don't measure the sealed key

From: Gary Lin
Subject: [PATCH 07/14] tpm2: Don't measure the sealed key
Date: Wed, 22 Feb 2023 15:00:47 +0800

Based on the patch from Olaf Kirch <>

The sealed key is the subject to change and measuring the file into PCR9
makes the prediction of PCR9 value impossible. This commit opens the
file with GRUB_FILE_TYPE_SIGNATURE to avoid the measurement.

Signed-off-by: Gary Lin <>
 grub-core/tpm2/module.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index c35bfabdb..bebdecd1c 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -139,7 +139,9 @@ grub_tpm2_protector_srk_read_keyfile (const char *filepath, 
void **buffer,
   void *sealed_key_buffer;
   grub_off_t sealed_key_read;
-  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_NONE);
+  /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into 
+   * otherwise we'll never be able to predict the value of PCR9 at unseal time 
+  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
   if (!sealed_key_file)
       grub_dprintf ("tpm2", "Could not open sealed key file.\n");

reply via email to

[Prev in Thread] Current Thread [Next in Thread]