[PATCH 07/14] tpm2: Don't measure the sealed key
From: Gary Lin
Subject: [PATCH 07/14] tpm2: Don't measure the sealed key
Date: Wed, 22 Feb 2023 15:00:47 +0800
Based on the patch from Olaf Kirch <OKir@suse.com>
The sealed key is subject to change, and measuring the file into PCR9
makes the prediction of the PCR9 value impossible. This commit opens the
file with GRUB_FILE_TYPE_SIGNATURE to avoid the measurement.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/module.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index c35bfabdb..bebdecd1c 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -139,7 +139,9 @@ grub_tpm2_protector_srk_read_keyfile (const char *filepath,
void **buffer,
void *sealed_key_buffer;
grub_off_t sealed_key_read;
- sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_NONE);
+ /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into
PCR9
+ * otherwise we'll never be able to predict the value of PCR9 at unseal time
*/
+ sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
if (!sealed_key_file)
{
grub_dprintf ("tpm2", "Could not open sealed key file.\n");
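Review bot: opening the keyfile with GRUB_FILE_TYPE_SIGNATURE relies on a side effect of that file type to suppress the PCR9 measurement, even though the file is a sealed key and not a signature, so a reader of this grub_file_open call will not see the intent from the type alone; either introduce a dedicated file type (or flag) for unmeasured key material, or extend the comment to say that the type is chosen for its measurement behaviour and that any other handling GRUB applies to signature files is acceptable for this file. Also, GRUB comments are complete sentences ending in a period, so the new comment should end like `... at unseal time.  */` rather than stopping without punctuation.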
--
2.35.3
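The commit message argues that measuring a file that changes on every reseal into PCR9 makes PCR9 unpredictable at seal time. The following simulation, added here and not part of the patch or of GRUB, replays the SHA-256 PCR extend chain over constructed stand-ins for the boot files and shows that PCR9 only settles to a fixed value when the sealed key blob is left out of the measurements.

```python
import hashlib

# Constructed example, not code from the GRUB patch: simulates the TPM2
# PCR extend operation (PCR' = SHA-256(PCR || digest)) to show why
# measuring the sealed key into PCR 9 breaks PCR 9 prediction.

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts as 32 zero bytes

def extend(pcr, event):
    """One TPM2_PCR_Extend: the caller hashes the event, the TPM folds it in."""
    digest = hashlib.sha256(event).digest()
    return hashlib.sha256(pcr + digest).digest()

def predict_pcr9(files):
    """Replay the measurements of every file content GRUB would read into PCR 9."""
    pcr = PCR_INIT
    for content in files:
        pcr = extend(pcr, content)
    return pcr

# Constructed stand-ins for files GRUB measures during boot (config, kernel, initrd).
BOOT_FILES = [b"set root=hd0,gpt2\nlinux /vmlinuz\n", b"<kernel image>", b"<initrd image>"]

def policy_pcr9_with_keyfile(sealed_key):
    """PCR 9 if the sealed key file were opened with a measured file type."""
    return predict_pcr9(BOOT_FILES + [sealed_key])

def policy_pcr9_without_keyfile():
    """PCR 9 when the sealed key file is opened with GRUB_FILE_TYPE_SIGNATURE (unmeasured)."""
    return predict_pcr9(BOOT_FILES)

def unseal_would_succeed(expected_pcr9, actual_pcr9):
    """A PCR policy sealed against expected_pcr9 only unseals if the bank matches."""
    return expected_pcr9 == actual_pcr9

if __name__ == "__main__":
    # Constructed blobs: the key is sealed once, then resealed to a new blob later.
    old_blob, new_blob = b"sealed-blob-v1", b"sealed-blob-v2"
    expected = policy_pcr9_with_keyfile(old_blob)  # value that would be baked into the policy
    print("measured keyfile, resealed:", unseal_would_succeed(expected, policy_pcr9_with_keyfile(new_blob)))
    expected = policy_pcr9_without_keyfile()
    print("unmeasured keyfile, resealed:", unseal_would_succeed(expected, policy_pcr9_without_keyfile()))
```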