[PATCH 07/14] tpm2: Don't measure the sealed key

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 07/14] tpm2: Don't measure the sealed key

From:	Gary Lin
Subject:	[PATCH 07/14] tpm2: Don't measure the sealed key
Date:	Wed, 22 Feb 2023 15:00:47 +0800

Based on the patch from Olaf Kirch <OKir@suse.com>

The sealed key is the subject to change and measuring the file into PCR9
makes the prediction of PCR9 value impossible. This commit opens the
file with GRUB_FILE_TYPE_SIGNATURE to avoid the measurement.

Signed-off-by: Gary Lin <glin@suse.com>
---
 grub-core/tpm2/module.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index c35bfabdb..bebdecd1c 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -139,7 +139,9 @@ grub_tpm2_protector_srk_read_keyfile (const char *filepath, 
void **buffer,
   void *sealed_key_buffer;
   grub_off_t sealed_key_read;
 
-  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_NONE);
+  /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile into 
PCR9
+   * otherwise we'll never be able to predict the value of PCR9 at unseal time 
*/
+  sealed_key_file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
   if (!sealed_key_file)
     {
       grub_dprintf ("tpm2", "Could not open sealed key file.\n");
-- 
2.35.3

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 00/14] Automatic Disk Unlock with TPM2, Gary Lin, 2023/02/22
- [PATCH 01/14] protectors: Add key protectors framework, Gary Lin, 2023/02/22
- [PATCH 02/14] tpm2: Add TPM Software Stack (TSS), Gary Lin, 2023/02/22
- [PATCH 03/14] protectors: Add TPM2 Key Protector, Gary Lin, 2023/02/22
  - Re: [PATCH 03/14] protectors: Add TPM2 Key Protector, James Bottomley, 2023/02/22
    - Re: [PATCH 03/14] protectors: Add TPM2 Key Protector, Gary Lin, 2023/02/23
- [PATCH 05/14] util/grub-protect: Add new tool, Gary Lin, 2023/02/22
- [PATCH 07/14] tpm2: Don't measure the sealed key, Gary Lin <=
- [PATCH 09/14] tpm2: declare the input arguments of TPM2 functions as const, Gary Lin, 2023/02/22
- [PATCH 13/14] tpm2: allow some command parameters to be NULL, Gary Lin, 2023/02/22
- [PATCH 14/14] tpm2: remove the unnecessary variables, Gary Lin, 2023/02/22
- [PATCH 04/14] cryptodisk: Support key protectors, Gary Lin, 2023/02/22
  - Re: [PATCH 04/14] cryptodisk: Support key protectors, Gary Lin, 2023/02/23
- [PATCH 06/14] crytodisk: fix cryptodisk module looking up, Gary Lin, 2023/02/22
- [PATCH 08/14] tpm2: adjust the input parameters of TPM2_EvictControl, Gary Lin, 2023/02/22
- [PATCH 11/14] tpm2: check the command parameters of TPM2 commands, Gary Lin, 2023/02/22
- [PATCH 10/14] tpm2: resend the command on TPM_RC_RETRY, Gary Lin, 2023/02/22
- [PATCH 12/14] tpm2: pack the missing authorization command for TPM2_PCR_Read, Gary Lin, 2023/02/22

Prev by Date: [PATCH 05/14] util/grub-protect: Add new tool
Next by Date: [PATCH 09/14] tpm2: declare the input arguments of TPM2 functions as const
Previous by thread: [PATCH 05/14] util/grub-protect: Add new tool
Next by thread: [PATCH 09/14] tpm2: declare the input arguments of TPM2 functions as const
Index(es):
- Date
- Thread