grub-devel.gnu.org archive mirror
 help / color / mirror / Atom feed
From: Gary Lin via Grub-devel <grub-devel@gnu.org>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: Gary Lin <glin@suse.com>,
	The development of GNU GRUB <grub-devel@gnu.org>,
	Hernan Gatta <hegatta@linux.microsoft.com>,
	Daniel Axtens <dja@axtens.net>,
	Daniel Kiper <daniel.kiper@oracle.com>,
	shkhisti@microsoft.com, jaskaran.khurana@microsoft.com,
	christopher.co@microsoft.com, daniel.mihai@microsoft.com,
	jaredz@redhat.com, development@efficientek.com,
	jejb@linux.ibm.com, mchang@suse.com, patrick.colp@oracle.com
Subject: Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2
Date: Tue, 16 Apr 2024 10:28:14 +0800	[thread overview]
Message-ID: <20240416022814.fr4r7gmx7rrkgkof@GaryLaptop> (raw)
In-Reply-To: <48b96885-e080-4c49-91d0-ea5b426a04dc@linux.ibm.com>

On Mon, Apr 15, 2024 at 10:26:32AM -0400, Stefan Berger wrote:
> 
> 
> On 4/15/24 05:45, Gary Lin wrote:
> > On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
> > > 
> > > 
> > > On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
> > > > GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
> > > > 
> > > > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > > > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > > > to GRUB2, and this could be a useful feature for the systems to
> > > > implement full disk encryption.
> > > 
> > > You also need to extend the documentation with the command line steps and a
> > > IMO there has to be a warning for VM users that sealing to PCRs inside a VM
> > > is dangerous since the next packages update may bring an update to TianoCore
> > > UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
> > > work then.
> > > 
> > For baremetal users, it still could happen after upgrading the firmware.
> 
> Right but this is much rarer.
> 
> > We surely need a place to notice users this situation when using PCR
> > 0~7.
> 
> PCRs 8-9 probably have to be all zeros at the time of sealing (running the
> user space application for seting this up) so they have the values at the
> time before grub measures kernel and initramfs, right?
> 
For grub-protect, yes. On the other hand, pcr-oracle can predict PCR 9
based on the current grub.cfg and the eventlog. PCR 8 is tricky because
grub measures the command with the expanded variables, and pcr-oracle has
to be improved to parse all grub config files to make the prediction.

Gary Lin

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

      reply	other threads:[~2024-04-16  2:28 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-12  8:39 [PATCH v11 00/20] Automatic Disk Unlock with TPM2 Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 01/20] posix_wrap: tweaks in preparation for libtasn1 Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 02/20] libtasn1: import libtasn1-4.19.0 Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 03/20] libtasn1: disable code not needed in grub Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 04/20] libtasn1: changes for grub compatibility Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 05/20] libtasn1: fix the potential buffer overrun Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 06/20] libtasn1: compile into asn1 module Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 07/20] asn1_test: test module for libtasn1 Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 08/20] libtasn1: Add the documentation Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 09/20] key_protector: Add key protectors framework Gary Lin via Grub-devel
2024-04-12 17:25   ` Stefan Berger
2024-04-12  8:39 ` [PATCH v11 10/20] tpm2: Add TPM Software Stack (TSS) Gary Lin via Grub-devel
2024-04-12 15:26   ` Stefan Berger
2024-04-15  6:57     ` Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 11/20] key_protector: Add TPM2 Key Protector Gary Lin via Grub-devel
2024-04-12 18:57   ` Stefan Berger
2024-04-15  7:53     ` Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 12/20] cryptodisk: Support key protectors Gary Lin via Grub-devel
2024-04-12 20:00   ` Stefan Berger
2024-04-12  8:39 ` [PATCH v11 13/20] util/grub-protect: Add new tool Gary Lin via Grub-devel
2024-04-12 20:52   ` Stefan Berger
2024-04-15  9:40     ` Gary Lin via Grub-devel
2024-04-15 12:31       ` Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 14/20] tpm2: Support authorized policy Gary Lin via Grub-devel
2024-04-12 16:18   ` Stefan Berger
2024-04-12  8:39 ` [PATCH v11 15/20] tpm2: Implement NV index Gary Lin via Grub-devel
2024-04-12 20:56   ` Stefan Berger
2024-04-12  8:39 ` [PATCH v11 16/20] cryptodisk: Fallback to passphrase Gary Lin via Grub-devel
2024-04-12 21:13   ` Stefan Berger
2024-04-12 23:12     ` Patrick Colp via Grub-devel
2024-04-12  8:39 ` [PATCH v11 17/20] cryptodisk: wipe out the cached keys from protectors Gary Lin via Grub-devel
2024-04-12 21:04   ` Stefan Berger
2024-04-12  8:39 ` [PATCH v11 18/20] diskfilter: look up cryptodisk devices first Gary Lin via Grub-devel
2024-04-12  8:39 ` [PATCH v11 19/20] tpm2: Enable tpm2 module for grub-emu Gary Lin via Grub-devel
2024-04-12 21:03   ` Stefan Berger
2024-04-12  8:40 ` [PATCH v11 20/20] tests: Add tpm2_test Gary Lin via Grub-devel
2024-04-12 16:24 ` [PATCH v11 00/20] Automatic Disk Unlock with TPM2 Stefan Berger
2024-04-15  9:45   ` Gary Lin via Grub-devel
2024-04-15 14:26     ` Stefan Berger
2024-04-16  2:28       ` Gary Lin via Grub-devel [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240416022814.fr4r7gmx7rrkgkof@GaryLaptop \
    --to=grub-devel@gnu.org \
    --cc=christopher.co@microsoft.com \
    --cc=daniel.kiper@oracle.com \
    --cc=daniel.mihai@microsoft.com \
    --cc=development@efficientek.com \
    --cc=dja@axtens.net \
    --cc=glin@suse.com \
    --cc=hegatta@linux.microsoft.com \
    --cc=jaredz@redhat.com \
    --cc=jaskaran.khurana@microsoft.com \
    --cc=jejb@linux.ibm.com \
    --cc=mchang@suse.com \
    --cc=patrick.colp@oracle.com \
    --cc=shkhisti@microsoft.com \
    --cc=stefanb@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).