Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2
From: Gary Lin
Subject: Re: [PATCH v11 00/20] Automatic Disk Unlock with TPM2
Date: Tue, 16 Apr 2024 10:28:14 +0800
On Mon, Apr 15, 2024 at 10:26:32AM -0400, Stefan Berger wrote:
>
>
> On 4/15/24 05:45, Gary Lin wrote:
> > On Fri, Apr 12, 2024 at 12:24:36PM -0400, Stefan Berger wrote:
> > >
> > >
> > > On 4/12/24 04:39, Gary Lin via Grub-devel wrote:
> > > > GIT repo for v11: https://github.com/lcp/grub2/tree/tpm2-unlock-v11
> > > >
> > > > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > > > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > > > to GRUB2, and this could be a useful feature for the systems to
> > > > implement full disk encryption.
> > >
> > > You also need to extend the documentation with the command line steps and a
> > > IMO there has to be a warning for VM users that sealing to PCRs inside a VM
> > > is dangerous since the next package update may bring an update to TianoCore
> > > UEFI/SeaBIOS/SLOF/... showing different PCR values and unsealing will not
> > > work then.
> > >
> > For baremetal users, it still could happen after upgrading the firmware.
>
> Right but this is much rarer.
>
> > We surely need a place to notify users of this situation when using PCR
> > 0~7.
>
> PCRs 8-9 probably have to be all zeros at the time of sealing (running the
> user space application for setting this up) so they have the values at the
> time before grub measures kernel and initramfs, right?
>
For grub-protect, yes. On the other hand, pcr-oracle can predict PCR 9
based on the current grub.cfg and the eventlog. PCR 8 is tricky because
grub measures the command with the expanded variables, and pcr-oracle has
to be improved to parse all grub config files to make the prediction.
Gary Lin
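The PCR replay that the prediction discussed above relies on, as an added example (not code from this thread, GRUB, grub-protect or pcr-oracle): it replays a constructed TPM event log with the TPM2 extend operation, shows why a policy bound to PCR 0 stops matching after a firmware update while a PCR 7-only policy survives, and predicts PCR 9 from the file contents GRUB would measure. The firmware digests, the measured file contents and the simplified policy digest are constructed assumptions, not values from any real system.

```python
import hashlib

# SHA-256 PCR bank: every PCR is 32 zero bytes at platform reset.
PCR_RESET = bytes(32)

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2 extend operation: new_value = SHA-256(old_value || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_eventlog(events):
    """Replay (pcr_index, digest) entries in log order, as an event log
    consumer does, and return the predicted value of each touched PCR."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_RESET), digest)
    return pcrs

def predict_grub_pcr9(measured_files):
    """Predict PCR 9 after GRUB has measured the given file contents; GRUB
    extends PCR 9 with the SHA-256 of each file it loads, in load order."""
    return replay_eventlog([(9, hashlib.sha256(f).digest()) for f in measured_files])[9]

def pcr_policy_digest(pcrs, selection):
    """Simplified PCR policy binding (assumption): hash the selected PCR
    values in index order. The real TPM2 PolicyPCR digest also covers the
    command code and selection structure, but the property shown here is
    the same: any change in a selected PCR changes the digest."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(pcrs.get(idx, PCR_RESET))
    return h.hexdigest()

# Constructed firmware event logs: PCR 0 holds the firmware code digest,
# PCR 7 the Secure Boot state digest. FW_V2 models a firmware update.
FW_V1 = [(0, hashlib.sha256(b"firmware-build-1").digest()),
         (7, hashlib.sha256(b"secureboot-state").digest())]
FW_V2 = [(0, hashlib.sha256(b"firmware-build-2").digest()),
         (7, hashlib.sha256(b"secureboot-state").digest())]
# Constructed contents of the files GRUB would measure into PCR 9.
GRUB_FILES = [b"# constructed grub.cfg\nlinux /vmlinuz\ninitrd /initrd.img\n",
              b"constructed-kernel-image", b"constructed-initramfs"]

def sealing_survives_update(selection):
    """True if a policy sealed against FW_V1 still matches the PCRs after FW_V2."""
    before = pcr_policy_digest(replay_eventlog(FW_V1), selection)
    after = pcr_policy_digest(replay_eventlog(FW_V2), selection)
    return before == after

if __name__ == "__main__":
    print("PCR 0+7 policy survives firmware update:", sealing_survives_update({0, 7}))
    print("PCR 7-only policy survives firmware update:", sealing_survives_update({7}))
    print("Predicted PCR 9:", predict_grub_pcr9(GRUB_FILES).hex())
```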