Re: [PATCH v21 33/33] docs: Document TPM2 key protector
From: James Bottomley
Subject: Re: [PATCH v21 33/33] docs: Document TPM2 key protector
Date: Thu, 07 Nov 2024 12:11:15 -0500
User-agent: Evolution 3.42.4
On Wed, 2024-11-06 at 18:48 -0500, Stefan Berger wrote:
>
>
> On 11/4/24 2:32 AM, Gary Lin via Grub-devel wrote:
> > Update the user manual to address TPM2 key protector including the two
> > related commands, tpm2_key_protector_init and tpm2_key_protector_clear,
> > and the user-space utility: grub-protect.
> >
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
>
> > +@example
> > +# @kbd{dd if=/dev/urandom of=luks.key bs=1 count=128}
> > +# @kbd{cryptsetup luksAddKey /dev/sda2 luks.key --pbkdf=pbkdf2 --
> > hash=sha512}
> > +@end example
> > +
> > +@subsection SRK mode
> > +
> > +To unlock the partition with SRK mode, assume that the sealed key
> > is in
> > +@file{(hd0,gpt1)/efi/grub/sealed.tpm}, the following GRUB commands
> > +unseal the disk key with SRK mode and supply it to
> > @command{cryptomount}.
> > +
> > +@example
> > +grub> @kbd{tpm2_key_protector_init --
> > keyfile=(hd0,gpt1)/efi/grub/sealed.tpm}
> > +grub> @kbd{cryptomount -u <UUID> -P tpm2}
> > +@end example
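Review bot: the SRK mode example shows only the `--keyfile=` form of `tpm2_key_protector_init`, while the manual also shows `grub-protect --tpm2key`; since the two options expect different key file formats, this section should also show `tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm` and state next to each `grub-protect` invocation which GRUB option reads the file it produces, otherwise a user who sealed with `--tpm2key` gets an unexplained failure from `cryptomount -u <UUID> -P tpm2`. Minor wording: "To unlock the partition with SRK mode, assume that the sealed key is in @file{...}, the following GRUB commands unseal the disk key with SRK mode" runs two clauses together and repeats "SRK mode"; suggest "To unlock the partition in SRK mode, assuming the sealed key is in @file{(hd0,gpt1)/efi/grub/sealed.tpm}, use the following GRUB commands, which unseal the disk key and supply it to @command{cryptomount}:".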
>
> You may also want to give an example with --tpm2key= because it will go
> along with the grub-protect --tpm2key option that you show. And you may
> want to point that out to the user when showing grub-protect with
> --tpm2key, because otherwise the key created by grub-protect --tpm2key
> cannot be read since the key formats (there are 2 key formats) do not
> match and you'd need some sort of troubleshooting section...
I've said previously that since nothing seems to use the non-standard keys,
there's no real reason to code them in a release. However, even if you
have them, the standard TPM key format is designed to be completely
recognizable, since they should always begin with 0x30 and have the hex string
06066781050a (that's OBJECT :2.23.133.10.1.5) embedded at offset 2 or 3
(depending on how long the initial SEQUENCE is), so you should be able
to scan the file and recognize that it's a standard TPM key.
James
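The recognition check James describes, written out as an added example (this is not code from the GRUB patch series or from the mail thread): the file must start with a DER SEQUENCE tag (0x30), and the first element inside it must be an OBJECT IDENTIFIER under the 2.23.133.10 arc, whose tag, length and leading arcs encode to 06 06 67 81 05 0a. The block walks the DER length octets instead of scanning fixed offsets, so it also covers SEQUENCE lengths above 255 bytes (0x82 long form, OID at offset 4), which goes slightly beyond the "offset 2 or 3" rule in the mail; `has_mail_prefix` implements that quick rule as stated for comparison. The sample key files, the parent handle value and the dummy public/private contents are constructed here for illustration and are not real sealed objects.

```python
"""Recognise a standard TPM 2.0 key file (DER) by its leading SEQUENCE and OID.

All sample blobs below are constructed for illustration; none is a real
sealed key.
"""

TPM_KEY_OID_PREFIX = bytes.fromhex("06066781050a")  # tag, length, arcs 2.23.133.10
SEALED_DATA_OID = "2.23.133.10.1.5"                 # type OID quoted in the mail


def encode_oid(dotted):
    """DER value octets of a dotted OID (without the 0x06 tag and length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one value
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(value):
    """Inverse of encode_oid: DER value octets -> dotted string."""
    arcs, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    if cur or not arcs:
        raise ValueError("truncated OID")
    first = min(arcs[0] // 40, 2)                    # root arc is 0, 1 or 2
    return ".".join(str(x) for x in [first, arcs[0] - 40 * first] + arcs[1:])


def der_len(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def read_len(data, pos):
    """Parse the DER length at data[pos]; return (length, offset of the content)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def tpm_key_type(data):
    """Return (type OID, offset of the OID element) for a standard TPM 2.0 key
    file, or None. Walking the length octets puts the OID at offset 2 (short
    form), 3 (0x81 long form) or 4 (0x82 long form) without guessing."""
    try:
        if data[0] != 0x30:                          # outer SEQUENCE
            return None
        seq_len, pos = read_len(data, 1)
        if pos + seq_len > len(data) or data[pos] != 0x06:
            return None                              # truncated, or first element not an OID
        oid_len, oid_pos = read_len(data, pos + 1)
        oid = decode_oid(data[oid_pos:oid_pos + oid_len])
    except (IndexError, ValueError):
        return None
    return (oid, pos) if oid.startswith("2.23.133.10.") else None


def has_mail_prefix(data):
    """The quick rule from the mail: the 6-byte prefix sits at offset 2 or 3."""
    return any(data[off:off + 6] == TPM_KEY_OID_PREFIX for off in (2, 3))


def make_sample_key(priv_len):
    """Constructed TPMKey-shaped DER: type OID, parent INTEGER, then two OCTET
    STRINGs standing in for the public and private parts. Not a real key."""
    body = (
        der(0x06, encode_oid(SEALED_DATA_OID))
        + der(0x02, bytes.fromhex("0081000001"))     # parent handle (constructed value)
        + der(0x04, b"\x00" * 16)                     # dummy public part
        + der(0x04, b"\xff" * priv_len)               # dummy private part
    )
    return der(0x30, body)


if __name__ == "__main__":
    samples = (("short-form SEQUENCE", make_sample_key(16)),
               ("long-form 0x81", make_sample_key(200)),
               ("long-form 0x82", make_sample_key(300)),
               ("not DER (constructed junk)", b"\x00\x1a" + b"\x00" * 40))
    for name, blob in samples:
        print(f"{name:28s} walk={tpm_key_type(blob)} quick={has_mail_prefix(blob)}")
```

Running the block shows the third sample being recognised by the DER walk but missed by the fixed-offset rule, which is the caveat worth keeping in mind if the check is ever reduced to a string search.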