grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v21 33/33] docs: Document TPM2 key protector


From: James Bottomley
Subject: Re: [PATCH v21 33/33] docs: Document TPM2 key protector
Date: Thu, 07 Nov 2024 12:11:15 -0500
User-agent: Evolution 3.42.4

On Wed, 2024-11-06 at 18:48 -0500, Stefan Berger wrote:
> 
> 
> On 11/4/24 2:32 AM, Gary Lin via Grub-devel wrote:
> > Update the user manual to address TPM2 key protector including the
> > two
> > related commands, tpm2_key_protector_init and
> > tpm2_key_protector_clear,
> > and the user-space utility: grub-protect.
> > 
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> 
> > +@example
> > +# @kbd{dd if=/dev/urandom of=luks.key bs=1 count=128}
> > +# @kbd{cryptsetup luksAddKey /dev/sda2 luks.key --pbkdf=pbkdf2 --
> > hash=sha512}
> > +@end example
> > +
> > +@subsection SRK mode
> > +
> > +To unlock the partition with SRK mode, assume that the sealed key
> > is in
> > +@file{(hd0,gpt1)/efi/grub/sealed.tpm}, the following GRUB commands
> > +unseal the disk key with SRK mode and supply it to
> > @command{cryptomount}.
> > +
> > +@example
> > +grub> @kbd{tpm2_key_protector_init --
> > keyfile=(hd0,gpt1)/efi/grub/sealed.tpm}
> > +grub> @kbd{cryptomount -u <UUID> -P tpm2}
> > +@end example
> 
> You may also want to give an example with --tpm2key= because it will
> go 
> along with the grub-protect --tpm2key option that you show. And you
> may 
> want to point that out to the user one when showing grub-protect with
> --tpm2key, because otherwise the key created by grub-protect --
> tpm2key 
> cannot be read since the key formats (there are 2 key formats) do not
> match and you'd need some sort of trouble shooting section...

I've said previously since nothing seems to use the non-standard keys,
there's no real reason to code them in a release.  However, even if you
have them, the standard TPM key format is designed to be completely
recognizable, since they should always begin 0x30 have the hex string
06066781050a (that's OBJECT :2.23.133.10.1.5) embedded at offset 2 or 3
(depending on how long the initial SEQUENCE is), so you should be able
to scan the file and recognize that it's a standard TPM key.

James




reply via email to

[Prev in Thread] Current Thread [Next in Thread]