grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v16 13/20] util/grub-protect: Add new tool


From: Gary Lin
Subject: [PATCH v16 13/20] util/grub-protect: Add new tool
Date: Wed, 15 May 2024 13:07:05 +0800

From: Hernan Gatta <hegatta@linux.microsoft.com>

To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.

For the TPM2 key protector, the intended flow is for a user to have a
LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates a
new LUKS key file, say by reading /dev/urandom into a file, and creates
a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.

Sample usage:

$ dd if=/dev/urandom of=luks-key bs=1 count=32
$ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512

To seal the key with TPM 2.0 Key File (recommended):

$ sudo grub-protect --action=add \
                    --protector=tpm2 \
                    --tpm2-pcrs=0,2,4,7,9 \
                    --tpm2key \
                    --tpm2-keyfile=luks-key \
                    --tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm

Or, to seal the key with the raw sealed key:

$ sudo grub-protect --action=add \
                    --protector=tpm2 \
                    --tpm2-pcrs=0,2,4,7,9 \
                    --tpm2-keyfile=luks-key \
                    --tpm2-outfile=/boot/efi/boot/grub2/sealed.key

Then, in the boot script, for TPM 2.0 Key File:

tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u <SDB1_UUID> -P tpm2

Or, for the raw sealed key:

tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key 
--pcrs=0,2,4,7,9
cryptomount -u <SDB1_UUID> -P tpm2

The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.

Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
 .gitignore                |    2 +
 Makefile.util.def         |   24 +
 configure.ac              |   30 +
 docs/man/grub-protect.h2m |    4 +
 util/grub-protect.c       | 1420 +++++++++++++++++++++++++++++++++++++
 5 files changed, 1480 insertions(+)
 create mode 100644 docs/man/grub-protect.h2m
 create mode 100644 util/grub-protect.c

diff --git a/.gitignore b/.gitignore
index 11fcecf5c..5391f7e6a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -168,6 +168,8 @@ widthspec.bin
 /grub-ofpathname.exe
 /grub-probe
 /grub-probe.exe
+/grub-protect
+/grub-protect.exe
 /grub-reboot
 /grub-render-label
 /grub-render-label.exe
diff --git a/Makefile.util.def b/Makefile.util.def
index 19ad5a96f..40bfe713d 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -207,6 +207,30 @@ program = {
   ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
 };
 
+program = {
+  name = grub-protect;
+  mansection = 1;
+
+  common = grub-core/kern/emu/argp_common.c;
+  common = grub-core/osdep/init.c;
+  common = grub-core/tpm2/args.c;
+  common = grub-core/tpm2/buffer.c;
+  common = grub-core/tpm2/mu.c;
+  common = grub-core/tpm2/tpm2.c;
+  common = grub-core/tpm2/tpm2key_asn1_tab.c;
+  common = util/grub-protect.c;
+  common = util/probe.c;
+
+  ldadd = libgrubmods.a;
+  ldadd = libgrubgcry.a;
+  ldadd = libgrubkern.a;
+  ldadd = grub-core/lib/gnulib/libgnu.a;
+  ldadd = '$(LIBTASN1)';
+  ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) 
$(LIBGEOM)';
+
+  condition = COND_GRUB_PROTECT;
+};
+
 program = {
   name = grub-mkrelpath;
   mansection = 1;
diff --git a/configure.ac b/configure.ac
index 84a202c6e..3a07ab570 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
 grub_TRANSFORM([grub-mkrelpath])
 grub_TRANSFORM([grub-mkrescue])
 grub_TRANSFORM([grub-probe])
+grub_TRANSFORM([grub-protect])
 grub_TRANSFORM([grub-reboot])
 grub_TRANSFORM([grub-script-check])
 grub_TRANSFORM([grub-set-default])
@@ -2057,6 +2058,29 @@ fi
 AC_SUBST([LIBZFS])
 AC_SUBST([LIBNVPAIR])
 
+AC_ARG_ENABLE([grub-protect],
+             [AS_HELP_STRING([--enable-grub-protect],
+                             [build and install the `grub-protect' utility 
(default=guessed)])])
+if test x"$enable_grub_protect" = xno ; then
+  grub_protect_excuse="explicitly disabled"
+fi
+
+LIBTASN1=
+if test x"$grub_protect_excuse" = x ; then
+  AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], 
[grub_protect_excuse="need libtasn1 library"])
+fi
+AC_SUBST([LIBTASN1])
+
+if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; 
then
+  AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled 
($grub_protect_excuse)])
+fi
+if test x"$grub_protect_excuse" = x ; then
+enable_grub_protect=yes
+else
+enable_grub_protect=no
+fi
+AC_SUBST([enable_grub_protect])
+
 LIBS=""
 
 AC_SUBST([FONT_SOURCE])
@@ -2173,6 +2197,7 @@ AM_CONDITIONAL([COND_GRUB_EMU_SDL], [test 
x$enable_grub_emu_sdl = xyes])
 AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes])
 AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes])
 AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes])
+AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes])
 AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x])
 if test x$FONT_SOURCE != x ; then
    HAVE_FONT_SOURCE=1
@@ -2300,6 +2325,11 @@ echo grub-mount: Yes
 else
 echo grub-mount: No "($grub_mount_excuse)"
 fi
+if [ x"$grub_protect_excuse" = x ]; then
+echo grub-protect: Yes
+else
+echo grub-protect: No "($grub_protect_excuse)"
+fi
 if [ x"$starfield_excuse" = x ]; then
 echo starfield theme: Yes
 echo With DejaVuSans font from $DJVU_FONT_SOURCE
diff --git a/docs/man/grub-protect.h2m b/docs/man/grub-protect.h2m
new file mode 100644
index 000000000..3bfa8b645
--- /dev/null
+++ b/docs/man/grub-protect.h2m
@@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to pretect a disk encryption key with a specified key 
protector.
diff --git a/util/grub-protect.c b/util/grub-protect.c
new file mode 100644
index 000000000..869f45861
--- /dev/null
+++ b/util/grub-protect.c
@@ -0,0 +1,1420 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *  Copyright (C) 2023 SUSE LLC
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <libtasn1.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <grub/emu/hostdisk.h>
+#include <grub/emu/misc.h>
+#include <grub/tpm2/buffer.h>
+#include <grub/tpm2/internal/args.h>
+#include <grub/tpm2/mu.h>
+#include <grub/tpm2/tcg2.h>
+#include <grub/tpm2/tpm2.h>
+#include <grub/util/misc.h>
+
+#pragma GCC diagnostic ignored "-Wmissing-prototypes"
+#pragma GCC diagnostic ignored "-Wmissing-declarations"
+#include <argp.h>
+#pragma GCC diagnostic error "-Wmissing-prototypes"
+#pragma GCC diagnostic error "-Wmissing-declarations"
+
+#include "progname.h"
+
+/* Unprintable option keys for argp */
+typedef enum grub_protect_opt
+{
+  /* General */
+  GRUB_PROTECT_OPT_ACTION      = 'a',
+  GRUB_PROTECT_OPT_PROTECTOR   = 'p',
+  /* TPM2 */
+  GRUB_PROTECT_OPT_TPM2_DEVICE = 0x100,
+  GRUB_PROTECT_OPT_TPM2_PCRS,
+  GRUB_PROTECT_OPT_TPM2_ASYMMETRIC,
+  GRUB_PROTECT_OPT_TPM2_BANK,
+  GRUB_PROTECT_OPT_TPM2_SRK,
+  GRUB_PROTECT_OPT_TPM2_KEYFILE,
+  GRUB_PROTECT_OPT_TPM2_OUTFILE,
+  GRUB_PROTECT_OPT_TPM2_EVICT,
+  GRUB_PROTECT_OPT_TPM2_TPM2KEY
+} grub_protect_opt;
+
+/* Option flags to keep track of specified arguments */
+typedef enum grub_protect_arg
+{
+  /* General */
+  GRUB_PROTECT_ARG_ACTION          = 1 << 0,
+  GRUB_PROTECT_ARG_PROTECTOR       = 1 << 1,
+  /* TPM2 */
+  GRUB_PROTECT_ARG_TPM2_DEVICE     = 1 << 2,
+  GRUB_PROTECT_ARG_TPM2_PCRS       = 1 << 3,
+  GRUB_PROTECT_ARG_TPM2_ASYMMETRIC = 1 << 4,
+  GRUB_PROTECT_ARG_TPM2_BANK       = 1 << 5,
+  GRUB_PROTECT_ARG_TPM2_SRK        = 1 << 6,
+  GRUB_PROTECT_ARG_TPM2_KEYFILE    = 1 << 7,
+  GRUB_PROTECT_ARG_TPM2_OUTFILE    = 1 << 8,
+  GRUB_PROTECT_ARG_TPM2_EVICT      = 1 << 9,
+  GRUB_PROTECT_ARG_TPM2_TPM2KEY    = 1 << 10
+} grub_protect_arg_t;
+
+typedef enum grub_protect_protector
+{
+  GRUB_PROTECT_TYPE_ERROR,
+  GRUB_PROTECT_TYPE_TPM2
+} grub_protect_protector_t;
+
+typedef enum grub_protect_action
+{
+  GRUB_PROTECT_ACTION_ERROR,
+  GRUB_PROTECT_ACTION_ADD,
+  GRUB_PROTECT_ACTION_REMOVE
+} grub_protect_action_t;
+
+struct grub_protect_args
+{
+  grub_protect_arg_t args;
+  grub_protect_action_t action;
+  grub_protect_protector_t protector;
+
+  const char *tpm2_device;
+  grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
+  grub_uint8_t tpm2_pcr_count;
+  grub_srk_type_t srk_type;
+  TPM_ALG_ID tpm2_bank;
+  TPM_HANDLE tpm2_srk;
+  const char *tpm2_keyfile;
+  const char *tpm2_outfile;
+  int tpm2_evict;
+  int tpm2_tpm2key;
+};
+
+static struct argp_option grub_protect_options[] =
+  {
+    /* Top-level options */
+   {
+      .name  = "action",
+      .key   = 'a',
+      .arg   = "add|remove",
+      .flags = 0,
+      .doc   =
+       N_("Add or remove a key protector to or from a key."),
+      .group = 0
+    },
+    {
+      .name  = "protector",
+      .key   = 'p',
+      .arg   = "tpm2",
+      .flags = 0,
+      .doc   =
+       N_("Key protector to use (only tpm2 is currently supported)."),
+      .group = 0
+    },
+    /* TPM2 key protector options */
+    {
+      .name = "tpm2-device",
+      .key   = GRUB_PROTECT_OPT_TPM2_DEVICE,
+      .arg   = "FILE",
+      .flags = 0,
+      .doc   =
+       N_("Path to the TPM2 device. (default: /dev/tpm0)"),
+      .group = 0
+    },
+    {
+      .name = "tpm2-pcrs",
+      .key   = GRUB_PROTECT_OPT_TPM2_PCRS,
+      .arg   = "0[,1]...",
+      .flags = 0,
+      .doc   =
+       N_("Comma-separated list of PCRs used to authorize key release "
+          "e.g., '7,11'. Please be aware that PCR 0~7 are used by the "
+          "firmware and the measurement result may change after a "
+          "firmware update (for baremetal systems) or a package "
+          "(OVMF/SeaBIOS/SLOF) update in the VM host. This may lead to"
+          "the failure of key unsealing. (default: 7)"),
+      .group = 0
+    },
+    {
+      .name = "tpm2-bank",
+      .key  = GRUB_PROTECT_OPT_TPM2_BANK,
+      .arg   = "ALG",
+      .flags = 0,
+      .doc   =
+       N_("Bank of PCRs used to authorize key release: "
+          "SHA1, SHA256, SHA384, or SHA512. (default: SHA256)"),
+      .group = 0
+    },
+    {
+      .name = "tpm2-keyfile",
+      .key   = GRUB_PROTECT_OPT_TPM2_KEYFILE,
+      .arg   = "FILE",
+      .flags = 0,
+      .doc   =
+       N_("Path to a file that contains the cleartext key to protect."),
+      .group = 0
+    },
+    {
+      .name = "tpm2-outfile",
+      .key   = GRUB_PROTECT_OPT_TPM2_OUTFILE,
+      .arg   = "FILE",
+      .flags = 0,
+      .doc   =
+       N_("Path to the file that will contain the key after sealing (must be "
+          "accessible to GRUB during boot)."),
+      .group = 0
+    },
+    {
+      .name = "tpm2-srk",
+      .key   = GRUB_PROTECT_OPT_TPM2_SRK,
+      .arg   = "NUM",
+      .flags = 0,
+      .doc   =
+       N_("The SRK handle if the SRK is to be made persistent."),
+      .group = 0
+    },
+    {
+      .name = "tpm2-asymmetric",
+      .key   = GRUB_PROTECT_OPT_TPM2_ASYMMETRIC,
+      .arg   = "TYPE",
+      .flags = 0,
+      .doc   =
+       N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
+          "(default: ECC)"),
+      .group = 0
+    },
+    {
+      .name = "tpm2-evict",
+      .key   = GRUB_PROTECT_OPT_TPM2_EVICT,
+      .arg   = NULL,
+      .flags = 0,
+      .doc   =
+       N_("Evict a previously persisted SRK from the TPM, if any."),
+      .group = 0
+    },
+    {
+      .name = "tpm2key",
+      .key   = GRUB_PROTECT_OPT_TPM2_TPM2KEY,
+      .arg   = NULL,
+      .flags = 0,
+      .doc   =
+       N_("Use TPM 2.0 Key File format instead of the raw format."),
+      .group = 0
+    },
+    /* End of list */
+    { 0, 0, 0, 0, 0, 0 }
+  };
+
+static int grub_protector_tpm2_fd = -1;
+
+static grub_err_t
+grub_protect_read_file (const char *filepath, void **buffer,
+                       size_t *buffer_size)
+{
+  grub_err_t err;
+  FILE *f;
+  long len;
+  void *buf;
+
+  f = fopen (filepath, "rb");
+  if (f == NULL)
+    return GRUB_ERR_FILE_NOT_FOUND;
+
+  if (fseek (f, 0, SEEK_END))
+    {
+       err = GRUB_ERR_FILE_READ_ERROR;
+       goto exit1;
+    }
+
+  len = ftell (f);
+  if (len <= 0)
+    {
+       err = GRUB_ERR_FILE_READ_ERROR;
+       goto exit1;
+    }
+
+  rewind (f);
+
+  buf = grub_malloc (len);
+  if (buf == NULL)
+    {
+       err = GRUB_ERR_OUT_OF_MEMORY;
+       goto exit1;
+    }
+
+  if (fread (buf, len, 1, f) != 1)
+    {
+       err = GRUB_ERR_FILE_READ_ERROR;
+       goto exit2;
+    }
+
+  *buffer = buf;
+  *buffer_size = len;
+
+  buf = NULL;
+  err = GRUB_ERR_NONE;
+
+exit2:
+  grub_free (buf);
+
+exit1:
+  fclose (f);
+
+  return err;
+}
+
+static grub_err_t
+grub_protect_write_file (const char *filepath, void *buffer, size_t 
buffer_size)
+{
+  grub_err_t err;
+  FILE *f;
+
+  f = fopen (filepath, "wb");
+  if (f == NULL)
+    return GRUB_ERR_FILE_NOT_FOUND;
+
+  if (fwrite (buffer, buffer_size, 1, f) != 1)
+  {
+    err = GRUB_ERR_WRITE_ERROR;
+    goto exit1;
+  }
+
+  err = GRUB_ERR_NONE;
+
+exit1:
+  fclose (f);
+
+  return err;
+}
+
+grub_err_t
+grub_tcg2_get_max_output_size (grub_size_t *size)
+{
+  if (size == NULL)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  *size = GRUB_TPM2_BUFFER_CAPACITY;
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tcg2_submit_command (grub_size_t input_size, grub_uint8_t *input,
+                         grub_size_t output_size, grub_uint8_t *output)
+{
+  static const grub_size_t header_size = sizeof (grub_uint16_t) +
+                                        (2 * sizeof(grub_uint32_t));
+
+  if (write (grub_protector_tpm2_fd, input, input_size) != input_size)
+    return GRUB_ERR_BAD_DEVICE;
+
+  if (read (grub_protector_tpm2_fd, output, output_size) < header_size)
+    return GRUB_ERR_BAD_DEVICE;
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_tpm2_open_device (const char *dev_node)
+{
+  if (grub_protector_tpm2_fd != -1)
+    return GRUB_ERR_NONE;
+
+  grub_protector_tpm2_fd = open (dev_node, O_RDWR);
+  if (grub_protector_tpm2_fd == -1)
+    {
+      fprintf (stderr, _("Could not open TPM device (%s).\n"), strerror 
(errno));
+      return GRUB_ERR_FILE_NOT_FOUND;
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_tpm2_close_device (void)
+{
+  int err;
+
+  if (grub_protector_tpm2_fd == -1)
+    return GRUB_ERR_NONE;
+
+  err = close (grub_protector_tpm2_fd);
+  if (err != GRUB_ERR_NONE)
+  {
+    fprintf (stderr, _("Could not close TPM device (Error: %u).\n"), errno);
+    return GRUB_ERR_IO;
+  }
+
+  grub_protector_tpm2_fd = -1;
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_tpm2_get_policy_digest (struct grub_protect_args *args,
+                                    TPM2B_DIGEST *digest)
+{
+  TPM_RC rc;
+  TPML_PCR_SELECTION pcr_sel = {
+    .count = 1,
+    .pcrSelections = {
+      {
+       .hash = args->tpm2_bank,
+       .sizeOfSelect = 3,
+       .pcrSelect = { 0 }
+      },
+    }
+  };
+  TPML_PCR_SELECTION pcr_sel_out = { 0 };
+  TPML_DIGEST pcr_values = { 0 };
+  TPM2B_DIGEST pcr_digest = { 0 };
+  grub_size_t pcr_digest_len;
+  TPM2B_MAX_BUFFER pcr_concat = { 0 };
+  grub_size_t pcr_concat_len;
+  grub_uint8_t *pcr_cursor;
+  TPM2B_NONCE nonce = { 0 };
+  TPM2B_ENCRYPTED_SECRET salt = { 0 };
+  TPMT_SYM_DEF symmetric = { 0 };
+  TPMI_SH_AUTH_SESSION session = 0;
+  TPM2B_DIGEST policy_digest = { 0 };
+  grub_uint8_t i;
+  grub_err_t err;
+
+  /* PCR Read */
+  for (i = 0; i < args->tpm2_pcr_count; i++)
+    TPMS_PCR_SELECTION_SelectPCR (&pcr_sel.pcrSelections[0], 
args->tpm2_pcrs[i]);
+
+  rc = TPM2_PCR_Read (NULL, &pcr_sel, NULL, &pcr_sel_out, &pcr_values, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to read PCRs (TPM2_PCR_Read: 0x%x).\n"), rc);
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  if ((pcr_sel_out.count != pcr_sel.count) ||
+       (pcr_sel.pcrSelections[0].sizeOfSelect !=
+       pcr_sel_out.pcrSelections[0].sizeOfSelect))
+    {
+      fprintf (stderr, _("Could not read all the specified PCRs.\n"));
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  /* Compute PCR Digest */
+  switch (args->tpm2_bank)
+    {
+    case TPM_ALG_SHA1:
+      pcr_digest_len = TPM_SHA1_DIGEST_SIZE;
+      break;
+    case TPM_ALG_SHA256:
+      pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
+      break;
+    case TPM_ALG_SHA384:
+      pcr_digest_len = TPM_SHA384_DIGEST_SIZE;
+      break;
+    case TPM_ALG_SHA512:
+      pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
+      break;
+    default:
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  pcr_concat_len = pcr_digest_len * args->tpm2_pcr_count;
+  if (pcr_concat_len > TPM_MAX_DIGEST_BUFFER)
+    {
+      fprintf (stderr, _("PCR concatenation buffer not enough.\n"));
+      return GRUB_ERR_OUT_OF_RANGE;
+    }
+
+  pcr_cursor = pcr_concat.buffer;
+  for (i = 0; i < args->tpm2_pcr_count; i++)
+    {
+      if (pcr_values.digests[i].size != pcr_digest_len)
+       {
+         fprintf (stderr,
+                  _("Bad PCR value size: expected %" PRIuGRUB_SIZE " bytes but 
got %u bytes.\n"),
+                  pcr_digest_len, pcr_values.digests[i].size);
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      grub_memcpy (pcr_cursor, pcr_values.digests[i].buffer, pcr_digest_len);
+      pcr_cursor += pcr_digest_len;
+    }
+  pcr_concat.size = pcr_concat_len;
+
+  rc = TPM2_Hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest,
+                 NULL, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to generate PCR digest (TPM2_Hash: 0x%x)\n"), 
rc);
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  /* Start Trial Session */
+  nonce.size = TPM_SHA256_DIGEST_SIZE;
+  symmetric.algorithm = TPM_ALG_NULL;
+
+  rc = TPM2_StartAuthSession (TPM_RH_NULL, TPM_RH_NULL, 0, &nonce, &salt,
+                             TPM_SE_TRIAL, &symmetric, TPM_ALG_SHA256,
+                             &session, NULL, 0);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr,
+              _("Failed to start trial policy session (TPM2_StartAuthSession: 
0x%x).\n"),
+              rc);
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  /* PCR Policy */
+  rc = TPM2_PolicyPCR (session, NULL, &pcr_digest, &pcr_sel, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR: 
0x%x).\n"),
+              rc);
+      err = GRUB_ERR_BAD_DEVICE;
+      goto error;
+    }
+
+  /* Retrieve Policy Digest */
+  rc = TPM2_PolicyGetDigest (session, NULL, &policy_digest, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest: 
0x%x).\n"),
+              rc);
+      err = GRUB_ERR_BAD_DEVICE;
+      goto error;
+    }
+
+  /* Epilogue */
+  *digest = policy_digest;
+  err = GRUB_ERR_NONE;
+
+error:
+  TPM2_FlushContext (session);
+
+  return err;
+}
+
+static grub_err_t
+grub_protect_tpm2_get_srk (struct grub_protect_args *args, TPM_HANDLE *srk)
+{
+  TPM_RC rc;
+  TPM2B_PUBLIC public;
+  TPMS_AUTH_COMMAND authCommand = { 0 };
+  TPM2B_SENSITIVE_CREATE inSensitive = { 0 };
+  TPM2B_PUBLIC inPublic = { 0 };
+  TPM2B_DATA outsideInfo = { 0 };
+  TPML_PCR_SELECTION creationPcr = { 0 };
+  TPM2B_PUBLIC outPublic = { 0 };
+  TPM2B_CREATION_DATA creationData = { 0 };
+  TPM2B_DIGEST creationHash = { 0 };
+  TPMT_TK_CREATION creationTicket = { 0 };
+  TPM2B_NAME srkName = { 0 };
+  TPM_HANDLE srkHandle;
+
+  if (args->tpm2_srk != 0)
+    {
+      /* Find SRK */
+      rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
+      if (rc == TPM_RC_SUCCESS)
+       {
+         printf (_("Read SRK from 0x%x\n"), args->tpm2_srk);
+         *srk = args->tpm2_srk;
+         return GRUB_ERR_NONE;
+       }
+
+      /* The handle exists but its public area could not be read. */
+      if ((rc & ~TPM_RC_N_MASK) != TPM_RC_HANDLE)
+       {
+         fprintf (stderr,
+                  _("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic: 
0x%x).\n"),
+                  args->tpm2_srk, rc);
+         return GRUB_ERR_BAD_DEVICE;
+       }
+    }
+
+  /* Create SRK */
+  authCommand.sessionHandle = TPM_RS_PW;
+  inPublic.publicArea.type = args->srk_type.type;
+  inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+  inPublic.publicArea.objectAttributes.restricted = 1;
+  inPublic.publicArea.objectAttributes.userWithAuth = 1;
+  inPublic.publicArea.objectAttributes.decrypt = 1;
+  inPublic.publicArea.objectAttributes.fixedTPM = 1;
+  inPublic.publicArea.objectAttributes.fixedParent = 1;
+  inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+  inPublic.publicArea.objectAttributes.noDA = 1;
+
+  switch (args->srk_type.type)
+    {
+    case TPM_ALG_RSA:
+      inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = 
TPM_ALG_AES;
+      inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+      inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
+      inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+      inPublic.publicArea.parameters.rsaDetail.keyBits = 
args->srk_type.detail.rsa_bits;
+      inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+      break;
+
+    case TPM_ALG_ECC:
+      inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = 
TPM_ALG_AES;
+      inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+      inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = 
TPM_ALG_CFB;
+      inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+      inPublic.publicArea.parameters.eccDetail.curveID = 
args->srk_type.detail.ecc_curve;
+      inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+      break;
+
+    default:
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  rc = TPM2_CreatePrimary (TPM_RH_OWNER, &authCommand, &inSensitive, &inPublic,
+                          &outsideInfo, &creationPcr, &srkHandle, &outPublic,
+                          &creationData, &creationHash, &creationTicket,
+                          &srkName, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to create SRK (TPM2_CreatePrimary: 
0x%x).\n"), rc);
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  /* Persist SRK */
+  if (args->tpm2_srk != 0)
+    {
+      rc = TPM2_EvictControl (TPM_RH_OWNER, srkHandle, &authCommand,
+                             args->tpm2_srk, NULL);
+      if (rc == TPM_RC_SUCCESS)
+       {
+         TPM2_FlushContext (srkHandle);
+         srkHandle = args->tpm2_srk;
+       }
+      else
+       fprintf (stderr,
+                _("Warning: Failed to persist SRK (0x%x) (TPM2_EvictControl: 
0x%x\n). "
+                  "Continuing anyway...\n"), args->tpm2_srk, rc);
+    }
+
+  /* Epilogue */
+  *srk = srkHandle;
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_tpm2_seal (TPM2B_DIGEST *policyDigest, TPM_HANDLE srk,
+                       grub_uint8_t *clearText, grub_size_t clearTextLength,
+                       TPM2_SEALED_KEY *sealed_key)
+{
+  TPM_RC rc;
+  TPMS_AUTH_COMMAND authCommand = { 0 };
+  TPM2B_SENSITIVE_CREATE inSensitive = { 0 };
+  TPM2B_PUBLIC inPublic  = { 0 };
+  TPM2B_DATA outsideInfo = { 0 };
+  TPML_PCR_SELECTION pcr_sel = { 0 };
+  TPM2B_PRIVATE outPrivate = { 0 };
+  TPM2B_PUBLIC outPublic = { 0 };
+
+  /* Seal Data */
+  authCommand.sessionHandle = TPM_RS_PW;
+
+  inSensitive.sensitive.data.size = clearTextLength;
+  memcpy(inSensitive.sensitive.data.buffer, clearText, clearTextLength);
+
+  inPublic.publicArea.type = TPM_ALG_KEYEDHASH;
+  inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+  inPublic.publicArea.parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL;
+  inPublic.publicArea.authPolicy = *policyDigest;
+
+  rc = TPM2_Create (srk, &authCommand, &inSensitive, &inPublic, &outsideInfo,
+                   &pcr_sel, &outPrivate, &outPublic, NULL, NULL, NULL, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to seal key (TPM2_Create: 0x%x).\n"), rc);
+      return GRUB_ERR_BAD_DEVICE;
+    }
+
+  /* Epilogue */
+  sealed_key->public = outPublic;
+  sealed_key->private = outPrivate;
+
+  return GRUB_ERR_NONE;
+}
+
+extern asn1_static_node tpm2key_asn1_tab[];
+
+static grub_err_t
+grub_protect_tpm2_export_tpm2key (const struct grub_protect_args *args,
+                                 TPM2_SEALED_KEY *sealed_key)
+{
+  const char *sealed_key_oid = "2.23.133.10.1.5";
+  asn1_node asn1_def = NULL;
+  asn1_node tpm2key = NULL;
+  grub_uint32_t parent;
+  grub_uint32_t cmd_code;
+  struct grub_tpm2_buffer pol_buf;
+  TPML_PCR_SELECTION pcr_sel = {
+    .count = 1,
+    .pcrSelections = {
+      {
+       .hash = args->tpm2_bank,
+       .sizeOfSelect = 3,
+       .pcrSelect = { 0 }
+      },
+    }
+  };
+  struct grub_tpm2_buffer pub_buf;
+  struct grub_tpm2_buffer priv_buf;
+  void *der_buf = NULL;
+  int der_buf_size = 0;
+  int i;
+  int ret;
+  grub_err_t err;
+
+  for (i = 0; i < args->tpm2_pcr_count; i++)
+    TPMS_PCR_SELECTION_SelectPCR (&pcr_sel.pcrSelections[0], 
args->tpm2_pcrs[i]);
+
+  /*
+   * Prepare the parameters for TPM_CC_PolicyPCR:
+   * empty pcrDigest and the user selected PCRs
+   */
+  grub_tpm2_buffer_init (&pol_buf);
+  grub_tpm2_buffer_pack_u16 (&pol_buf, 0);
+  grub_tpm2_mu_TPML_PCR_SELECTION_Marshal (&pol_buf, &pcr_sel);
+
+  grub_tpm2_buffer_init (&pub_buf);
+  grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&pub_buf, &sealed_key->public);
+  grub_tpm2_buffer_init (&priv_buf);
+  grub_tpm2_mu_TPM2B_Marshal (&priv_buf, sealed_key->private.size,
+                             sealed_key->private.buffer);
+  if (pub_buf.error != 0 || priv_buf.error != 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  ret = asn1_array2tree (tpm2key_asn1_tab, &asn1_def, NULL);
+  if (ret != ASN1_SUCCESS)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  ret = asn1_create_element (asn1_def, "TPM2KEY.TPMKey" , &tpm2key);
+  if (ret != ASN1_SUCCESS)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  /* Set 'type' to "sealed key" */
+  ret = asn1_write_value (tpm2key, "type", sealed_key_oid, 1);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'type': 0x%u\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Set 'emptyAuth' to TRUE */
+  ret = asn1_write_value (tpm2key, "emptyAuth", "TRUE", 1);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'emptyAuth': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Set 'policy' */
+  ret = asn1_write_value (tpm2key, "policy", "NEW", 1);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'policy': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+  cmd_code = grub_cpu_to_be32 (TPM_CC_PolicyPCR);
+  ret = asn1_write_value (tpm2key, "policy.?LAST.CommandCode", &cmd_code,
+                         sizeof (cmd_code));
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'policy CommandCode': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+  ret = asn1_write_value (tpm2key, "policy.?LAST.CommandPolicy", &pol_buf.data,
+                         pol_buf.size);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'policy CommandPolicy': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Remove 'secret' */
+  ret = asn1_write_value (tpm2key, "secret", NULL, 0);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to remove 'secret': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Remove 'authPolicy' */
+  ret = asn1_write_value (tpm2key, "authPolicy", NULL, 0);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to remove 'authPolicy': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Remove 'description' */
+  ret = asn1_write_value (tpm2key, "description", NULL, 0);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to remove 'description': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /*
+   *  Use the SRK handle as the parent handle if specified
+   *  Otherwise, Use TPM_RH_OWNER as the default parent handle
+  */
+  if (args->tpm2_srk != 0)
+    parent = grub_cpu_to_be32 (args->tpm2_srk);
+  else
+    parent = grub_cpu_to_be32 (TPM_RH_OWNER);
+  ret = asn1_write_value (tpm2key, "parent", &parent, sizeof (parent));
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'parent': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /*
+   * Set 'rsaParent' to TRUE if the RSA SRK is specified and the SRK
+   * handle is not persistent. Otherwise, remove 'rsaParent'.
+   */
+  if (args->tpm2_srk == 0 && args->srk_type.type == TPM_ALG_RSA)
+    ret = asn1_write_value (tpm2key, "rsaParent", "TRUE", 1);
+  else
+    ret = asn1_write_value (tpm2key, "rsaParent", NULL, 0);
+
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'rsaParent': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Set the pubkey */
+  ret = asn1_write_value (tpm2key, "pubkey", pub_buf.data, pub_buf.size);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'pubkey': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Set the privkey */
+  ret = asn1_write_value (tpm2key, "privkey", priv_buf.data, priv_buf.size);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, _("Failed to set 'privkey': 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  /* Create the DER binary */
+  der_buf_size = 0;
+  ret = asn1_der_coding (tpm2key, "", NULL, &der_buf_size, NULL);
+  if (ret != ASN1_MEM_ERROR)
+    {
+      fprintf (stderr, _("Failed to get DER size: 0x%x\n"), ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  der_buf = grub_malloc (der_buf_size);
+  if (der_buf == NULL)
+    {
+      fprintf (stderr, _("Failed to allocate memory for DER encoding\n"));
+      err = GRUB_ERR_OUT_OF_MEMORY;
+      goto error;
+    }
+
+  ret = asn1_der_coding (tpm2key, "", der_buf, &der_buf_size, NULL);
+  if (ret != ASN1_SUCCESS)
+    {
+      fprintf (stderr, "DER coding error: 0x%x\n", ret);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto error;
+    }
+
+  err = grub_protect_write_file (args->tpm2_outfile, der_buf, der_buf_size);
+  if (err != GRUB_ERR_NONE)
+    fprintf (stderr, _("Could not write tpm2key file (Error: %u).\n"),
+            errno);
+
+error:
+  grub_free (der_buf);
+
+  if (tpm2key)
+    asn1_delete_structure (&tpm2key);
+
+  return err;
+}
+
+static grub_err_t
+grub_protect_tpm2_export_sealed_key (const char *filepath,
+                                    TPM2_SEALED_KEY *sealed_key)
+{
+  grub_err_t err;
+  struct grub_tpm2_buffer buf;
+
+  grub_tpm2_buffer_init (&buf);
+  grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&buf, &sealed_key->public);
+  grub_tpm2_mu_TPM2B_Marshal (&buf, sealed_key->private.size,
+                             sealed_key->private.buffer);
+  if (buf.error != 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  err = grub_protect_write_file (filepath, buf.data, buf.size);
+  if (err != GRUB_ERR_NONE)
+    fprintf (stderr, _("Could not write sealed key file (Error: %u).\n"),
+            errno);
+
+  return err;
+}
+
+static grub_err_t
+grub_protect_tpm2_add (struct grub_protect_args *args)
+{
+  grub_err_t err;
+  grub_uint8_t *key = NULL;
+  grub_size_t key_size;
+  TPM_HANDLE srk;
+  TPM2B_DIGEST policy_digest;
+  TPM2_SEALED_KEY sealed_key;
+
+  err = grub_protect_tpm2_open_device (args->tpm2_device);
+  if (err != GRUB_ERR_NONE)
+    return err;
+
+  err = grub_protect_read_file (args->tpm2_keyfile, (void **)&key, &key_size);
+  if (err != GRUB_ERR_NONE)
+    goto exit1;
+
+  if (key_size > TPM_MAX_SYM_DATA)
+  {
+    fprintf (stderr,
+            _("Input key is too long, maximum allowed size is %u bytes.\n"),
+            TPM_MAX_SYM_DATA);
+    err = GRUB_ERR_OUT_OF_RANGE;
+    goto exit2;
+  }
+
+  err = grub_protect_tpm2_get_srk (args, &srk);
+  if (err != GRUB_ERR_NONE)
+    goto exit2;
+
+  err = grub_protect_tpm2_get_policy_digest (args, &policy_digest);
+  if (err != GRUB_ERR_NONE)
+    goto exit3;
+
+  err = grub_protect_tpm2_seal (&policy_digest, srk, key, key_size,
+                               &sealed_key);
+  if (err != GRUB_ERR_NONE)
+    goto exit3;
+
+  if (args->tpm2_tpm2key)
+    err = grub_protect_tpm2_export_tpm2key (args, &sealed_key);
+  else
+    err = grub_protect_tpm2_export_sealed_key (args->tpm2_outfile, 
&sealed_key);
+  if (err != GRUB_ERR_NONE)
+    goto exit3;
+
+exit3:
+  TPM2_FlushContext (srk);
+
+exit2:
+  grub_free (key);
+
+exit1:
+  grub_protect_tpm2_close_device ();
+
+  return err;
+}
+
+static grub_err_t
+grub_protect_tpm2_remove (struct grub_protect_args *args)
+{
+  TPM_RC rc;
+  TPM2B_PUBLIC public;
+  TPMS_AUTH_COMMAND authCommand = { 0 };
+  grub_err_t err;
+
+  if (args->tpm2_evict == 0)
+    {
+      printf (_("--tpm2-evict not specified, nothing to do.\n"));
+      return GRUB_ERR_NONE;
+    }
+
+  err = grub_protect_tpm2_open_device (args->tpm2_device);
+  if (err != GRUB_ERR_NONE)
+    return err;
+
+  /* Find SRK */
+  rc = TPM2_ReadPublic (args->tpm2_srk, NULL, &public);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr, _("SRK with handle 0x%x not found.\n"), args->tpm2_srk);
+      err = GRUB_ERR_BAD_ARGUMENT;
+      goto exit1;
+    }
+
+  /* Evict SRK */
+  authCommand.sessionHandle = TPM_RS_PW;
+
+  rc = TPM2_EvictControl (TPM_RH_OWNER, args->tpm2_srk, &authCommand,
+                         args->tpm2_srk, NULL);
+  if (rc != TPM_RC_SUCCESS)
+    {
+      fprintf (stderr,
+              _("Failed to evict SRK with handle 0x%x (TPM2_EvictControl: 
0x%x).\n"),
+              args->tpm2_srk, rc);
+      err = GRUB_ERR_BAD_DEVICE;
+      goto exit2;
+    }
+
+  err = GRUB_ERR_NONE;
+
+exit2:
+  TPM2_FlushContext (args->tpm2_srk);
+
+exit1:
+  grub_protect_tpm2_close_device ();
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_tpm2_run (struct grub_protect_args *args)
+{
+  switch (args->action)
+    {
+    case GRUB_PROTECT_ACTION_ADD:
+      return grub_protect_tpm2_add (args);
+
+    case GRUB_PROTECT_ACTION_REMOVE:
+      return grub_protect_tpm2_remove (args);
+
+    default:
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+}
+
+static grub_err_t
+grub_protect_tpm2_args_verify (struct grub_protect_args *args)
+{
+  switch (args->action)
+    {
+    case GRUB_PROTECT_ACTION_ADD:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_EVICT)
+       {
+         fprintf (stderr,
+                  _("--tpm2-evict is invalid when --action is 'add'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->tpm2_keyfile == NULL)
+       {
+         fprintf (stderr, _("--tpm2-keyfile must be specified.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->tpm2_outfile == NULL)
+       {
+         fprintf (stderr, _("--tpm2-outfile must be specified.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->tpm2_device == NULL)
+       args->tpm2_device = "/dev/tpm0";
+
+      if (args->tpm2_pcr_count == 0)
+       {
+         args->tpm2_pcrs[0] = 7;
+         args->tpm2_pcr_count = 1;
+       }
+
+      if (args->srk_type.type == TPM_ALG_ERROR)
+       {
+         args->srk_type.type = TPM_ALG_ECC;
+         args->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256;
+       }
+
+      if (args->tpm2_bank == TPM_ALG_ERROR)
+       args->tpm2_bank = TPM_ALG_SHA256;
+
+      break;
+
+    case GRUB_PROTECT_ACTION_REMOVE:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_ASYMMETRIC)
+       {
+         fprintf (stderr,
+                  _("--tpm2-asymmetric is invalid when --action is 
'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->args & GRUB_PROTECT_ARG_TPM2_BANK)
+       {
+         fprintf (stderr,
+                  _("--tpm2-bank is invalid when --action is 'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->args & GRUB_PROTECT_ARG_TPM2_KEYFILE)
+       {
+         fprintf (stderr,
+                  _("--tpm2-keyfile is invalid when --action is 'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->args & GRUB_PROTECT_ARG_TPM2_OUTFILE)
+       {
+         fprintf (stderr,
+                  _("--tpm2-outfile is invalid when --action is 'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->args & GRUB_PROTECT_ARG_TPM2_PCRS)
+       {
+         fprintf (stderr,
+                  _("--tpm2-pcrs is invalid when --action is 'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->tpm2_srk == 0)
+       {
+         fprintf (stderr,
+                  _("--tpm2-srk is not specified when --action is 
'remove'.\n"));
+         return GRUB_ERR_BAD_ARGUMENT;
+       }
+
+      if (args->tpm2_device == NULL)
+       args->tpm2_device = "/dev/tpm0";
+
+      break;
+
+    default:
+      fprintf (stderr,
+              _("The TPM2 key protector only supports the following actions: "
+                "add, remove.\n"));
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static error_t
+grub_protect_argp_parser (int key, char *arg, struct argp_state *state)
+{
+  grub_err_t err;
+  struct grub_protect_args *args = state->input;
+
+  switch (key)
+    {
+    case GRUB_PROTECT_OPT_ACTION:
+      if (args->args & GRUB_PROTECT_ARG_ACTION)
+       {
+         fprintf (stderr, _("--action|-a can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      if (grub_strcmp (arg, "add") == 0)
+       args->action = GRUB_PROTECT_ACTION_ADD;
+      else if (grub_strcmp (arg, "remove") == 0)
+       args->action = GRUB_PROTECT_ACTION_REMOVE;
+      else
+       {
+         fprintf (stderr, _("'%s' is not a valid action.\n"), arg);
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_ACTION;
+      break;
+
+    case GRUB_PROTECT_OPT_PROTECTOR:
+      if (args->args & GRUB_PROTECT_ARG_PROTECTOR)
+       {
+         fprintf (stderr, _("--protector|-p can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      if (grub_strcmp (arg, "tpm2") == 0)
+       args->protector = GRUB_PROTECT_TYPE_TPM2;
+      else
+       {
+         fprintf (stderr, _("'%s' is not a valid protector.\n"), arg);
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_PROTECTOR;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_DEVICE:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_DEVICE)
+       {
+         fprintf (stderr, _("--tpm2-device can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      args->tpm2_device = xstrdup(arg);
+      args->args |= GRUB_PROTECT_ARG_TPM2_DEVICE;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_PCRS:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_PCRS)
+       {
+         fprintf (stderr, _("--tpm2-pcrs can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      err = grub_tpm2_protector_parse_pcrs (arg, args->tpm2_pcrs,
+                                           &args->tpm2_pcr_count);
+      if (err != GRUB_ERR_NONE)
+       {
+         if (grub_errno != GRUB_ERR_NONE)
+           grub_print_error ();
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_TPM2_PCRS;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_SRK:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_SRK)
+       {
+         fprintf (stderr, _("--tpm2-srk can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      err = grub_tpm2_protector_parse_tpm_handle (arg, &args->tpm2_srk);
+      if (err != GRUB_ERR_NONE)
+       {
+         if (grub_errno != GRUB_ERR_NONE)
+           grub_print_error ();
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_TPM2_SRK;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_ASYMMETRIC:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_ASYMMETRIC)
+       {
+         fprintf (stderr, _("--tpm2-asymmetric can only be specified 
once.\n"));
+         return EINVAL;
+       }
+
+      err = grub_tpm2_protector_parse_asymmetric (arg, &args->srk_type);
+      if (err != GRUB_ERR_NONE)
+       {
+         if (grub_errno != GRUB_ERR_NONE)
+           grub_print_error ();
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_TPM2_ASYMMETRIC;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_BANK:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_BANK)
+       {
+         fprintf (stderr, _("--tpm2-bank can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      err = grub_tpm2_protector_parse_bank (arg, &args->tpm2_bank);
+      if (err != GRUB_ERR_NONE)
+       {
+         if (grub_errno != GRUB_ERR_NONE)
+           grub_print_error ();
+         return EINVAL;
+       }
+
+      args->args |= GRUB_PROTECT_ARG_TPM2_BANK;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_KEYFILE:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_KEYFILE)
+       {
+         fprintf (stderr, _("--tpm2-keyfile can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      args->tpm2_keyfile = xstrdup(arg);
+      args->args |= GRUB_PROTECT_ARG_TPM2_KEYFILE;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_OUTFILE:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_OUTFILE)
+       {
+         fprintf (stderr, _("--tpm2-outfile can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      args->tpm2_outfile = xstrdup(arg);
+      args->args |= GRUB_PROTECT_ARG_TPM2_OUTFILE;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_EVICT:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_EVICT)
+       {
+         fprintf (stderr, _("--tpm2-evict can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      args->tpm2_evict = 1;
+      args->args |= GRUB_PROTECT_ARG_TPM2_EVICT;
+      break;
+
+    case GRUB_PROTECT_OPT_TPM2_TPM2KEY:
+      if (args->args & GRUB_PROTECT_ARG_TPM2_TPM2KEY)
+       {
+         fprintf (stderr, _("--tpm2-tpm2key can only be specified once.\n"));
+         return EINVAL;
+       }
+
+      args->tpm2_tpm2key = 1;
+      args->args |= GRUB_PROTECT_ARG_TPM2_TPM2KEY;
+      break;
+
+    default:
+      return ARGP_ERR_UNKNOWN;
+    }
+
+  return 0;
+}
+
+static grub_err_t
+grub_protect_args_verify (struct grub_protect_args *args)
+{
+  if (args->action == GRUB_PROTECT_ACTION_ERROR)
+    {
+      fprintf (stderr, "--action is mandatory.\n");
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  /* At the moment, the only configurable key protector is the TPM2 one, so it
+   * is the only key protector supported by this tool. */
+  if (args->protector != GRUB_PROTECT_TYPE_TPM2)
+    {
+      fprintf (stderr,
+              _("--protector is mandatory and only 'tpm2' is currently "
+                "supported.\n"));
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  switch (args->protector)
+    {
+    case GRUB_PROTECT_TYPE_TPM2:
+      return grub_protect_tpm2_args_verify (args);
+    default:
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_protect_dispatch (struct grub_protect_args *args)
+{
+  switch (args->protector)
+    {
+    case GRUB_PROTECT_TYPE_TPM2:
+      return grub_protect_tpm2_run (args);
+    default:
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+}
+
+static void
+grub_protect_init (int *argc, char **argv[])
+{
+  grub_util_host_init (argc, argv);
+
+  grub_util_biosdisk_init (NULL);
+
+  grub_init_all ();
+
+  grub_lvm_fini ();
+  grub_mdraid09_fini ();
+  grub_mdraid1x_fini ();
+  grub_diskfilter_fini ();
+  grub_diskfilter_init ();
+  grub_mdraid09_init ();
+  grub_mdraid1x_init ();
+  grub_lvm_init ();
+}
+
+static void
+grub_protect_fini (void)
+{
+  grub_fini_all ();
+  grub_util_biosdisk_fini ();
+}
+
+static struct argp grub_protect_argp =
+{
+  .options     = grub_protect_options,
+  .parser      = grub_protect_argp_parser,
+  .args_doc    = NULL,
+  .doc         =
+    N_("Protect a cleartext key using a GRUB key protector that can retrieve "
+       "the key during boot to unlock fully-encrypted disks automatically."),
+  .children    = NULL,
+  .help_filter = NULL,
+  .argp_domain = NULL
+};
+
+int
+main (int argc, char *argv[])
+{
+  grub_err_t err;
+  struct grub_protect_args args = { 0 };
+
+  if (argp_parse (&grub_protect_argp, argc, argv, 0, 0, &args) != 0)
+    {
+      fprintf (stderr, _("Could not parse arguments.\n"));
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  grub_protect_init (&argc, &argv);
+
+  err = grub_protect_args_verify (&args);
+  if (err != GRUB_ERR_NONE)
+    goto exit;
+
+  err = grub_protect_dispatch (&args);
+  if (err != GRUB_ERR_NONE)
+    goto exit;
+
+exit:
+  grub_protect_fini ();
+
+  return err;
+}
-- 
2.35.3




reply via email to

[Prev in Thread] Current Thread [Next in Thread]