Re: [PATCH v2 0/5] Automatic TPM Disk Unlock
From: Max Vohra
Subject: Re: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Thu, 22 Sep 2022 21:16:28 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
I really like the "key protector" interface as more of a generic
provider interface. It seems like a great way to extend and create new
unlock scenarios such as using security tokens, or chaining
cryptographic features. If the interface is stable enough, it allows
third party projects to create their own protector modules, so we don't
wind up with people having to maintain full forks as happened with
TrustedGrub.
To support this extensibility, I think labels for providers should be
user-defined. The following is just scratching the surface of what's
possible:
tpm2_key_provider --name=platform --keyfile=/path/to/key
passphrase_key_provider --name=pass
xor_key_provider --name=combined --provider=platform --provider=pass
cryptomount DISK1 --provider=combined
This would retrieve a key from the TPM, ask the user for a passphrase
and then combine the two keys using xor, using the result to unlock the
device. More advanced examples could use HSMs or biometric interfaces.
I think only a few small changes to the interface (currently
grub_key_protector) are needed for this to happen:
1. It should be designed to store a reference to the context object
2. It should contain a function to clean up the context object, wiping
any sensitive data.
3. It should contain a user supplied label, and all key protector
commands should require a user supplied label if they are registered.
4. The current name field should be renamed to 'module_name', for
removing entries when the module is unloaded.
Basically something like:
struct grub_key_producer
{
  struct grub_key_producer *next;   /* registry list links */
  struct grub_key_producer **prev;
  const char *name;                 /* user-supplied label, e.g. "platform" */
  const char *module_name;          /* registering module, for removal on unload */
  void *ctx;                        /* provider context, wiped by destroy_ctx */
  grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size);
  grub_err_t (*destroy_ctx) (void *ctx);
};
I'll try and get a patch against master out this weekend supporting
passphrase/keyfile providers.
--
Max Vohra
On 2/1/22 05:02, Hernan Gatta wrote:
Updates since v1:
1. One key can unlock multiple disks:
It is now possible to use key protectors with cryptomount's -a and -b
options.
2. No passphrase prompt on error if key protector(s) specified:
cryptomount no longer prompts for a passphrase if key protectors are
specified but fail to provide a working unlock key seeing as the user
explicitly requested unlocking via key protectors.
3. Key protector parameterization is separate:
Previously, one would parameterize a key protector via a colon-separated
argument list nested within a cryptomount argument. Now, key protectors are
expected to provide an initialization function, if necessary.
As such, instead of:
cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
one now writes:
tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
cryptomount -k tpm2
Additionally, one may write:
cryptomount -k protector_1 -k protector_2 ...
where cryptomount will try each in order on failure.
4. Standard argument parsing:
The TPM2 key protector now uses 'struct grub_arg_option' and the grub-protect
tool uses 'struct argp_option'. Additionally, common argument parsing
functionality is now shared between the module and the tool.
5. More useful messages:
Both the TPM2 module and the grub-protect tool now provide more useful
messages to help the user learn how to use their functionality (--help and
--usage) as well as to determine what is wrong, if anything. Furthermore, the
module now prints additional debug output to help diagnose problems.
I forgot to mention last time that this patch series intends to address:
https://bugzilla.redhat.com/show_bug.cgi?id=1854177
Previous series:
https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
Thank you,
Hernan
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Hernan Gatta (5):
protectors: Add key protectors framework
tpm2: Add TPM Software Stack (TSS)
protectors: Add TPM2 Key Protector
cryptodisk: Support key protectors
util/grub-protect: Add new tool
.gitignore | 1 +
Makefile.util.def | 19 +
configure.ac | 1 +
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 11 +
grub-core/disk/cryptodisk.c | 166 +++-
grub-core/kern/protectors.c | 75 ++
grub-core/tpm2/args.c | 129 ++++
grub-core/tpm2/buffer.c | 145 ++++
grub-core/tpm2/module.c | 710 +++++++++++++++++
grub-core/tpm2/mu.c | 807 ++++++++++++++++++++
grub-core/tpm2/tcg2.c | 143 ++++
grub-core/tpm2/tpm2.c | 711 +++++++++++++++++
include/grub/cryptodisk.h | 14 +
include/grub/protector.h | 48 ++
include/grub/tpm2/buffer.h | 65 ++
include/grub/tpm2/internal/args.h | 39 +
include/grub/tpm2/internal/functions.h | 117 +++
include/grub/tpm2/internal/structs.h | 675 ++++++++++++++++
include/grub/tpm2/internal/types.h | 372 +++++++++
include/grub/tpm2/mu.h | 292 +++++++
include/grub/tpm2/tcg2.h | 34 +
include/grub/tpm2/tpm2.h | 38 +
util/grub-protect.c | 1314 ++++++++++++++++++++++++++++++++
24 files changed, 5897 insertions(+), 30 deletions(-)
create mode 100644 grub-core/kern/protectors.c
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/buffer.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/mu.c
create mode 100644 grub-core/tpm2/tcg2.c
create mode 100644 grub-core/tpm2/tpm2.c
create mode 100644 include/grub/protector.h
create mode 100644 include/grub/tpm2/buffer.h
create mode 100644 include/grub/tpm2/internal/args.h
create mode 100644 include/grub/tpm2/internal/functions.h
create mode 100644 include/grub/tpm2/internal/structs.h
create mode 100644 include/grub/tpm2/internal/types.h
create mode 100644 include/grub/tpm2/mu.h
create mode 100644 include/grub/tpm2/tcg2.h
create mode 100644 include/grub/tpm2/tpm2.h
create mode 100644 util/grub-protect.c
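Added example, not part of the thread above and not GRUB's own code: a standalone C model of the labelled provider registry Max proposes (user-supplied label, module_name for removal on unload, a ctx with a destroy function that wipes it, and an xor combiner that references other providers by label), together with the cryptomount -k p1 -k p2 ... try-each-in-order and no-passphrase-fallback behaviour from Hernan's cover letter. Every name in it (key_provider, provider_register, cryptomount_try, the labels platform, pass, combined and broken) is hypothetical; the "tpm2" module is a fixed-key stand-in for a real TPM unseal, and the memcmp against a constructed volume key stands in for LUKS key verification.

```c
/* Added example, not GRUB code: a standalone model of the label-addressed key
 * provider registry proposed above, with context wiping, an XOR combiner and
 * cryptomount's try-in-order behaviour. All names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define KEY_LEN 32
typedef int (*recover_fn)(void *ctx, uint8_t *key, size_t *key_len);
typedef void (*destroy_fn)(void *ctx);
struct key_provider {
    const char *name;        /* user-supplied label, e.g. "platform" */
    const char *module_name; /* registering module, matched on unload */
    void *ctx;               /* provider state, handed to recover_key */
    recover_fn recover_key; destroy_fn destroy_ctx; /* destroy wipes and frees ctx */
};
static struct key_provider registry[8];
static size_t registry_len;
static uint8_t g_volume_key[KEY_LEN]; /* what the "disk" expects (constructed) */
/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }
static struct key_provider *provider_lookup(const char *name) {
    for (size_t i = 0; i < registry_len; i++)
        if (strcmp(registry[i].name, name) == 0) return &registry[i];
    return NULL;
}
/* Labels are mandatory and unique so combiners can reference them by name. */
static int provider_register(const char *name, const char *module, void *ctx,
                             recover_fn recover, destroy_fn destroy) {
    if (!name || !*name || provider_lookup(name) || registry_len == 8) return -1;
    registry[registry_len++] = (struct key_provider){ name, module, ctx, recover, destroy };
    return 0;
}
/* Drop every provider a module registered, destroying (wiping) its context. */
static void module_unload(const char *module) {
    for (size_t i = 0; i < registry_len;) {
        if (strcmp(registry[i].module_name, module) != 0) { i++; continue; }
        registry[i].destroy_ctx(registry[i].ctx);
        registry[i] = registry[--registry_len];
    }
}
/* Fixed-key provider standing in for a TPM unseal or a passphrase prompt. */
struct static_ctx { uint8_t key[KEY_LEN]; int fail; };
static int static_recover(void *c, uint8_t *key, size_t *len) {
    struct static_ctx *s = c;
    if (s->fail) return -1; /* e.g. PCR policy mismatch: no key, and no prompt */
    memcpy(key, s->key, KEY_LEN); *len = KEY_LEN; return 0;
}
static void static_destroy(void *c) { secure_wipe(c, sizeof(struct static_ctx)); free(c); }
/* XOR combiner: both referenced providers must succeed; output is K_a ^ K_b. */
struct xor_ctx { const char *a, *b; };
static int xor_recover(void *c, uint8_t *key, size_t *len) {
    struct xor_ctx *x = c;
    struct key_provider *pa = provider_lookup(x->a), *pb = provider_lookup(x->b);
    uint8_t ka[KEY_LEN], kb[KEY_LEN]; size_t la = 0, lb = 0; int rc = -1;
    if (pa && pb && pa->recover_key(pa->ctx, ka, &la) == 0 &&
        pb->recover_key(pb->ctx, kb, &lb) == 0 && la == lb) {
        for (size_t i = 0; i < la; i++) key[i] = ka[i] ^ kb[i];
        *len = la; rc = 0;
    }
    secure_wipe(ka, sizeof ka); secure_wipe(kb, sizeof kb); /* inputs never outlive the call */
    return rc;
}
/* cryptomount -k l1 -k l2 ...: try labels in order and return the index of the first
 * key that verifies, else -1 with no passphrase fallback (memcmp stands in for LUKS). */
static int cryptomount_try(const char *const *labels, size_t n) {
    uint8_t key[KEY_LEN]; size_t len = 0; int hit = -1;
    for (size_t i = 0; i < n && hit < 0; i++) {
        struct key_provider *p = provider_lookup(labels[i]);
        if (p && p->recover_key(p->ctx, key, &len) == 0 && len == KEY_LEN &&
            memcmp(key, g_volume_key, KEY_LEN) == 0) hit = (int)i;
        secure_wipe(key, sizeof key);
    }
    return hit;
}
/* Constructed scenario: "platform" (tpm2 module) holds K1, "pass" holds K2, the
 * volume key K1 ^ K2 is served by "combined", and "broken" is a failing tpm2 slot. */
static void scenario_setup(void) {
    while (registry_len) module_unload(registry[0].module_name);
    struct static_ctx *plat = calloc(1, sizeof *plat), *pass = calloc(1, sizeof *pass),
                      *bad = calloc(1, sizeof *bad);
    struct xor_ctx *x = malloc(sizeof *x);
    memset(plat->key, 0xA5, KEY_LEN); memset(pass->key, 0x3C, KEY_LEN);
    memset(g_volume_key, 0xA5 ^ 0x3C, KEY_LEN);
    bad->fail = 1; x->a = "platform"; x->b = "pass";
    provider_register("platform", "tpm2", plat, static_recover, static_destroy);
    provider_register("broken", "tpm2", bad, static_recover, static_destroy);
    provider_register("pass", "passphrase", pass, static_recover, static_destroy);
    provider_register("combined", "xor", x, xor_recover, free);
}
/* cryptomount -k broken -k platform -k combined: "broken" errors, "platform" alone does
 * not verify, "combined" does, so this returns 2; with tpm2 unloaded first it returns -1. */
static int scenario_unlock_index(int unload_tpm2_first) {
    static const char *const order[] = { "broken", "platform", "combined" };
    scenario_setup();
    if (unload_tpm2_first) module_unload("tpm2");
    return cryptomount_try(order, 3);
}
```

Two design points worth noting: the combiner resolves its inputs by label at recovery time rather than caching pointers, so unloading the tpm2 module (which drops every provider it registered, wiping their contexts) makes the dependent "combined" provider fail closed instead of dereferencing freed state; and every intermediate key buffer is wiped before the function returns, so a failed attempt leaves no key material behind for the next protector or a later memory dump.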