Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for d

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for d

From:	Gary Lin
Subject:	Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption
Date:	Tue, 12 Mar 2024 15:28:25 +0800

On Tue, Mar 12, 2024 at 11:03:17AM +0800, Hyman Huang wrote:
Hi Hyman,

> This patchset aims to supplement James's previous work, please refer to
> the following link for details:
> https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00257.html
> 
> The alterations listed below were made in light of earlier research:
> 1. As Glenn advised, remove the first commit ([PATCH v3 1/3] cryptodisk:
>    make the password getter and additional argument to recover_key) while
>    maintaining the original recover key function declaration.
> 
> 2. To decrypt the disk, use the password that was retrieved from the EFI
>    secret area and store it in the key_data field of the
>    grub_cryptomount_args_t. Then, pass the password to the
>    grub_cryptodisk_scan_device function.
> 
> 3. Modify the put method's function definition in struct
>    grub_secret_entry, and use grub_errno to log method errors.
> 
> We uploaded this series with the intention of receiving feedback, as
> the title suggests. Any suggestions and feedback regarding this patchset
> are welcom. 
> 
I'm working on disk unlocking with TPM2 and it's a bit similar to your
work. Here is my v9 patchset:
https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00007.html

The original patch author, Herman, introduced the key protectors
framework, and it may be useful in your case:

- key protectors framework
  https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00014.html
- cryptodisk change
  https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00016.html
- TPM2 key protector
  https://lists.gnu.org/archive/html/grub-devel/2024-02/msg00017.html

In short, it unlocks the disk with the commands like this:

  tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
  cryptomount -u <PART1_UUID> -P tpm2

Maybe we can work together to support various disk unlocking mechanisms.

Cheers,

Gary Lin

> Thanks,
> 
> Yong
> 
> Hyman Huang (2):
>   cryptodisk: add OS provided secret support
>   efi: Add API for retrieving the EFI secret for cryptodisk
> 
>  grub-core/Makefile.core.def    |   8 +++
>  grub-core/disk/cryptodisk.c    |  49 ++++++++++++-
>  grub-core/disk/efi/efisecret.c | 123 +++++++++++++++++++++++++++++++++
>  include/grub/cryptodisk.h      |  14 ++++
>  include/grub/efi/api.h         |  15 ++++
>  5 files changed, 206 insertions(+), 3 deletions(-)
>  create mode 100644 grub-core/disk/efi/efisecret.c
> 
> -- 
> 2.39.3
> 
> 
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption, Hyman Huang, 2024/03/12
- [PATCH RFC 2/2] efi: Add API for retrieving the EFI secret for cryptodisk, Hyman Huang, 2024/03/12
- [PATCH RFC 1/2] cryptodisk: add OS provided secret support, Hyman Huang, 2024/03/12
- Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption, Gary Lin <=
  - Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption, Yong Huang, 2024/03/12
    - Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption, Gary Lin, 2024/03/12

Prev by Date: [PATCH RFC 1/2] cryptodisk: add OS provided secret support
Next by Date: Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption
Previous by thread: [PATCH RFC 1/2] cryptodisk: add OS provided secret support
Next by thread: Re: [PATCH RFC 0/2] use confidential computing provisioned secrets for disk decryption
Index(es):
- Date
- Thread