[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v17 11/20] key_protector: Add TPM2 Key Protector
|
From: |
Gary Lin |
|
Subject: |
Re: [PATCH v17 11/20] key_protector: Add TPM2 Key Protector |
|
Date: |
Thu, 20 Jun 2024 15:35:32 +0800 |
On Wed, Jun 19, 2024 at 06:34:13PM +0200, Daniel Kiper wrote:
> On Fri, Jun 14, 2024 at 02:45:44PM +0800, Gary Lin wrote:
> > From: Hernan Gatta <hegatta@linux.microsoft.com>
> >
> > The TPM2 key protector is a module that enables the automatic retrieval
> > of a fully-encrypted disk's unlocking key from a TPM 2.0.
> >
> > The theory of operation is such that the module accepts various
> > arguments, most of which are optional and therefore possess reasonable
> > defaults. One of these arguments is the keyfile/tpm2key parameter, which
> > is mandatory. There are two supported key formats:
> >
> > 1. Raw Sealed Key (--keyfile)
> > When sealing a key with TPM2_Create, the public portion of the sealed
> > key is stored in TPM2B_PUBLIC, and the private portion is in
> > TPM2B_PRIVATE. The raw sealed key glues the fully marshalled
> > TPM2B_PUBLIC and TPM2B_PRIVATE into one file.
> >
> > 2. TPM 2.0 Key (--tpm2key)
> > The following is the ASN.1 definition of TPM 2.0 Key File:
> >
> > TPMPolicy ::= SEQUENCE {
> > CommandCode [0] EXPLICIT INTEGER
> > CommandPolicy [1] EXPLICIT OCTET STRING
> > }
> >
> > TPMAuthPolicy ::= SEQUENCE {
> > Name [0] EXPLICIT UTF8STRING OPTIONAL
> > Policy [1] EXPLICIT SEQUENCE OF TPMPolicy
> > }
> >
> > TPMKey ::= SEQUENCE {
> > type OBJECT IDENTIFIER
> > emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL
> > policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
> > secret [2] EXPLICIT OCTET STRING OPTIONAL
> > authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL
> > description [4] EXPLICIT UTF8String OPTIONAL,
> > rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
> > parent INTEGER
> > pubkey OCTET STRING
> > privkey OCTET STRING
> > }
> >
> > The TPM2 key protector only expects a "sealed" key in DER encoding,
> > so 'type' is always 2.23.133.10.1.5, 'emptyAuth' is 'TRUE', and
> > 'secret' is empty. 'policy' and 'authPolicy' are the possible policy
> > command sequences to construst the policy digest to unseal the key.
> > Similar to the raw sealed key, the public portion (TPM2B_PUBLIC) of
> > the sealed key is stored in 'pubkey', and the private portion
> > (TPM2B_PRIVATE) is in 'privkey'.
> >
> > For more details:
> > https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
> >
> > This sealed key file is created via the grub-protect tool. The tool
> > utilizes the TPM's sealing functionality to seal (i.e., encrypt) an
> > unlocking key using a Storage Root Key (SRK) to the values of various
> > Platform Configuration Registers (PCRs). These PCRs reflect the state
> > of the system as it boots. If the values are as expected, the system
> > may be considered trustworthy, at which point the TPM allows for a
> > caller to utilize the private component of the SRK to unseal (i.e.,
> > decrypt) the sealed key file. The caller, in this case, is this key
> > protector.
> >
> > The TPM2 key protector registers two commands:
> >
> > - tpm2_key_protector_init: Initializes the state of the TPM2 key
> > protector for later usage, clearing any
> > previous state, too, if any.
> >
> > - tpm2_key_protector_clear: Clears any state set by tpm2_key_protector_init.
> >
> > The way this is expected to be used requires the user to, either
> > interactively or, normally, via a boot script, initialize/configure
> > the key protector and then specify that it be used by the 'cryptomount'
> > command (modifications to this command are in a different patch).
> >
> > For instance, to unseal the raw sealed key file:
> >
> > tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-1.key
> > cryptomount -u <PART1_UUID> -P tpm2
> >
> > tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub2/sealed-2.key
> > --pcrs=7,11
> > cryptomount -u <PART2_UUID> -P tpm2
> >
> > Or, to unseal the TPM 2.0 Key file:
> >
> > tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-1.tpm
> > cryptomount -u <PART1_UUID> -P tpm2
> >
> > tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub2/sealed-2.tpm
> > --pcrs=7,11
> > cryptomount -u <PART2_UUID> -P tpm2
> >
> > If a user does not initialize the key protector and attempts to use it
> > anyway, the protector returns an error.
> >
> > Before unsealing the key, the TPM2 key protector follows the "TPMPolicy"
> > sequences to enforce the TPM policy commands to construct a valid policy
> > digest to unseal the key.
> >
> > For the TPM 2.0 Key files, 'authPolicy' may contain multiple "TPMPolicy"
> > sequences, the TPM2 key protector iterates 'authPolicy' to find a valid
> > sequence to unseal key. If 'authPolicy' is empty or all sequences in
> > 'authPolicy' fail, the protector tries the one from 'policy'. In case
> > 'policy' is also empty, the protector creates a "TPMPolicy" sequence
> > based on the given PCR selection.
> >
> > For the raw sealed key, the TPM2 key protector treats the key file as a
> > TPM 2.0 Key file without 'authPolicy' and 'policy', so the "TPMPolicy"
> > sequence is always based on the PCR selection from the command
> > parameters.
> >
> > This commit only supports one policy command: TPM2_PolicyPCR. The
> > command set will be extended to support advanced features, such as
> > authorized policy, in the later commits.
> >
> > Cc: Stefan Berger <stefanb@linux.ibm.com>
> > Cc: James Bottomley <jejb@linux.ibm.com>
> > Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> > grub-core/Makefile.core.def | 14 +
> > grub-core/tpm2/args.c | 140 ++++
> > grub-core/tpm2/module.c | 1225 +++++++++++++++++++++++++++++
> > grub-core/tpm2/tpm2key.asn | 33 +
> > grub-core/tpm2/tpm2key.c | 475 +++++++++++
> > grub-core/tpm2/tpm2key_asn1_tab.c | 45 ++
> > include/grub/tpm2/internal/args.h | 49 ++
> > include/grub/tpm2/tpm2key.h | 86 ++
> > 8 files changed, 2067 insertions(+)
> > create mode 100644 grub-core/tpm2/args.c
> > create mode 100644 grub-core/tpm2/module.c
> > create mode 100644 grub-core/tpm2/tpm2key.asn
> > create mode 100644 grub-core/tpm2/tpm2key.c
> > create mode 100644 grub-core/tpm2/tpm2key_asn1_tab.c
> > create mode 100644 include/grub/tpm2/internal/args.h
> > create mode 100644 include/grub/tpm2/tpm2key.h
> >
> > diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> > index 457eb2e41..4adfbd175 100644
> > --- a/grub-core/Makefile.core.def
> > +++ b/grub-core/Makefile.core.def
> > @@ -2566,6 +2566,20 @@ module = {
> > enable = efi;
> > };
> >
> > +module = {
> > + name = tpm2;
> > + common = tpm2/args.c;
> > + common = tpm2/buffer.c;
> > + common = tpm2/module.c;
> > + common = tpm2/mu.c;
> > + common = tpm2/tpm2.c;
> > + common = tpm2/tpm2key.c;
> > + common = tpm2/tpm2key_asn1_tab.c;
> > + efi = tpm2/tcg2.c;
> > + enable = efi;
> > + cppflags = '-I$(srcdir)/lib/libtasn1-grub';
> > +};
> > +
>
> I think the TPM2 key protector should be in separate GRUB module,
> i.e. not integrated with tss2 and tpm2 modules.
>
Hmmm, I'm thinking about putting the tss2 parts in grub-core/lib/ since
buffer.c/mu.c/tpm2.c/tcg2 do not provide any grub commands and are more
like a library.
> > module = {
> > name = tr;
> > common = commands/tr.c;
> > diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
> > new file mode 100644
> > index 000000000..c11280ab9
> > --- /dev/null
> > +++ b/grub-core/tpm2/args.c
> > @@ -0,0 +1,140 @@
> > +/*
> > + * GRUB -- GRand Unified Bootloader
> > + * Copyright (C) 2022 Microsoft Corporation
> > + *
> > + * GRUB is free software: you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation, either version 3 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * GRUB is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > + * GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public License
> > + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> > + */
> > +
> > +#include <grub/err.h>
> > +#include <grub/mm.h>
> > +#include <grub/misc.h>
> > +#include <grub/tpm2/internal/args.h>
> > +
> > +grub_err_t
> > +grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs,
> > + grub_uint8_t *pcr_count)
> > +{
> > + char *current_pcr = value;
> > + char *next_pcr;
> > + unsigned long pcr;
> > + grub_uint8_t i;
> > +
> > + if (grub_strlen (value) == 0)
> > + return GRUB_ERR_BAD_ARGUMENT;
> > +
> > + *pcr_count = 0;
> > + for (i = 0; i < TPM_MAX_PCRS; i++)
> > + {
> > + next_pcr = grub_strchr (current_pcr, ',');
> > + if (next_pcr == current_pcr)
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Empty entry in PCR list"));
> > + if (next_pcr)
> > + *next_pcr = '\0';
> > +
> > + grub_errno = GRUB_ERR_NONE;
> > + pcr = grub_strtoul (current_pcr, NULL, 10);
> > + if (grub_errno != GRUB_ERR_NONE)
>
> This check is unreliable. Please take a look at commit ac8a37dda
> (net/http: Allow use of non-standard TCP/IP ports) how is should
> be done properly.
>
Thanks for the hint. Will improve the check in v18.
> > + return grub_error (grub_errno,
> > + N_("Entry '%s' in PCR list is not a number"),
> > + current_pcr);
> > +
> > + if (pcr > TPM_MAX_PCRS)
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Entry %lu in PCR list is too large to be a PCR "
> > + "number, PCR numbers range from 0 to %u"),
> > + pcr, TPM_MAX_PCRS);
> > +
> > + pcrs[i] = (grub_uint8_t)pcr;
>
> Missing space after ")".
>
Will fix it in v18.
> > + *pcr_count += 1;
>
> ++(*pcr_count); ???
>
Those look the same to me here. Is there any functional difference?
> > +
> > + if (next_pcr == NULL)
> > + break;
> > +
> > + current_pcr = next_pcr + 1;
> > + if (*current_pcr == '\0')
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Trailing comma at the end of PCR list"));
> > + }
> > +
> > + if (i == TPM_MAX_PCRS)
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Too many PCRs in PCR list, the maximum number of "
> > + "PCRs is %u"), TPM_MAX_PCRS);
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > +
> > +grub_err_t
> > +grub_tpm2_protector_parse_asymmetric (const char *value,
> > + grub_srk_type_t *srk_type)
> > +{
> > + if (grub_strcasecmp (value, "ECC") == 0 ||
> > + grub_strcasecmp (value, "ECC_NIST_P256") == 0)
> > + {
> > + srk_type->type = TPM_ALG_ECC;
> > + srk_type->detail.ecc_curve = TPM_ECC_NIST_P256;
> > + }
> > + else if (grub_strcasecmp (value, "RSA") == 0 ||
> > + grub_strcasecmp (value, "RSA2048") == 0)
> > + {
> > + srk_type->type = TPM_ALG_RSA;
> > + srk_type->detail.rsa_bits = 2048;
> > + }
> > + else
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Value '%s' is not a valid asymmetric key type"),
> > + value);
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > +
> > +grub_err_t
> > +grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank)
> > +{
> > + if (grub_strcasecmp (value, "SHA1") == 0)
> > + *bank = TPM_ALG_SHA1;
> > + else if (grub_strcasecmp (value, "SHA256") == 0)
> > + *bank = TPM_ALG_SHA256;
> > + else if (grub_strcasecmp (value, "SHA384") == 0)
> > + *bank = TPM_ALG_SHA384;
> > + else if (grub_strcasecmp (value, "SHA512") == 0)
> > + *bank = TPM_ALG_SHA512;
> > + else
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Value '%s' is not a valid PCR bank"), value);
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > +
> > +grub_err_t
> > +grub_tpm2_protector_parse_tpm_handle (const char *value, TPM_HANDLE
> > *handle)
> > +{
> > + unsigned long num;
> > +
> > + grub_errno = GRUB_ERR_NONE;
> > + num = grub_strtoul (value, NULL, 0);
> > + if (grub_errno != GRUB_ERR_NONE)
>
> Again, please fix this check.
>
Got it.
> > + return grub_error (grub_errno, N_("TPM handle value '%s' is not a
> > number"),
> > + value);
> > +
> > + if (num > GRUB_UINT_MAX)
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Value %lu is too large to be a TPM handle, TPM "
> > + "handles are unsigned 32-bit integers"), num);
> > +
> > + *handle = (TPM_HANDLE)num;
>
> All casts should have space after last ")". Please fix this.
>
Ok.
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
> > new file mode 100644
> > index 000000000..d85e5fb8c
> > --- /dev/null
> > +++ b/grub-core/tpm2/module.c
> > @@ -0,0 +1,1225 @@
> > +/*
> > + * GRUB -- GRand Unified Bootloader
> > + * Copyright (C) 2022 Microsoft Corporation
> > + *
> > + * GRUB is free software: you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation, either version 3 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * GRUB is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > + * GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public License
> > + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> > + */
> > +
> > +#include <grub/dl.h>
> > +#include <grub/extcmd.h>
> > +#include <grub/file.h>
> > +#include <grub/list.h>
> > +#include <grub/misc.h>
> > +#include <grub/mm.h>
> > +#include <grub/key_protector.h>
> > +#include <grub/tpm2/buffer.h>
> > +#include <grub/tpm2/internal/args.h>
> > +#include <grub/tpm2/internal/types.h>
> > +#include <grub/tpm2/mu.h>
> > +#include <grub/tpm2/tpm2.h>
> > +#include <grub/tpm2/tpm2key.h>
> > +
> > +GRUB_MOD_LICENSE ("GPLv3+");
> > +
> > +typedef enum grub_tpm2_protector_mode
> > +{
> > + GRUB_TPM2_PROTECTOR_MODE_UNSET,
> > + GRUB_TPM2_PROTECTOR_MODE_SRK,
> > + GRUB_TPM2_PROTECTOR_MODE_NV
> > +} grub_tpm2_protector_mode_t;
> > +
> > +enum grub_tpm2_protector_options
> > +{
> > + OPTION_MODE,
> > + OPTION_PCRS,
> > + OPTION_BANK,
> > + OPTION_TPM2KEY,
> > + OPTION_KEYFILE,
> > + OPTION_SRK,
> > + OPTION_ASYMMETRIC,
> > + OPTION_NVINDEX
> > +};
> > +
> > +struct grub_tpm2_protector_context
> > +{
> > + grub_tpm2_protector_mode_t mode;
> > + grub_uint8_t pcrs[TPM_MAX_PCRS];
> > + grub_uint8_t pcr_count;
> > + grub_srk_type_t srk_type;
> > + TPM_ALG_ID bank;
> > + const char *tpm2key;
> > + const char *keyfile;
> > + TPM_HANDLE srk;
> > + TPM_HANDLE nv;
> > +};
> > +
> > +static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[]
> > =
> > + {
> > + /* Options for all modes */
> > + {
> > + .longarg = "mode",
> > + .shortarg = 'm',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("Unseal key using SRK ('srk') (default) or retrieve it from an NV "
> > + "Index ('nv')."),
> > + },
> > + {
> > + .longarg = "pcrs",
> > + .shortarg = 'p',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("Comma-separated list of PCRs used to authorize key release "
> > + "e.g., '7,11'. (default: 7)"),
> > + },
> > + {
> > + .longarg = "bank",
> > + .shortarg = 'b',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("Bank of PCRs used to authorize key release: "
> > + "SHA1, SHA256, SHA384 or SHA512. (default: SHA256)"),
> > + },
> > + /* SRK-mode options */
> > + {
> > + .longarg = "tpm2key",
> > + .shortarg = 'T',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("In SRK mode, path to the key file in the TPM 2.0 Key File format "
> > + "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.tpm)."),
> > + },
> > + {
> > + .longarg = "keyfile",
> > + .shortarg = 'k',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("In SRK mode, path to the key file in the raw format to unseal "
> > + "using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.key). "
> > + "(Mainly for backward compatibility. Please use '--tpm2key'.)"),
> > + },
> > + {
> > + .longarg = "srk",
> > + .shortarg = 's',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("In SRK mode, the SRK handle if the SRK is persistent."),
> > + },
> > + {
> > + .longarg = "asymmetric",
> > + .shortarg = 'a',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
> > + "(default: ECC)"),
> > + },
> > + /* NV Index-mode options */
> > + {
> > + .longarg = "nvindex",
> > + .shortarg = 'n',
> > + .flags = 0,
> > + .arg = NULL,
> > + .type = ARG_TYPE_STRING,
> > + .doc =
> > + N_("Required in NV Index mode, the NV handle to read which must "
> > + "readily exist on the TPM and which contains the key."),
> > + },
> > + /* End of list */
> > + {0, 0, 0, 0, 0, 0}
> > + };
> > +
> > +static grub_extcmd_t grub_tpm2_protector_init_cmd;
> > +static grub_extcmd_t grub_tpm2_protector_clear_cmd;
> > +static struct grub_tpm2_protector_context grub_tpm2_protector_ctx = { 0 };
>
> s/ 0 /0/
Will fix it in v18.
>
> > +
> > +static grub_err_t
> > +grub_tpm2_protector_srk_read_file (const char *filepath, void **buffer,
> > + grub_size_t *buffer_size)
> > +{
> > + grub_file_t file;
> > + grub_off_t file_size;
> > + void *read_buffer;
> > + grub_off_t read_n;
> > + grub_err_t err;
> > +
> > + /* Using GRUB_FILE_TYPE_SIGNATURE ensures we do not hash the keyfile
> > into PCR9
> > + * otherwise we'll never be able to predict the value of PCR9 at unseal
> > time */
> > + file = grub_file_open (filepath, GRUB_FILE_TYPE_SIGNATURE);
> > + if (file == NULL)
> > + {
> > + /* Push errno from grub_file_open() into the error message stack */
> > + grub_error_push();
> > + err = grub_error (GRUB_ERR_FILE_NOT_FOUND,
> > + N_("Could not open file: %s\n"),
> > + filepath);
> > + goto error;
> > + }
> > +
> > + file_size = grub_file_size (file);
> > + if (file_size == 0)
> > + {
> > + err = grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Could not read file size: %s"),
> > + filepath);
> > + goto error;
> > + }
> > +
> > + read_buffer = grub_malloc (file_size);
> > + if (read_buffer == NULL)
> > + {
> > + err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
> > + N_("Could not allocate buffer for %s"),
> > + filepath);
> > + goto error;
> > + }
> > +
> > + read_n = grub_file_read (file, read_buffer, file_size);
> > + if (read_n != file_size)
> > + {
> > + grub_free (read_buffer);
> > + err = grub_error (GRUB_ERR_FILE_READ_ERROR,
> > + N_("Could not retrieve file contents: %s"),
> > + filepath);
>
> I would avoid wrapping lines in many places to increase readability of
> this patch set, e.g.:
>
> err = grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Could not retrieve file
> contents: %s"), filepath);
>
> In general I am OK with lines (a bit) longer than 80.
>
Alright. I'll check the wrapping lines.
> > + goto error;
> > + }
> > +
> > + *buffer = read_buffer;
> > + *buffer_size = file_size;
> > +
> > + err = GRUB_ERR_NONE;
> > +
> > +error:
> > + if (file != NULL)
> > + grub_file_close (file);
> > +
> > + return err;
> > +}
> > +
> > +static grub_err_t
> > +grub_tpm2_protector_srk_unmarshal_keyfile (void *sealed_key,
> > + grub_size_t sealed_key_size,
> > + TPM2_SEALED_KEY *sk)
> > +{
> > + struct grub_tpm2_buffer buf;
> > +
> > + grub_tpm2_buffer_init (&buf);
> > + if (sealed_key_size > buf.cap)
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
> > + buf.cap);
> > +
> > + grub_memcpy (buf.data, sealed_key, sealed_key_size);
> > + buf.size = sealed_key_size;
> > +
> > + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
> > + grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
> > +
> > + if (buf.error)
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key
> > file"));
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > +
> > +static grub_err_t
> > +grub_tpm2_protector_srk_unmarshal_tpm2key (void *sealed_key,
> > + grub_size_t sealed_key_size,
> > + tpm2key_policy_t *policy_seq,
> > + tpm2key_authpolicy_t *authpol_seq,
> > + grub_uint8_t *rsaparent,
> > + grub_uint32_t *parent,
> > + TPM2_SEALED_KEY *sk)
> > +{
> > + asn1_node tpm2key = NULL;
> > + grub_uint8_t rsaparent_tmp;
> > + grub_uint32_t parent_tmp;
> > + void *sealed_pub = NULL;
> > + grub_size_t sealed_pub_size;
> > + void *sealed_priv = NULL;
> > + grub_size_t sealed_priv_size;
> > + struct grub_tpm2_buffer buf;
> > + grub_err_t err;
> > +
> > + /*
> > + * Start to parse the tpm2key file
> > + * TPMKey ::= SEQUENCE {
> > + * type OBJECT IDENTIFIER,
> > + * emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
> > + * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
> > + * secret [2] EXPLICIT OCTET STRING OPTIONAL,
> > + * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
> > + * description [4] EXPLICIT UTF8String OPTIONAL,
> > + * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
> > + * parent INTEGER,
> > + * pubkey OCTET STRING,
> > + * privkey OCTET STRING
> > + * }
> > + */
> > + err = grub_tpm2key_start_parsing (&tpm2key, sealed_key, sealed_key_size);
> > + if (err != GRUB_ERR_NONE)
> > + return err;
> > +
> > + /*
> > + * Retrieve the policy sequence from 'policy'
> > + * policy_seq will be NULL when 'policy' is not available
> > + */
> > + err = grub_tpm2key_get_policy_seq (tpm2key, policy_seq);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + /*
> > + * Retrieve the authpolicy sequence from 'authPolicy'
> > + * authpol_seq will be NULL when 'authPolicy' is not available
> > + */
> > + err = grub_tpm2key_get_authpolicy_seq (tpm2key, authpol_seq);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + /* Retrieve rsaParent */
> > + err = grub_tpm2key_get_rsaparent (tpm2key, &rsaparent_tmp);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + *rsaparent = rsaparent_tmp;
> > +
> > + /* Retrieve the parent handle */
> > + err = grub_tpm2key_get_parent (tpm2key, &parent_tmp);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + /* The parent handle should be either PERMANENT or PERSISTENT. */
> > + if (!TPM_HT_IS_PERMANENT (parent_tmp) && !TPM_HT_IS_PERSISTENT
> > (parent_tmp))
> > + {
> > + err = GRUB_ERR_OUT_OF_RANGE;
> > + goto error;
> > + }
> > +
> > + *parent = parent_tmp;
> > +
> > + /* Retrieve the public part of the sealed key */
> > + err = grub_tpm2key_get_pubkey (tpm2key, &sealed_pub, &sealed_pub_size);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + /* Retrieve the private part of the sealed key */
> > + err = grub_tpm2key_get_privkey (tpm2key, &sealed_priv,
> > &sealed_priv_size);
> > + if (err != GRUB_ERR_NONE)
> > + goto error;
> > +
> > + /* Unmarshal the sealed key */
> > + grub_tpm2_buffer_init (&buf);
> > + if (sealed_pub_size + sealed_priv_size > buf.cap)
> > + {
> > + err = grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Sealed key larger than %" PRIuGRUB_SIZE " bytes"),
> > + buf.cap);
> > + goto error;
> > + }
> > +
> > + grub_tpm2_buffer_pack (&buf, sealed_pub, sealed_pub_size);
> > + grub_tpm2_buffer_pack (&buf, sealed_priv, sealed_priv_size);
> > +
> > + buf.offset = 0;
> > +
> > + grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
> > + grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
> > +
> > + if (buf.error)
> > + {
> > + err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM 2.0 key
> > file"));
> > + goto error;
> > + }
> > +
> > + err = GRUB_ERR_NONE;
> > +
> > +error:
> > + /* End the parsing */
> > + grub_tpm2key_end_parsing (tpm2key);
> > + grub_free (sealed_pub);
> > + grub_free (sealed_priv);
> > +
> > + return err;
> > +}
> > +
> > +/* Check if the SRK exists in the specified handle */
> > +static grub_err_t
> > +grub_tpm2_protector_srk_check (const TPM_HANDLE srk_handle)
> > +{
> > + TPM_RC rc;
> > + TPM2B_PUBLIC public;
> > +
> > + /* Find SRK */
> > + rc = TPM2_ReadPublic (srk_handle, NULL, &public);
> > + if (rc == TPM_RC_SUCCESS)
> > + return GRUB_ERR_NONE;
> > +
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic:
> > 0x%x)"),
> > + srk_handle, rc);
> > +}
> > +
> > +/* Get the SRK with the template */
> > +static grub_err_t
> > +grub_tpm2_protector_srk_get (const grub_srk_type_t srk_type,
> > + const TPM_HANDLE parent,
> > + TPM_HANDLE *srk_handle)
> > +{
> > + TPM_RC rc;
> > + TPMT_PUBLIC_PARMS parms = { 0 };
>
> s/ 0 /0/ and in general everywhere please...
>
Ok.
> > + TPMS_AUTH_COMMAND authCommand = { 0 };
> > + TPM2B_SENSITIVE_CREATE inSensitive = { 0 };
> > + TPM2B_PUBLIC inPublic = { 0 };
> > + TPM2B_DATA outsideInfo = { 0 };
> > + TPML_PCR_SELECTION creationPcr = { 0 };
> > + TPM2B_PUBLIC outPublic = { 0 };
> > + TPM2B_CREATION_DATA creationData = { 0 };
> > + TPM2B_DIGEST creationHash = { 0 };
> > + TPMT_TK_CREATION creationTicket = { 0 };
> > + TPM2B_NAME srkName = { 0 };
> > + TPM_HANDLE tmp_handle = 0;
> > +
> > + inPublic.publicArea.type = srk_type.type;
> > + inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
> > + inPublic.publicArea.objectAttributes.restricted = 1;
> > + inPublic.publicArea.objectAttributes.userWithAuth = 1;
> > + inPublic.publicArea.objectAttributes.decrypt = 1;
> > + inPublic.publicArea.objectAttributes.fixedTPM = 1;
> > + inPublic.publicArea.objectAttributes.fixedParent = 1;
> > + inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
> > + inPublic.publicArea.objectAttributes.noDA = 1;
> > +
> > + if (srk_type.type == TPM_ALG_RSA)
> > + {
> > + inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm =
> > TPM_ALG_AES;
> > + inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
> > + inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes =
> > TPM_ALG_CFB;
> > + inPublic.publicArea.parameters.rsaDetail.scheme.scheme =
> > TPM_ALG_NULL;
> > + inPublic.publicArea.parameters.rsaDetail.keyBits =
> > srk_type.detail.rsa_bits;
> > + inPublic.publicArea.parameters.rsaDetail.exponent = 0;
> > + }
> > + else if (srk_type.type == TPM_ALG_ECC)
> > + {
> > + inPublic.publicArea.parameters.eccDetail.symmetric.algorithm =
> > TPM_ALG_AES;
> > + inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
> > + inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes =
> > TPM_ALG_CFB;
> > + inPublic.publicArea.parameters.eccDetail.scheme.scheme =
> > TPM_ALG_NULL;
> > + inPublic.publicArea.parameters.eccDetail.curveID =
> > srk_type.detail.ecc_curve;
> > + inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
> > + }
> > + else
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm"));
> > +
> > + /* Test the parameters before SRK generation */
> > + parms.type = srk_type.type;
> > + grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters,
> > + sizeof (TPMU_PUBLIC_PARMS));
> > +
> > + rc = TPM2_TestParms (&parms, NULL);
> > + if (rc != TPM_RC_SUCCESS)
> > + return grub_error (GRUB_ERR_BAD_ARGUMENT,
> > + N_("Unsupported SRK template (TPM2_TestParms: 0x%x)"),
> > + rc);
> > +
> > + /* Create SRK */
> > + authCommand.sessionHandle = TPM_RS_PW;
> > + rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
> > + &outsideInfo, &creationPcr, &tmp_handle, &outPublic,
> > + &creationData, &creationHash, &creationTicket,
> > + &srkName, NULL);
> > + if (rc != TPM_RC_SUCCESS)
> > + return grub_error (GRUB_ERR_BAD_DEVICE,
> > + N_("Could not create SRK (TPM2_CreatePrimary: 0x%x)"),
> > + rc);
> > +
> > + *srk_handle = tmp_handle;
> > +
> > + return GRUB_ERR_NONE;
> > +}
> > +
> > +/* Load the SRK from the persistent handle or create one with a given type
> > of
> > + template, and then associate the sealed key with the SRK
> > + Return values:
> > + * GRUB_ERR_NONE: Everything is fine.
> > + * GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one.
> > + * Other: Something went wrong.
> > +*/
>
> Wrong coding style for comments. Please take a look here [1].
>
Will fix it in v18.
> > +static grub_err_t
> > +grub_tpm2_protector_srk_load (const grub_srk_type_t srk_type,
> > + const TPM2_SEALED_KEY *sealed_key,
> > + const TPM_HANDLE parent,
> > + TPM_HANDLE *sealed_handle,
> > + TPM_HANDLE *srk_handle)
> > +{
> > + TPMS_AUTH_COMMAND authCmd = { 0 };
> > + TPM2B_NAME name = { 0 };
> > + TPM_RC rc;
> > + grub_err_t err;
> > +
> > + if (srk_handle == NULL)
> > + return GRUB_ERR_BUG;
> > +
> > + if (*srk_handle != 0)
> > + {
> > + err = grub_tpm2_protector_srk_check (*srk_handle);
> > + if (err != GRUB_ERR_NONE)
> > + return err;
> > + }
> > + else
> > + {
> > + err = grub_tpm2_protector_srk_get (srk_type, parent, srk_handle);
> > + if (err != GRUB_ERR_NONE)
> > + return err;
> > + }
> > +
> > + /* Load the sealed key and associate it with the SRK */
> > + authCmd.sessionHandle = TPM_RS_PW;
> > + rc = TPM2_Load (*srk_handle, &authCmd, &sealed_key->private,
> > &sealed_key->public,
> > + sealed_handle, &name, NULL);
> > + /* If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it
> > + implies the wrong SRK is used. */
>
> Ditto.
>
> > + if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1))
> > + {
> > + err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("SRK not matched"));
> > + goto error;
> > + }
> > + else if (rc != TPM_RC_SUCCESS)
> > + {
> > + err = grub_error (GRUB_ERR_BAD_DEVICE,
> > + N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
> > + rc);
> > + goto error;
> > + }
> > +
> > + return GRUB_ERR_NONE;
> > +
> > +error:
> > + if (!TPM_HT_IS_PERSISTENT (*srk_handle))
> > + TPM2_FlushContext (*srk_handle);
> > +
> > + return err;
> > +}
> > +
> > +static const char *
> > +srk_type_to_name (grub_srk_type_t srk_type)
> > +{
> > + if (srk_type.type == TPM_ALG_ECC)
> > + {
> > + switch (srk_type.detail.ecc_curve)
> > + {
> > + case TPM_ECC_NIST_P256:
> > + return "ECC_NIST_P256";
> > + }
>
> I would use "if" instead of "switch" here.
>
Ok.
> > + }
> > + else if (srk_type.type == TPM_ALG_RSA)
> > + {
> > + switch (srk_type.detail.rsa_bits)
> > + {
> > + case 2048:
> > + return "RSA2048";
>
> Ditto.
>
> > + }
> > + }
> > +
> > + return "Unknown";
> > +}
>
> [...]
>
> > +static grub_err_t
> > +grub_tpm2_protector_simple_policy_seq (const struct
> > grub_tpm2_protector_context *ctx,
> > + tpm2key_policy_t *policy_seq)
> > +{
> > + tpm2key_policy_t policy = NULL;
> > + struct grub_tpm2_buffer buf;
> > + TPML_PCR_SELECTION pcr_sel = {
> > + .count = 1,
> > + .pcrSelections = {
> > + {
> > + .hash = ctx->bank,
> > + .sizeOfSelect = 3,
> > + .pcrSelect = { 0 }
> > + },
> > + }
> > + };
> > + grub_uint8_t i;
> > + grub_err_t err;
> > +
> > + if (policy_seq == NULL)
> > + return GRUB_ERR_BAD_ARGUMENT;
> > +
> > + grub_tpm2_buffer_init (&buf);
> > +
> > + for (i = 0; i < ctx->pcr_count; i++)
> > + TPMS_PCR_SELECTION_SelectPCR (&pcr_sel.pcrSelections[0], ctx->pcrs[i]);
> > +
> > + grub_tpm2_buffer_pack_u16 (&buf, 0);
> > + grub_tpm2_mu_TPML_PCR_SELECTION_Marshal (&buf, &pcr_sel);
> > +
> > + if (buf.error)
>
> If you define buf.error as a bool please use "if (buf.error == true)",
> etc. for checks.
>
Ok.
> > + return GRUB_ERR_BAD_ARGUMENT;
> > +
> > + policy = grub_malloc (sizeof(struct tpm2key_policy));
> > + if (policy == NULL)
> > + {
> > + err = GRUB_ERR_OUT_OF_MEMORY;
> > + goto error;
> > + }
> > + policy->cmd_code = TPM_CC_PolicyPCR;
> > + policy->cmd_policy = grub_malloc (buf.size);
> > + if (policy->cmd_policy == NULL)
> > + {
> > + err = GRUB_ERR_OUT_OF_MEMORY;
> > + goto error;
> > + }
> > + grub_memcpy (policy->cmd_policy, buf.data, buf.size);
> > + policy->cmd_policy_len = buf.size;
> > +
> > + grub_list_push (GRUB_AS_LIST_P (policy_seq), GRUB_AS_LIST (policy));
> > +
> > + return GRUB_ERR_NONE;
> > +
> > +error:
> > + grub_free (policy);
> > +
> > + return err;
> > +}
>
> [...]
>
> > +static grub_err_t
> > +grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context
> > *ctx,
> > + grub_uint8_t **key, grub_size_t *key_size)
> > +{
> > + (void)ctx;
> > + (void)key;
> > + (void)key_size;
>
> "__attribute__ ((unused)" is your friend.
>
> > +
> > + return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
> > + N_("NV Index mode is not implemented yet"));
> > +}
>
> [...]
>
> > +GRUB_MOD_FINI (tpm2)
> > +{
> > + grub_free ((void *) grub_tpm2_protector_ctx.keyfile);
> > + grub_memset (&grub_tpm2_protector_ctx, 0, sizeof
> > (grub_tpm2_protector_ctx));
>
> I think this grub_memset() is redundant just before module unload.
>
Yeah, there is nothing confidential in the struct. This one is not
necessary.
> > + grub_key_protector_unregister (&grub_tpm2_key_protector);
> > + grub_unregister_extcmd (grub_tpm2_protector_clear_cmd);
> > + grub_unregister_extcmd (grub_tpm2_protector_init_cmd);
> > +}
> > diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
> > new file mode 100644
> > index 000000000..7ad4b6a2a
> > --- /dev/null
> > +++ b/grub-core/tpm2/tpm2key.asn
> > @@ -0,0 +1,33 @@
>
> Missing license...
>
Will add the license in v18.
> > +--
> > +-- TPM 2.0 key file format
> > +-- To generate tpm2key_asn1_tab.c: asn1Parser tpm2key.asn
> > +--
> > +TPM2KEY {}
> > +DEFINITIONS IMPLICIT TAGS ::=
> > +
> > +BEGIN
> > +
> > +TPMPolicy ::= SEQUENCE {
> > + CommandCode [0] EXPLICIT INTEGER,
> > + CommandPolicy [1] EXPLICIT OCTET STRING
> > +}
> > +
> > +TPMAuthPolicy ::= SEQUENCE {
> > + Name [0] EXPLICIT UTF8String OPTIONAL,
> > + Policy [1] EXPLICIT SEQUENCE OF TPMPolicy
> > +}
> > +
> > +TPMKey ::= SEQUENCE {
> > + type OBJECT IDENTIFIER,
> > + emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
> > + policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
> > + secret [2] EXPLICIT OCTET STRING OPTIONAL,
> > + authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
> > + description [4] EXPLICIT UTF8String OPTIONAL,
> > + rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
> > + parent INTEGER,
> > + pubkey OCTET STRING,
> > + privkey OCTET STRING
> > +}
> > +
> > +END
> > diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
> > new file mode 100644
> > index 000000000..5972a40a9
> > --- /dev/null
> > +++ b/grub-core/tpm2/tpm2key.c
> > @@ -0,0 +1,475 @@
> > +/*
> > + * GRUB -- GRand Unified Bootloader
> > + * Copyright (C) 2023 SUSE LLC
> > + *
> > + * GRUB is free software: you can redistribute it and/or modify
> > + * it under the terms of the GNU General Public License as published by
> > + * the Free Software Foundation, either version 3 of the License, or
> > + * (at your option) any later version.
> > + *
> > + * GRUB is distributed in the hope that it will be useful,
> > + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > + * GNU General Public License for more details.
> > + *
> > + * You should have received a copy of the GNU General Public License
> > + * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
> > + */
> > +
> > +#include <grub/list.h>
> > +#include <grub/misc.h>
> > +#include <grub/mm.h>
> > +#include <grub/tpm2/buffer.h>
> > +#include <grub/tpm2/tpm2key.h>
> > +
> > +extern asn1_static_node tpm2key_asn1_tab[];
> > +const char *sealed_key_oid = "2.23.133.10.1.5";
> > +
> > +static int
> > +asn1_allocate_and_read (asn1_node node, const char *name, void **content,
> > grub_size_t *content_size)
> > +{
> > + grub_uint8_t *tmpstr = NULL;
> > + int tmpstr_size = 0;
> > + int ret;
> > +
> > + if (content == NULL)
> > + return ASN1_MEM_ERROR;
> > +
> > + ret = asn1_read_value (node, name, NULL, &tmpstr_size);
> > + if (ret != ASN1_MEM_ERROR)
> > + return ret;
> > +
> > + tmpstr = grub_malloc (tmpstr_size);
> > + if (tmpstr == NULL)
> > + return ASN1_MEM_ERROR;
> > +
> > + ret = asn1_read_value (node, name, tmpstr, &tmpstr_size);
> > + if (ret != ASN1_SUCCESS)
> > + return ret;
> > +
> > + *content = tmpstr;
> > + *content_size = tmpstr_size;
> > +
> > + return ASN1_SUCCESS;
> > +}
> > +
> > +static int
> > +asn1_read_uint32 (asn1_node node, const char *name, grub_uint32_t *out)
> > +{
> > + grub_uint32_t tmp = 0;
> > + grub_uint8_t *ptr;
> > + void *data = NULL;
> > + grub_size_t data_size;
> > + int ret;
> > +
> > + ret = asn1_allocate_and_read (node, name, &data, &data_size);
> > + if (ret != ASN1_SUCCESS)
> > + return ret;
> > +
> > + if (data_size > 4)
>
> Is it possible to get 3 or less here? If yes then we should check for
> this too. Or s/>/!=/...
>
ASN.1 encoding only tells the number of octects for the integer so there
could be 1 to hundreds of octects. Here we want a UINT32, so 1~4 octects
are valid.
> > + {
> > + ret = ASN1_MEM_ERROR;
> > + goto error;
> > + }
> > +
> > + /* convert the big-endian integer to host uint32 */
> > + ptr = (grub_uint8_t *)&tmp + (4 - data_size);
> > + grub_memcpy (ptr, data, data_size);
>
> Could you explain this? Why grub_be_to_cpu32() is not enough?
> Is it related to alignment? If yes you could use grub_get_unaligned32().
>
The data_size could 1 to 4, so I have to copy data to tmp to make it a
big-endian uint32 and convert it.
> > + tmp = grub_be_to_cpu32 (tmp);
> > +
> > + *out = tmp;
> > +error:
> > + if (data)
> > + grub_free (data);
> > + return ret;
> > +}
>
> [...]
>
> > +grub_err_t
> > +grub_tpm2key_get_authpolicy_seq (asn1_node tpm2key, tpm2key_authpolicy_t
> > *authpol_seq)
> > +{
> > + tpm2key_authpolicy_t tmp_seq = NULL;
> > + tpm2key_authpolicy_t authpol = NULL;
> > + int authpol_n;
> > + char authpol_pol[AUTHPOLICY_POL_MAX];
> > + int i;
> > + int ret;
> > + grub_err_t err;
> > +
> > + ret = asn1_number_of_elements (tpm2key, "authPolicy", &authpol_n);
> > + if (ret == ASN1_ELEMENT_NOT_FOUND)
> > + {
> > + /* "authPolicy" is optional, so it may not be available */
> > + *authpol_seq = NULL;
> > + return GRUB_ERR_NONE;
> > + }
> > + else if (ret != ASN1_SUCCESS)
> > + return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve
> > authPolicy"));
> > +
> > + /* Limit the number of authPolicy elements to two digits (99) */
> > + if (authpol_n > 100 || authpol_n < 1)
>
> I would define high/low policy limits as constants and use them everywhere.
>
At least 1 elements is expected, so we only need to define the upper
limit.
> > + return grub_error (GRUB_ERR_OUT_OF_RANGE,
> > + N_("Invalid number of authPolicy elements"));
> > +
> > + /*
> > + * Iterate the authPolicy elements backwards since grub_list_push()
> > prepends
> > + * the item into the list.
> > + */
> > + for (i = authpol_n; i >= 1; i--) {
> > + authpol = grub_zalloc (sizeof (struct tpm2key_authpolicy));
> > + if (authpol == NULL)
> > + {
> > + err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
> > + N_("Failed to allocate memory for authPolicy"));
> > + goto error;
> > + }
> > + grub_snprintf (authpol_pol, AUTHPOLICY_POL_MAX,
> > "authPolicy.?%d.Policy", i);
> > +
> > + ret = tpm2key_get_policy_seq (tpm2key, authpol_pol,
> > &authpol->policy_seq);
> > + if (ret != ASN1_SUCCESS)
> > + {
> > + err = grub_error (GRUB_ERR_READ_ERROR,
> > + N_("Failed to retrieve policy from authPolicy"));
> > + goto error;
> > + }
> > +
> > + /* Prepend the authPolicy element into the sequence */
> > + grub_list_push (GRUB_AS_LIST_P (&tmp_seq), GRUB_AS_LIST (authpol));
> > + }
> > +
> > + *authpol_seq = tmp_seq;
> > +
> > + return GRUB_ERR_NONE;
> > +
> > +error:
> > + if (authpol)
> > + {
> > + grub_tpm2key_free_policy_seq (authpol->policy_seq);
> > + grub_free (authpol);
> > + }
> > +
> > + grub_tpm2key_free_authpolicy_seq (tmp_seq);
> > +
> > + return err;
> > +}
> > +
> > +void
> > +grub_tpm2key_free_authpolicy_seq (tpm2key_authpolicy_t authpol_seq)
> > +{
> > + tpm2key_authpolicy_t authpol;
> > + tpm2key_authpolicy_t next;
> > +
> > + if (authpol_seq == NULL)
> > + return;
> > +
> > + FOR_LIST_ELEMENTS_SAFE (authpol, next, authpol_seq)
> > + {
> > + grub_tpm2key_free_policy_seq (authpol->policy_seq);
> > + grub_free (authpol);
> > + }
> > +}
> > diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c
> > b/grub-core/tpm2/tpm2key_asn1_tab.c
> > new file mode 100644
> > index 000000000..8710c7ae9
> > --- /dev/null
> > +++ b/grub-core/tpm2/tpm2key_asn1_tab.c
> > @@ -0,0 +1,45 @@
>
> Missing license here.
>
Will add the license in v18.
Gary Lin
> > +/*
> > + * This file is generated by 'asn1Parser tpm2key.asn' and the '#include'
> > + * headers are replaced with the ones in grub2.
> > + * - 'grub/mm.h' for the definition of 'NULL'
> > + * - 'libtasn1.h' for the definition of 'asn1_static_node'
> > + */
> > +
> > +#include <grub/mm.h>
> > +#include <libtasn1.h>
> > +
> > +const asn1_static_node tpm2key_asn1_tab[] = {
> > + { "TPM2KEY", 536875024, NULL },
> > + { NULL, 1073741836, NULL },
> > + { "TPMPolicy", 1610612741, NULL },
> > + { "CommandCode", 1610620931, NULL },
> > + { NULL, 2056, "0"},
> > + { "CommandPolicy", 536879111, NULL },
> > + { NULL, 2056, "1"},
> > + { "TPMAuthPolicy", 1610612741, NULL },
> > + { "Name", 1610637346, NULL },
> > + { NULL, 2056, "0"},
> > + { "Policy", 536879115, NULL },
> > + { NULL, 1073743880, "1"},
> > + { NULL, 2, "TPMPolicy"},
> > + { "TPMKey", 536870917, NULL },
> > + { "type", 1073741836, NULL },
> > + { "emptyAuth", 1610637316, NULL },
> > + { NULL, 2056, "0"},
> > + { "policy", 1610637323, NULL },
> > + { NULL, 1073743880, "1"},
> > + { NULL, 2, "TPMPolicy"},
> > + { "secret", 1610637319, NULL },
> > + { NULL, 2056, "2"},
> > + { "authPolicy", 1610637323, NULL },
> > + { NULL, 1073743880, "3"},
> > + { NULL, 2, "TPMAuthPolicy"},
> > + { "description", 1610637346, NULL },
> > + { NULL, 2056, "4"},
> > + { "rsaParent", 1610637316, NULL },
> > + { NULL, 2056, "5"},
> > + { "parent", 1073741827, NULL },
> > + { "pubkey", 1073741831, NULL },
> > + { "privkey", 7, NULL },
> > + { NULL, 0, NULL }
> > +};
>
> Daniel
>
> [1] https://www.gnu.org/software/grub/manual/grub-dev/grub-dev.html#Comments
- Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS), (continued)
Re: [PATCH v17 10/20] tpm2: Add TPM Software Stack (TSS), Daniel Kiper, 2024/06/18
[PATCH v17 11/20] key_protector: Add TPM2 Key Protector, Gary Lin, 2024/06/14
[PATCH v17 12/20] cryptodisk: Support key protectors, Gary Lin, 2024/06/14
[PATCH v17 13/20] util/grub-protect: Add new tool, Gary Lin, 2024/06/14
[PATCH v17 14/20] tpm2: Support authorized policy, Gary Lin, 2024/06/14
[PATCH v17 15/20] tpm2: Implement NV index, Gary Lin, 2024/06/14
[PATCH v17 16/20] cryptodisk: Fallback to passphrase, Gary Lin, 2024/06/14
[PATCH v17 17/20] cryptodisk: wipe out the cached keys from protectors, Gary Lin, 2024/06/14
[PATCH v17 18/20] diskfilter: look up cryptodisk devices first, Gary Lin, 2024/06/14
[PATCH v17 19/20] tpm2: Enable tpm2 module for grub-emu, Gary Lin, 2024/06/14
[PATCH v17 20/20] tests: Add tpm2_test, Gary Lin, 2024/06/14