[PATCH 0/5] Automatic TPM Disk Unlock

From: Hernan Gatta
Subject: [PATCH 0/5] Automatic TPM Disk Unlock
Date: Mon, 24 Jan 2022 06:12:13 -0800

This patch series adds support for automatically unlocking fully-encrypted disks
using a TPM 2.0.

Currently, when GRUB encounters a fully-encrypted disk that it must access, its
corresponding cryptodisk module (LUKS 1, LUKS2, or GELI) interactively prompts
the user for a passphrase. An improvement to the boot process would be for GRUB
to automatically retrieve the unlocking key for fully-encrypted disks from a
protected location and to unlock these transparently. To this end, a TPM may be
used to protect the unlocking key to a known-good state of the platform. Once
the key is protected in this way, assuming that the platform remains
trustworthy, GRUB can then utilize the TPM to release the key during boot and
thus unlock fully-encrypted disks without user interaction. Such a model would
not only be more convenient for end-users but also for virtual machines in cloud
environments where no user is ever present.


This patchset first adds a key protectors framework. This framework allows for
key protector modules to register when loaded. A key protector is defined as a
module that knows how to retrieve an unlocking key from a specific source. This
patchset adds a single such key protector module that understands how to
retrieve an unlocking key from a TPM 2.0 by unsealing a sealed key file via a
Storage Root Key (SRK).

Additionally, this patchset expands the cryptomount command to accept a key
protector parameter. This parameter carries the information necessary to select
and parameterize a key protector to be used to retrieve an unlocking key for the
disk in question. That is, given an invocation of cryptomount to mount a
specific disk (e.g., "cryptomount (hd0,gpt2)", "cryptomount -u UUID"), a key
protector can be used to automatically retrieve an unlocking key without an
interactive prompt.

Lastly, this patchset also includes a new tool, grub-protect, that allows the
user to seal a key file against a set of Platform Configuration Registers (PCRs)
using an SRK. This sealed key file is expected to be stored in an unencrypted
partition, such as the EFI System Partition (ESP), where GRUB can read it. The
sealed key is then unsealed by the TPM2 key protector automatically, provided
that the PCRs selected match on subsequent boots.

Signed-off-by: Hernan Gatta <>

Hernan Gatta (5):
  protectors: Add key protectors framework
  tpm2: Add TPM Software Stack (TSS)
  protectors: Add TPM2 Key Protector
  cryptodisk: Support key protectors
  util/grub-protect: Add new tool

 .gitignore                             |    1 +
 Makefile.util.def                      |   17 +
                                        |    1 +
 grub-core/                             |    1 +
 grub-core/Makefile.core.def            |   10 +
 grub-core/disk/cryptodisk.c            |   21 +-
 grub-core/kern/protectors.c            |   98 +++
 grub-core/tpm2/buffer.c                |  145 ++++
 grub-core/tpm2/module.c                |  742 ++++++++++++++++++
 grub-core/tpm2/mu.c                    |  807 +++++++++++++++++++
 grub-core/tpm2/tcg2.c                  |  143 ++++
 grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
 include/grub/protector.h               |   55 ++
 include/grub/tpm2/buffer.h             |   65 ++
 include/grub/tpm2/internal/functions.h |  117 +++
 include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
 include/grub/tpm2/internal/types.h     |  372 +++++++++
 include/grub/tpm2/mu.h                 |  292 +++++++
 include/grub/tpm2/tcg2.h               |   34 +
 include/grub/tpm2/tpm2.h               |   38 +
 util/grub-protect.c                    | 1344 ++++++++++++++++++++++++++++++++
 21 files changed, 5688 insertions(+), 1 deletion(-)
 create mode 100644 grub-core/kern/protectors.c
 create mode 100644 grub-core/tpm2/buffer.c
 create mode 100644 grub-core/tpm2/module.c
 create mode 100644 grub-core/tpm2/mu.c
 create mode 100644 grub-core/tpm2/tcg2.c
 create mode 100644 grub-core/tpm2/tpm2.c
 create mode 100644 include/grub/protector.h
 create mode 100644 include/grub/tpm2/buffer.h
 create mode 100644 include/grub/tpm2/internal/functions.h
 create mode 100644 include/grub/tpm2/internal/structs.h
 create mode 100644 include/grub/tpm2/internal/types.h
 create mode 100644 include/grub/tpm2/mu.h
 create mode 100644 include/grub/tpm2/tcg2.h
 create mode 100644 include/grub/tpm2/tpm2.h
 create mode 100644 util/grub-protect.c
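
The cover letter describes a two-phase flow: grub-protect seals the unlocking key to a set of PCR values under the SRK, and at boot the TPM2 key protector asks the TPM to unseal it, which only succeeds if the PCRs hold the same values. The following is an added example, written for this page and not code from the patch series or from GRUB, that models that relationship in Python with only the standard library. It assumes a toy TPM whose SRK is a random secret that never leaves the object, a PCR extend chain of the TPM 2.0 shape, a TPM2_PolicyPCR digest with simplified (not spec-exact) marshaling, and an HMAC-based wrapping scheme that stands in for the TPM's real sealing algorithm. The PCR indices (0, 4, 7) and the measured component names are constructed for illustration.

```python
"""Toy model of PCR-bound key sealing (added example, not GRUB or patch code).

Shows the property the TPM2 key protector relies on: a key sealed under the
SRK to a PCR policy is released only when the PCRs match the sealing-time
state. Hash chains follow the TPM 2.0 shape (PCR extend, PolicyPCR), but the
marshaling is simplified and the symmetric wrapping is a constructed stand-in.
"""
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code for TPM2_PolicyPCR


def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || H(measurement))."""
    return HASH(pcr_value + HASH(measurement).digest()).digest()


def policy_pcr_digest(pcrs: dict, selection: tuple) -> bytes:
    """Simplified TPM2_PolicyPCR: H(0^32 || CC_PolicyPCR || selection || H(PCRs)).

    The real command marshals a TPML_PCR_SELECTION; bytes(selection) is a
    deliberate simplification for this model.
    """
    pcr_digest = HASH(b"".join(pcrs[i] for i in selection)).digest()
    return HASH(bytes(32) + TPM_CC_POLICY_PCR.to_bytes(4, "big")
                + bytes(selection) + pcr_digest).digest()


def _keystream(wrap: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from the wrapping key (toy construction)."""
    out, counter = b"", 0
    while len(out) < n:
        out += HASH(wrap + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


class ToyTPM:
    """An SRK secret that never leaves the 'chip', plus a bank of PCRs."""

    def __init__(self, num_pcrs: int = 8):
        self._srk_secret = os.urandom(32)  # constructed stand-in for the SRK
        self.pcrs = {i: bytes(32) for i in range(num_pcrs)}

    def measure(self, index: int, component: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], component)

    def _wrap_key(self, policy: bytes) -> bytes:
        # Wrapping key is bound to both the SRK and the policy digest.
        return hmac.new(self._srk_secret, b"seal" + policy, HASH).digest()

    def seal(self, secret: bytes, selection: tuple) -> dict:
        """What grub-protect conceptually produces for the ESP: no plaintext key."""
        policy = policy_pcr_digest(self.pcrs, selection)
        wrap = self._wrap_key(policy)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap, len(secret))))
        tag = hmac.new(wrap, policy + ct, HASH).digest()
        return {"selection": selection, "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> Optional[bytes]:
        """What the TPM2 key protector asks for at boot; None means 'refused'."""
        policy = policy_pcr_digest(self.pcrs, blob["selection"])
        if policy != blob["policy"]:
            return None  # PCRs differ from sealing time: the TPM will not release
        wrap = self._wrap_key(policy)
        tag = hmac.new(wrap, policy + blob["ct"], HASH).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None  # blob integrity failure (e.g. tampered on the ESP)
        return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(wrap, len(blob["ct"]))))


def boot_measurements(tpm: ToyTPM, firmware: bytes, bootloader: bytes, sb_policy: bytes) -> None:
    """Constructed boot: reset PCRs, then measure firmware, boot manager, Secure Boot policy."""
    for i in tpm.pcrs:
        tpm.pcrs[i] = bytes(32)  # a reboot resets the PCRs
    tpm.measure(0, firmware)
    tpm.measure(4, bootloader)
    tpm.measure(7, sb_policy)


def demo() -> dict:
    tpm = ToyTPM()
    disk_key = os.urandom(64)  # constructed stand-in for a LUKS-style unlocking key
    good = (b"fw-1.2", b"grubx64.efi", b"secure-boot-on")
    boot_measurements(tpm, *good)
    blob = tpm.seal(disk_key, selection=(0, 4, 7))   # provisioning step

    boot_measurements(tpm, *good)                      # identical boot: key released
    same_state = tpm.unseal(blob) == disk_key

    boot_measurements(tpm, b"fw-1.2", b"other-loader.efi", b"secure-boot-on")
    changed_state = tpm.unseal(blob)                   # PCR4 differs: refused

    # Rewriting the stored policy to match the altered state still fails the tag.
    forged = dict(blob, policy=policy_pcr_digest(tpm.pcrs, blob["selection"]))
    forged_policy = tpm.unseal(forged)

    return {"same_state": same_state, "changed_state": changed_state,
            "forged_policy": forged_policy, "blob_hides_key": blob["ct"] != disk_key}


if __name__ == "__main__":
    print(demo())
```

The model makes two points visible that the prose states implicitly: the sealed blob on the unencrypted ESP is useless without the SRK-bound TPM, and any change to a selected PCR (here, a different boot manager measured into PCR 4) changes the policy digest, so the key is withheld rather than released to an unexpected boot path.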

