new pcrlock tool for generating signed PCR policies for PCR 0, 1, 4, … #28891
Commits on Nov 3, 2023
tpm2-util: add helpers for marshalling public/private keys
Note: we export these new symbols for now. A later commit in this PR will make them static again. The only reason they are exported here is to make sure gcc doesn't complain about unused static symbols, and I really wanted to commit them in a separate commit.
Commit 9fe3b63
tpm2-util: add calls for calculating/submitting PolicyAuthorizeNV + PolicyOR TPM2 policies
Commit 2cd8f75
tpm2-util: add helper for creating/removing/updating NV index with stored policy
This is the primary core of what pcrlock is supposed to do eventually: maintain a TPM2 policy hash inside an NV index which we then can reference via a PolicyAuthorizeNV expression to lock other objects against it.
Commit 48d0605
tpm2-util: add generic helpers for sealing/unsealing data
These helpers tpm2_seal_data()/tpm2_unseal_data() are useful for sealing/unsealing data without any further semantics around them. This is different from the existing tpm2_seal()/tpm2_unseal() which seal with a specific policy and serialize in a specific way, as we use it for disk encryption. These new helpers are more generic, they do not serialize in a specific way or imply policy, they are just the core of the sealing/unsealing. (We should look into porting tpm2_seal()/tpm2_unseal() onto these new helpers, but this isn't trivial, since the classic serialization we use uses a merged marshalling of private/public key, which we'd have to change in one way or another)
Commit ce80da0
tpm2-util: make various marshalling/unmarshalling calls static, as we only use them internally in tpm2-util.c
Note, some of these were just added in this same PR. We only exported them initially to make sure gcc doesn't complain about unused local symbols.
Commit 40ce732
tpm2-util: add common array for TPM2 hash algorithms
This is useful to enumerate all hash algorithms we want to predict measurements for.
Commit b52e950
tree-wide: hook everything up with pcrlock policy
Make sure cryptenroll and repart can enroll TPM2 policies with pcrlock logic. Make sure cryptsetup can unlock TPM2 policies with pcrlock in effect.
Commit 404aea7
pcrlock: add pre-defined pcrlock files
These cover well-known measurements done by the UEFI firmware or systemd.
Commit 8e35338
units: add units that put together and install a TPM2 PCR policy at boot
(This is disabled by default, for now)
Commit 809def1
test: add pcrlock integration test
(Contains various test additions added by @mrc0mmand)
Commit 3e6a25a