tpm2_key_protector: Add tpm2_dump_pcr command

The user may need to inspect the TPM 2.0 PCR values with the GRUB shell,
so the new tpm2_dump_pcr command is added to print all PCRs of the
specified bank.

Also update the document for the new command.

Signed-off-by: Gary Lin <glin@suse.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/docs/grub.texi b/docs/grub.texi
index d9b26fa36dd1cafbf67f364792c77ebd5dd0227e..54d3ab52f26c9169a5d1beae573992fa29195e15 100644 (file)
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6488,6 +6488,7 @@ you forget a command, you can run the command @command{help}
 * test::                        Check file types and compare values
 * tpm2_key_protector_init::     Initialize the TPM2 key protector
 * tpm2_key_protector_clear::    Clear the TPM2 key protector
+* tpm2_dump_pcr::               Dump TPM2 PCRs
 * true::                        Do nothing, successfully
 * trust::                       Add public key to list of trusted keys
 * unset::                       Unset an environment variable
@@ -8104,6 +8105,18 @@ key and unseal it with the given PCR list and bank.
 Clear the TPM2 key protector if previously initialized.
 @end deffn
 
+@node tpm2_dump_pcr
+@subsection tpm2_dump_pcr
+
+@deffn Command tpm2_dump_pcr [@var{bank}]
+Print all PCRs of the specified TPM 2.0 @var{bank}. The supported banks are
+@samp{sha1}, @samp{sha256}, @samp{sha384}, and @samp{sha512}. If @var{bank}
+is not specified, @samp{sha256} is chosen by default.
+
+Since GRUB measures every command into PCR 8, invoking @command{tpm2_dump_pcr}
+also extends PCR 8, so PCR 8 will not be a stable value in GRUB shell.
+@end deffn
+
 @node true
 @subsection true
 

diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index d5e530f77ae41de9b762037bc92816777e7f73cc..0a5d81e4c7f7b516ebac50b98df74d1cf326d28b 100644 (file)
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -160,6 +160,8 @@ static grub_extcmd_t tpm2_protector_init_cmd;
 static grub_extcmd_t tpm2_protector_clear_cmd;
 static tpm2_protector_context_t tpm2_protector_ctx = {0};
 
+static grub_command_t tpm2_dump_pcr_cmd;
+
 static grub_err_t
 tpm2_protector_srk_read_file (const char *filepath, void **buffer, grub_size_t *buffer_size)
 {
@@ -1315,6 +1317,33 @@ static struct grub_key_protector tpm2_key_protector =
     .recover_key = tpm2_protector_recover_key
   };
 
+static grub_err_t
+tpm2_dump_pcr (grub_command_t cmd __attribute__((__unused__)),
+              int argc, char *argv[])
+{
+  TPM_ALG_ID_t pcr_bank;
+
+  if (argc == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha1") == 0)
+    pcr_bank = TPM_ALG_SHA1;
+  else if (grub_strcmp (argv[0], "sha256") == 0)
+    pcr_bank = TPM_ALG_SHA256;
+  else if (grub_strcmp (argv[0], "sha384") == 0)
+    pcr_bank = TPM_ALG_SHA384;
+  else if (grub_strcmp (argv[0], "sha512") == 0)
+    pcr_bank = TPM_ALG_SHA512;
+  else
+    {
+      grub_printf ("Unknown PCR bank\n");
+      return GRUB_ERR_BAD_ARGUMENT;
+    }
+
+  tpm2_protector_dump_pcr (pcr_bank);
+
+  return GRUB_ERR_NONE;
+}
+
 GRUB_MOD_INIT (tpm2_key_protector)
 {
   tpm2_protector_init_cmd =
@@ -1336,6 +1365,10 @@ GRUB_MOD_INIT (tpm2_key_protector)
                          N_("Clear the TPM2 key protector if previously initialized."),
                          NULL);
   grub_key_protector_register (&tpm2_key_protector);
+
+  tpm2_dump_pcr_cmd =
+    grub_register_command ("tpm2_dump_pcr", tpm2_dump_pcr, N_("Dump TPM2 PCRs"),
+                          N_("Print all PCRs of the specified TPM 2.0 bank"));
 }
 
 GRUB_MOD_FINI (tpm2_key_protector)
@@ -1345,4 +1378,6 @@ GRUB_MOD_FINI (tpm2_key_protector)
   grub_key_protector_unregister (&tpm2_key_protector);
   grub_unregister_extcmd (tpm2_protector_clear_cmd);
   grub_unregister_extcmd (tpm2_protector_init_cmd);
+
+  grub_unregister_command (tpm2_dump_pcr_cmd);
 }