From: Gary Lin <glin@suse.com>
Date: Fri, 13 Jun 2025 07:02:34 +0000 (+0800)
Subject: tpm2_key_protector: Dump the PCR bank for key unsealing
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=451e227e530e765d4af1960b9795d8987ea6ee78;p=thirdparty%2Fgrub.git

tpm2_key_protector: Dump the PCR bank for key unsealing

TPM 2.0 Key File format stores the PCR selection in the parameters
for TPM2_PolicyPCR and it already contains the selected PCR bank.
Currently, tpm2_key_protector dumped the PCR bank specified by the
--bank option, and it may not be the PCR bank for key unsealing.

To dump the real PCR bank for key unsealing, this commit records the PCR
bank used by TPM2_PolicyPCR and dumps PCR values from that bank when
necessary.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---

diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 857f3753f..b84c2234f 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -162,6 +162,8 @@ static tpm2_protector_context_t tpm2_protector_ctx = {0};
 
 static grub_command_t tpm2_dump_pcr_cmd;
 
+static TPM_ALG_ID_t tpm2_dump_bank;
+
 static grub_err_t
 tpm2_protector_srk_read_file (const char *filepath, void **buffer, grub_size_t *buffer_size)
 {
@@ -654,6 +656,9 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffe
   if (cmd_buf->error != 0)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal commandPolicy for TPM2_PolicyPCR");
 
+  /* Record the chosen PCR bank. */
+  tpm2_dump_bank = pcr_sel.pcrSelections[0].hash;
+
   rc = grub_tpm2_policypcr (session, NULL, &pcr_digest, &pcr_sel, NULL);
   if (rc != TPM_RC_SUCCESS)
     return grub_error (GRUB_ERR_BAD_DEVICE, "failed to submit PCR policy (TPM2_PolicyPCR: 0x%x)", rc);
@@ -1091,7 +1096,7 @@ tpm2_protector_key_from_buffer (const tpm2_protector_context_t *ctx,
   if (dump_pcr == true)
     {
       grub_printf ("PCR Mismatch! Check firmware and bootloader before typing passphrase!\n");
-      tpm2_protector_dump_pcr (ctx->bank);
+      tpm2_protector_dump_pcr (tpm2_dump_bank);
     }
 
  exit2:
@@ -1151,7 +1156,7 @@ tpm2_protector_load_persistent (const tpm2_protector_context_t *ctx, TPM_HANDLE_
   if (dump_pcr == true)
     {
       grub_printf ("PCR Mismatch! Check firmware and bootloader before typing passphrase!\n");
-      tpm2_protector_dump_pcr (ctx->bank);
+      tpm2_protector_dump_pcr (tpm2_dump_bank);
     }
 
  exit:
@@ -1273,6 +1278,8 @@ tpm2_protector_check_args (tpm2_protector_context_t *ctx)
   if (ctx->bank == TPM_ALG_ERROR)
     ctx->bank = TPM_ALG_SHA256;
 
+  tpm2_dump_bank = ctx->bank;
+
   if (ctx->pcr_count == 0)
     {
       ctx->pcrs[0] = 7;