tss2: Introduce grub_tcg2_cap_pcr()
authorGary Lin <glin@suse.com>
Fri, 3 Oct 2025 03:22:03 +0000 (11:22 +0800)
committerDaniel Kiper <daniel.kiper@oracle.com>
Sat, 11 Oct 2025 13:43:58 +0000 (15:43 +0200)
This commit introduces the definition of grub_tcg2_cap_pcr(), a new
function designed to enhance the security of sealed keys. Its primary
purpose is to "cap" a specific PCR by extending it with an EV_SEPARATOR
event. This action cryptographically alters the PCR value, making it
impossible to unseal any key that was previously sealed to the original
PCR state. Consequently, the sealed key remains protected against
unauthorized unsealing attempts until the associated PCRs are reset to
their initial configuration, typically occurring during a subsequent
system boot.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/lib/tss2/tcg2.h

index 3d26373ddf8c2060050fc2e99aa5b5b7fad103ab..ba3d112783638d744684aaaf7bf36dc18b712686 100644 (file)
@@ -23,6 +23,8 @@
 #include <grub/err.h>
 #include <grub/types.h>
 
+#define GRUB_EV_SEPARATOR 0x04
+
 extern grub_err_t
 grub_tcg2_get_max_output_size (grub_size_t *size);
 
@@ -32,4 +34,7 @@ grub_tcg2_submit_command (grub_size_t input_size,
                          grub_size_t output_size,
                          grub_uint8_t *output);
 
+extern grub_err_t
+grub_tcg2_cap_pcr (grub_uint8_t pcr);
+
 #endif /* ! GRUB_TPM2_TCG2_HEADER */
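Review bot: The new `grub_tcg2_cap_pcr (grub_uint8_t pcr)` prototype has no comment describing its contract, and for a function whose purpose is to lock out unsealing, that contract is what callers need. I would add a doc comment above the declaration saying that it extends the given PCR with an EV_SEPARATOR event, that this cannot be undone until the PCR is reset, and which PCR indices are valid. The `grub_uint8_t` parameter admits 0–255, and any range check lives in the implementation, which is outside this hunk. The comment should also say that a return other than `GRUB_ERR_NONE` presumably means the PCR was not capped, so keys sealed to it may still be unsealable. Because ignoring the return value silently defeats the protection, it may be worth marking the declaration with the project's warn-unused-result attribute, if this tree has one.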