File 0001-Improve-TPM-key-protection-on-boot-interruptions.patch of Package grub2

From 7b6cdb8ff71e43f95de9cefc19a7949e924c2be9 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 17 Nov 2023 12:32:59 +0800
Subject: [PATCH 1/2] Improve TPM key protection on boot interruptions

The unattended boot process for full disk encryption relies on an
authorized TPM policy to ensure the system's integrity before releasing
the key to grub. Subsequently, grub assumes responsibility for securing
the boot process, directing it towards a trusted default without any
expected interruptions. Any interruption during this process indicates
potential modification attempts, and releasing the obtained key to the
next stage should not occur in such cases.

This commit addresses a vulnerability associated with interrupted boot
processes that could potentially enable malicious modifications to the
default or trusted boot target. To reinforce system security, the code
has been updated to incorporate measures that discard the TPM protected
key in the event of boot interruptions.

Furthermore, this patch aims to enhance code readability by renaming
structures and function names related to cryptographic keys, improving
clarity and maintainability.

By implementing these changes, this enhancement seeks to fortify the
protection of TPM keys, thereby ensuring a more robust defense against
potential unauthorized modifications during the boot process.

v2: erase cached credentials in grub_cryptodisk_erasesecrets

Signed-Off-by Michael Chang <mchang@suse.com>
---
 grub-core/commands/crypttab.c | 38 ++++++++++++++++++++++++++---------
 grub-core/disk/cryptodisk.c   | 10 ++++++++-
 grub-core/loader/linux.c      |  6 +++---
 grub-core/normal/main.c       |  2 +-
 grub-core/normal/menu.c       |  7 +++++++
 grub-core/normal/menu_entry.c |  2 +-
 include/grub/crypttab.h       | 18 ++++++++++-------
 7 files changed, 61 insertions(+), 22 deletions(-)

diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
index c2217ca980..9397bede9e 100644
--- a/grub-core/commands/crypttab.c
+++ b/grub-core/commands/crypttab.c
@@ -9,17 +9,20 @@
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
-struct grub_key_publisher *kpuber;
+grub_crypto_key_list_t *cryptokey_lst;
 
 grub_err_t
-grub_initrd_publish_key (const char *uuid, const char *key, grub_size_t key_len, const char *path)
+grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key_len, const char *path, int is_tpmkey)
 {
-  struct grub_key_publisher *cur = NULL;
+  grub_crypto_key_list_t *cur = NULL;
 
-  FOR_LIST_ELEMENTS (cur, kpuber)
+  FOR_LIST_ELEMENTS (cur, cryptokey_lst)
     if (grub_uuidcasecmp (cur->name, uuid, sizeof (cur->name)) == 0)
       break;
 
+  if (!cur && !uuid)
+    return GRUB_ERR_NONE;
+
   if (!cur)
     cur = grub_zalloc (sizeof (*cur));
   if (!cur)
@@ -44,21 +47,24 @@ grub_initrd_publish_key (const char *uuid, const char *key, grub_size_t key_len,
       cur->path = grub_strdup (path);
     }
 
+  if (is_tpmkey >= 0)
+    cur->is_tpmkey = is_tpmkey;
+
   if (!cur->name)
     {
       cur->name = grub_strdup (uuid);
-      grub_list_push (GRUB_AS_LIST_P (&kpuber), GRUB_AS_LIST (cur));
+      grub_list_push (GRUB_AS_LIST_P (&cryptokey_lst), GRUB_AS_LIST (cur));
     }
 
   return GRUB_ERR_NONE;
 }
 
 void
-grub_initrd_discard_key (void)
+grub_cryptokey_discard (void)
 {
-  struct grub_key_publisher *cur, *nxt;
+  grub_crypto_key_list_t *cur, *nxt;
 
-  FOR_LIST_ELEMENTS_SAFE (cur, nxt, kpuber)
+  FOR_LIST_ELEMENTS_SAFE (cur, nxt, cryptokey_lst)
 	{
 	  grub_list_remove (GRUB_AS_LIST (cur));
 	  grub_memset (cur->key, 0, cur->key_len);
@@ -69,6 +75,20 @@ grub_initrd_discard_key (void)
 	}
 }
 
+void
+grub_cryptokey_tpmkey_discard (void)
+{
+  grub_crypto_key_list_t *cur = NULL;
+
+  FOR_LIST_ELEMENTS (cur, cryptokey_lst)
+    if (cur->is_tpmkey)
+      break;
+
+  /* Discard all keys if any of them is tpm */
+  if (cur)
+    grub_cryptokey_discard();
+}
+
 static grub_err_t
 grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
 	       int argc, char **argv)
@@ -92,7 +112,7 @@ grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
     }
 
   /*FIXME: Validate UUID string*/
-  return grub_initrd_publish_key (argv[1], NULL, 0, path);
+  return grub_cryptokey_add_or_update (argv[1], NULL, 0, path, -1);
 }
 
 static grub_command_t cmd;
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index cb87d337ac..5fd68f4549 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name,
   struct cryptodisk_read_hook_ctx read_hook_data = {0};
   int askpass = 0;
   char *part = NULL;
+#ifndef GRUB_UTIL
+  int is_tpmkey = 0;
+#endif
 
   dev = grub_cryptodisk_get_by_source_disk (source);
 
@@ -1185,6 +1188,7 @@ grub_cryptodisk_scan_device_real (const char *name,
 	        goto error;
 #ifndef GRUB_UTIL
 	      grub_cli_set_auth_needed ();
+	      is_tpmkey = 1;
 #endif
 	      goto cleanup;
 	    }
@@ -1247,7 +1251,7 @@ grub_cryptodisk_scan_device_real (const char *name,
 
 #ifndef GRUB_UTIL
   if (cargs->key_data && dev)
-    grub_initrd_publish_key (dev->uuid, (const char *)cargs->key_data, cargs->key_len, NULL);
+    grub_cryptokey_add_or_update (dev->uuid, (const char *)cargs->key_data, cargs->key_len, NULL, is_tpmkey);
 #endif
   if (askpass)
     {
@@ -1792,6 +1796,10 @@ grub_cryptodisk_erasesecrets (void)
   grub_cryptodisk_t i;
   grub_uint8_t *buf;
 
+#ifndef GRUB_UTIL
+  grub_cryptokey_discard ();
+#endif
+
   buf = grub_zalloc (GRUB_CRYPTODISK_MAX_KEYLEN);
   if (buf == NULL)
     grub_fatal ("grub_cryptodisk_erasesecrets: cannot allocate memory");
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 9ee8f37907..e5e7929581 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -226,13 +226,13 @@ grub_initrd_init (int argc, char *argv[],
   int i;
   int newc = 0;
   struct dir *root = 0;
-  struct grub_key_publisher *pk;
+  grub_crypto_key_list_t *pk;
   int numkey = 0;
 
   initrd_ctx->nfiles = 0;
   initrd_ctx->components = 0;
 
-  FOR_LIST_ELEMENTS (pk, kpuber)
+  FOR_LIST_ELEMENTS (pk, cryptokey_lst)
     if (pk->key && pk->path)
       numkey++;
 
@@ -305,7 +305,7 @@ grub_initrd_init (int argc, char *argv[],
 	goto overflow;
     }
 
-  FOR_LIST_ELEMENTS (pk, kpuber)
+  FOR_LIST_ELEMENTS (pk, cryptokey_lst)
     if (pk->key && pk->path)
       {
 	grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx);
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 320adbe337..343cdbae2c 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -599,7 +599,7 @@ grub_cmdline_run (int nested, int force_auth)
       return;
     }
 
-  grub_initrd_discard_key ();
+  grub_cryptokey_discard ();
   grub_normal_reader_init (nested);
 
   while (1)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index f243c5e0bd..897da6abac 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -32,6 +32,7 @@
 #include <grub/script_sh.h>
 #include <grub/gfxterm.h>
 #include <grub/dl.h>
+#include <grub/crypttab.h>
 #ifdef GRUB_MACHINE_IEEE1275
 #include <grub/ieee1275/ieee1275.h>
 #endif
@@ -769,6 +770,7 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot, int *notify_boot)
 	  if (grub_key_is_interrupt (key))
 	    {
 	      timeout = -1;
+	      grub_cryptokey_tpmkey_discard();
 	      break;
 	    }
 
@@ -851,6 +853,11 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot, int *notify_boot)
 	      clear_timeout ();
 	    }
 
+	  /* Timeout is interrupted by external input, Forget tpmkey if timeout
+	   * is not cut by enter */
+	  if (c != '\n' && c != '\r')
+	      grub_cryptokey_tpmkey_discard();
+
 	  switch (c)
 	    {
 	    case GRUB_TERM_KEY_HOME:
diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
index 38c958e657..bbd05e5638 100644
--- a/grub-core/normal/menu_entry.c
+++ b/grub-core/normal/menu_entry.c
@@ -1331,7 +1331,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
       return;
     }
 
-  grub_initrd_discard_key();
+  grub_cryptokey_discard();
 
   screen = make_screen (entry);
   if (! screen)
diff --git a/include/grub/crypttab.h b/include/grub/crypttab.h
index 113c53cfce..f86404686f 100644
--- a/include/grub/crypttab.h
+++ b/include/grub/crypttab.h
@@ -4,21 +4,25 @@
 #include <grub/types.h>
 #include <grub/err.h>
 
-struct grub_key_publisher
+typedef struct grub_crypto_key_list
 {
-  struct grub_key_publisher *next;
-  struct grub_key_publisher **prev;
+  struct grub_crypto_key_list *next;
+  struct grub_crypto_key_list **prev;
   char *name; /* UUID */
   char *path;
   char *key;
   grub_size_t key_len;
-};
+  int is_tpmkey;
+} grub_crypto_key_list_t;
 
-extern struct grub_key_publisher *EXPORT_VAR (kpuber);
+extern grub_crypto_key_list_t *EXPORT_VAR (cryptokey_lst);
 
 grub_err_t
-grub_initrd_publish_key (const char *uuid, const char *key, grub_size_t key_len, const char *path);
+grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key_len, const char *path, int is_tpmkey);
 
 void
-grub_initrd_discard_key (void);
+grub_cryptokey_discard (void);
+
+void
+grub_cryptokey_tpmkey_discard (void);
 #endif /* ! GRUB_CRYPTTAB_HEADER */
-- 
2.49.0