From 53c3dc557890466757090ee390a2c5d241e50483 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types

Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
to support those parameters.

Also prevent RSA SRK type from being overwritten when 'rsaparent' is set
in the key file.

Signed-off-by: Gary Lin <glin@suse.com>
---
 grub-core/tpm2/args.c   | 10 ++++++++++
 grub-core/tpm2/module.c | 18 +++++++++++++++---
 util/grub-protect.c                            |  4 ++--
 3 files changed, 27 insertions(+), 5 deletions(-)

Index: grub-2.12/grub-core/tpm2/args.c
===================================================================
--- grub-2.12.orig/grub-core/tpm2/args.c
+++ grub-2.12/grub-core/tpm2/args.c
@@ -92,6 +92,16 @@ grub_tpm2_protector_parse_asymmetric (co
       srk_type->type = TPM_ALG_RSA;
       srk_type->detail.rsa_bits = 2048;
     }
+  else if (grub_strcasecmp (value, "RSA3072") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 3072;
+    }
+  else if (grub_strcasecmp (value, "RSA4096") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 4096;
+    }
   else
     return grub_error (GRUB_ERR_OUT_OF_RANGE,
 		       N_("Value '%s' is not a valid asymmetric key type"),
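Review bot: The RSA3072 and RSA4096 branches are copies of the RSA2048 branch above them with only the bit size changed, and the same three name strings are repeated by hand in srk_type_to_name in module.c (the 3072/4096 cases of this patch), so adding a size means editing two lists that can drift apart. A static name/bits table walked with grub_strcasecmp folds the three branches into one loop and gives srk_type_to_name a single list to look the name up in. The sketch below assumes the else-if chain ends with the out-of-range error at the bottom of the hunk and that the plain "RSA" alias, whose condition is above the hunk, stays as its own branch; the rest of grub_tpm2_protector_parse_asymmetric is outside the hunk.
```c
/* Accepted RSA SRK names and their key sizes; shared by the parser and
   srk_type_to_name so the two cannot disagree.  */
static const struct
{
  const char *name;
  unsigned int bits;
} rsa_srk_types[] = {
  { "RSA2048", 2048 },
  { "RSA3072", 3072 },
  { "RSA4096", 4096 },
};

/* … unchanged: start of grub_tpm2_protector_parse_asymmetric, "RSA" alias branch … */
  for (grub_size_t i = 0; i < ARRAY_SIZE (rsa_srk_types); i++)
    if (grub_strcasecmp (value, rsa_srk_types[i].name) == 0)
      {
	srk_type->type = TPM_ALG_RSA;
	srk_type->detail.rsa_bits = rsa_srk_types[i].bits;
	return GRUB_ERR_NONE;
      }
  /* … unchanged: ECC branch and the final GRUB_ERR_OUT_OF_RANGE return … */
```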
Index: grub-2.12/grub-core/tpm2/module.c
===================================================================
--- grub-2.12.orig/grub-core/tpm2/module.c
+++ grub-2.12/grub-core/tpm2/module.c
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub
       .arg      = NULL,
       .type     = ARG_TYPE_STRING,
       .doc      =
-	N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
-	   "(default: ECC)"),
+	N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+	  "and ECC (ECC_NIST_P256). (default: ECC)"),
     },
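Review bot: The continuation line of the new option text is indented one column less than the line it replaces and than the matching change in util/grub-protect.c in this patch (tab plus two spaces instead of tab plus three), so the two string pieces no longer line up under `N_(`. Restoring the original alignment, `	   "and ECC (ECC_NIST_P256). (default: ECC)"),`, keeps the option table consistent with its neighbours. The option table continues outside the hunk.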
     /* NV Index-mode options */
     {
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_ty
 	{
 	  case 2048:
 	    return "RSA2048";
+	  case 3072:
+	    return "RSA3072";
+	  case 4096:
+	    return "RSA4096";
 	}
    }
 
@@ -563,6 +567,14 @@ grub_tpm2_protector_load_key (const stru
     },
     {
       .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 4096,
+    },
+    {
+      .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 3072,
+    },
+    {
+      .type = TPM_ALG_RSA,
       .detail.rsa_bits = 2048,
     },
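Review bot: The new RSA4096 and RSA3072 entries are placed ahead of RSA2048 in this candidate list, so if grub_tpm2_protector_load_key walks the list in order (the loop and the entries around these are outside the hunk), a host whose SRK is the common RSA2048 would first ask the TPM to create an RSA-4096 and then an RSA-3072 primary before reaching the match; RSA primary creation is slow on many TPMs, and not every TPM supports RSA-4096, so that is likely two failed or slow attempts on every boot that takes this path. Appending the new sizes after RSA2048 instead keeps the previous behaviour for existing installations and tries the rarer sizes last. The list would also benefit from a comment stating the contract, e.g. `/* SRK types tried in turn; keep the common sizes first, RSA primary creation is expensive.  */`, since the order is now load-bearing.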
     {
@@ -936,7 +948,7 @@ grub_tpm2_protector_srk_recover (const s
       if (err != GRUB_ERR_NONE)
 	goto exit1;
 
-      if (rsaparent == 1)
+      if (rsaparent == 1 && ctx->srk_type.type != TPM_ALG_RSA)
 	{
 	  struct grub_tpm2_protector_context *ctx_w;
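Review bot: The added `ctx->srk_type.type != TPM_ALG_RSA` condition carries no explanation, and a reader of the rsaparent block (whose body continues outside the hunk) cannot tell why an RSA selection is exempt; a comment such as `/* A user-selected RSA SRK (RSA2048/3072/4096) is kept; the key file's rsaparent hint only overrides a non-RSA type.  */` would record the intent from the commit message. It is also worth noting in that comment that the rsaparent hint presumably carries no key size, so a key sealed under an RSA2048 parent will still fail to unseal when the user configured RSA3072 or RSA4096 and the mismatch only surfaces later as an unseal error, if I read the surrounding code correctly.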
 
Index: grub-2.12/util/grub-protect.c
===================================================================
--- grub-2.12.orig/util/grub-protect.c
+++ grub-2.12/util/grub-protect.c
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_o
       .arg   = "TYPE",
       .flags = 0,
       .doc   =
-	N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
-	   "(default: ECC)"),
+	N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+	   "and ECC (ECC_NIST_P256). (default: ECC)"),
       .group = 0
     },
     {
