From adda59c6752719bb4cbbbfcd5268bff00df5bbdf Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Tue, 26 Mar 2024 14:20:48 -0400
Subject: [PATCH] LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.

Fixes linuxboot#1092. Supersedes linuxboot#1093

- Cherry-picks ed1c23a (credit to @hardened-vault, thank you!)
- Addresses and corrects self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
- kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed. (linuxboot#1093 (comment))
- kexec-seal-key: Identical to ed1c23a
- kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
- Here, we cancel the diff output shown on screen (linuxboot#1093 (comment))
- And we change the warning given to the user to past tense: "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion
---
 initrd/bin/kexec-insert-key | 3 +++
 initrd/bin/kexec-unseal-key | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index f06c5483..674aab4e 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -57,6 +57,9 @@ tpmr extend -ix 4 -ic generic || # Check to continue if [ "$unseal_failed" = "y" ]; then confirm_boot="n" + if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then + echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." + fi read \ -n 1 \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \
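Review bot: the `if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt` test in the kexec-insert-key hunk only speaks up in the unchanged case; when either file is absent, diff exits non-zero and the user is told nothing, so silence here is indistinguishable from "headers changed". Mirror the existence check the kexec-unseal-key hunk already does before its diff, quote `"$INITRD"` inside the command substitution, and consider telling the user what the unchanged result implies: if the saved header dump matches, the unseal failure has some other cause (the kexec-unseal-key hunk logs `DEBUG $(pcrs)` for exactly that), which is the hint a user deciding whether to type the Disk Recovery Key actually needs. Two smaller points: the saved dump is looked up under `$(dirname $INITRD)` here but at the hardcoded `/boot/kexec_lukshdr_hash.txt` in kexec-unseal-key, so the two scripts can disagree unless INITRD sits directly under /boot; and the commit message calls this script kexec-add-key while the file modified is initrd/bin/kexec-insert-key.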
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key index 3f18c435..6f5cbd9f 100755 --- a/initrd/bin/kexec-unseal-key +++ b/initrd/bin/kexec-unseal-key @@ -40,6 +40,14 @@ for tries in 1 2 3; do DEBUG $(pcrs) warn "Unable to unseal disk encryption key" + if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then + if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then + warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate." + fi + else + warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt" + warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu." + fi done die "Retry count exceeded..."
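Review bot: the header comparison in the kexec-unseal-key hunk sits inside `for tries in 1 2 3; do`, so every failed attempt re-runs the diff and repeats the two-line warning, up to three times before `die "Retry count exceeded..."`; the files on disk do not change between attempts, so the check belongs after the loop (or guarded on the last try) so the user sees it once, next to the die message. `[ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]` uses the obsolescent `-a` binary of test; `[ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]` is the portable form. On wording, `warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM ..."` states more than the hunk checks: it diffs two plain files and verifies neither, so it can only say that the current header dump differs from the copy saved at seal time, and the saved copy itself is what the TPM measurement, not this diff, vouches for; phrase it as a hint to that effect and drop the "LUKS(es)" plural. The else branch's second warn also points at "Show OS boot menu" where the commit message calls the same entry "Show OS boot options"; pick one label.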