LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.

Fixes linuxboot#1092.
Supersedes linuxboot#1093.

- Cherry-picks ed1c23a (credit to @hardened-vault, thank you!)
- Addresses and corrects self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical to ed1c23a
  - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-03-26 14:20:48 -04:00
parent 8fcf1ddba8
commit adda59c675
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 11 additions and 0 deletions


@ -57,6 +57,9 @@ tpmr extend -ix 4 -ic generic ||
# Check to continue # Check to continue
if [ "$unseal_failed" = "y" ]; then if [ "$unseal_failed" = "y" ]; then
confirm_boot="n" confirm_boot="n"
if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
fi
read \ read \
-n 1 \ -n 1 \
-p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \
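Review bot: the new `diff` guard only speaks when the headers are identical; if either `$(dirname $INITRD)/kexec_lukshdr_hash.txt` or `/tmp/luksDump.txt` is missing, `diff` fails just as it does on a real header change, and the user sees nothing in both cases. The other hunk in this commit checks `-e` on both files before comparing and warns when they are absent; mirror that here so a missing measurement file is reported rather than silently treated as "headers changed". Also quote the path expansion, `"$(dirname "$INITRD")/kexec_lukshdr_hash.txt"`, since `$INITRD` is unquoted inside the command substitution, and note that this hunk derives the hash path from `$INITRD` while the other hunk hardcodes `/boot/`; pick one so both checks look at the same file.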


@ -40,6 +40,14 @@ for tries in 1 2 3; do
DEBUG $(pcrs) DEBUG $(pcrs)
warn "Unable to unseal disk encryption key" warn "Unable to unseal disk encryption key"
if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then
if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate."
fi
else
warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt"
warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu."
fi
done done
die "Retry count exceeded..." die "Retry count exceeded..."
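Review bot: the `else` branch fires when either file is missing but its message names only `/boot/kexec_lukshdr_hash.txt`, so a user whose `/tmp/luksDump.txt` was never produced is pointed at the wrong file; split the two existence checks (or name both files in the warning) so the advice to set up a new default boot and Disk Unlock Key is only given when the sealed hash file is actually absent. Minor: `[ -e a -a -e b ]` relies on the obsolescent `-a` operator; `[ -e a ] && [ -e b ]` is the portable form. Since this block sits inside `for tries in 1 2 3`, the header-change warning is printed on every failed attempt; that matches the existing `warn "Unable to unseal disk encryption key"`, but the first occurrence is the one that matters, so consider emitting the investigation hint once, before `die`, to keep the screen readable.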