ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key

Browse Source 
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-03-27 10:04:10 -04:00
parent adda59c675
commit f6232aa70f
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
7 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
FAQ.md
View File

@ -112,8 +112,8 @@ your disk password, which is perhaps an improvement.
Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase? Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase?
--- ---
Depends on your threat model. With the disk key in the TPM an attacker Depends on your threat model. With the Disk Unlock Key in the TPM an
would need to have the entire machine (or a backdoor in the TPM) attacker would need to have the entire machine (or a backdoor in the TPM)
to get the key and their attempts to unlock it can be rate limited to get the key and their attempts to unlock it can be rate limited
by the TPM hardware. by the TPM hardware.

14
initrd/bin/kexec-insert-key
View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Unseal a disk key from TPM and add to a new initramfs # Unseal a LUKS Disk Unlock Key from TPM and add to a new initramfs
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
@ -28,7 +28,7 @@ if [ -r "$TMP_KEY_LVM" ]; then
die "$VOLUME_GROUP: unable to activate volume group" die "$VOLUME_GROUP: unable to activate volume group"
fi fi
# Measure the LUKS headers before we unseal the disk key # Measure the LUKS headers before we unseal the LUKS Disk Unlock Key from TPM
cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks || cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks ||
die "LUKS measure failed" die "LUKS measure failed"
@ -40,13 +40,13 @@ SECRET_CPIO=/tmp/secret/initrd.cpio
bootdir=$(dirname "$INITRD") bootdir=$(dirname "$INITRD")
mkdir -p "$INITRD_DIR/etc" mkdir -p "$INITRD_DIR/etc"
# Attempt to unseal the disk key from the TPM # Attempt to unseal the Disk Unlok Key from the TPM
# should we give this some number of tries? # should we give this some number of tries?
unseal_failed="n" unseal_failed="n"
if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
unseal_failed="y" unseal_failed="y"
echo echo
echo "!!! Failed to unseal the TPM LUKS disk key" echo "!!! Failed to unseal the TPM LUKS Disk Unlock Key"
fi fi
# Override PCR 4 so that user can't read the key # Override PCR 4 so that user can't read the key
@ -57,8 +57,8 @@ tpmr extend -ix 4 -ic generic ||
# Check to continue # Check to continue
if [ "$unseal_failed" = "y" ]; then if [ "$unseal_failed" = "y" ]; then
confirm_boot="n" confirm_boot="n"
if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then if cmp -s "$bootdir/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." echo "Encrypted disk keys(s) have not been changed since sealed in TPM Disk Unlock Key"
fi fi
read \ read \
-n 1 \ -n 1 \
@ -69,7 +69,7 @@ if [ "$unseal_failed" = "y" ]; then
-a "$confirm_boot" != 'Y' \ -a "$confirm_boot" != 'Y' \
-a -n "$confirm_boot" ] \ -a -n "$confirm_boot" ] \
; then ; then
die "!!! Aborting boot due to failure to unseal TPM disk key" die "!!! Aborting boot due to failure to unseal TPM Disk Unlock Key"
fi fi
fi fi

2
initrd/bin/kexec-save-default
View File

@ -195,7 +195,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES" DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES"
read \ read \
-n 1 \ -n 1 \
-p "Do you want to reseal a disk key to the TPM [y/N]: " \ -p "Do you want to reseal a Disk Unlock Key in the TPM [y/N]: " \
change_key_confirm change_key_confirm
echo echo

4
initrd/bin/kexec-select-boot
View File

@ -70,6 +70,8 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
else else
warn "Hash of TPM2 primary key handle does not exist" warn "Hash of TPM2 primary key handle does not exist"
warn "Please rebuild the boot hash tree" warn "Please rebuild the boot hash tree"
warn "Select Options-> Update checksums and sign all files in /boot"
#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
default_failed="y" default_failed="y"
DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE" DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
fi fi
@ -340,7 +342,7 @@ do_boot() {
fi fi
kexec-insert-key $INITRD || kexec-insert-key $INITRD ||
die "!!! Failed to insert disk key into a new initrd" die "!!! Failed to prepare TPM Disk Unlock Key for boot"
kexec-boot -b "$bootdir" -e "$option" \ kexec-boot -b "$bootdir" -e "$option" \
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" || -a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" ||

13
initrd/bin/kexec-unseal-key
View File

@ -38,15 +38,14 @@ for tries in 1 2 3; do
exit 0 exit 0
fi fi
DEBUG $(pcrs) warn "Unable to unseal LUKS Disk Unlock Key from TPM"
warn "Unable to unseal disk encryption key" if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then
if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then warn "Encrypted disk keys(s) have changed since sealed in TPM Disk Unlock Key. You might want to investigate."
warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate."
fi fi
else else
warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt" warn "Could not check for tampering of Encrypted disk keys(s)"
warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu." warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)."
fi fi
done done

2
initrd/bin/oem-factory-reset
View File

@ -893,7 +893,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo "Each prompt requires a single letter answer: eg. (Y/n)." echo "Each prompt requires a single letter answer: eg. (Y/n)."
echo -e "If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. Y, above.\n" echo -e "If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. Y, above.\n"
# Re-ownership of encrypted disk key, content and passphrase # Re-ownership of LUKS encrypted Disk: key, content and passphrase
echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: " echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: "
read -n 1 prompt_output read -n 1 prompt_output
echo echo

2
initrd/init
View File

@ -12,7 +12,7 @@ export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
# running out of the ram disk. There are no fileysstems mounted. # running out of the ram disk. There are no fileysstems mounted.
# It is important to have a way to invoke a recovery shell in case # It is important to have a way to invoke a recovery shell in case
# the boot scripts are messed up, but also important to modify the # the boot scripts are messed up, but also important to modify the
# PCRs if this happens to prevent the TPM disk keys from being revealed. # PCRs if this happens to prevent the TPM Disk Unlock Keys from being revealed.
# First thing it is vital to mount the /dev and other system directories # First thing it is vital to mount the /dev and other system directories
mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&- mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-