开源软件名称(OpenSource Name):fox-it/linux-luks-tpm-boot开源软件地址(OpenSource Url):https://github.com/fox-it/linux-luks-tpm-boot开源编程语言(OpenSource Language):Shell 100.0%开源软件介绍(OpenSource Introduction):linux-luks-tpm-bootMovedThis repository is maintained by the original author at https://github.com/morbitzer/linux-luks-tpm-boot Please open any new issues/PRs here. The original guide is below for reference. IntroductionIn my two and a half years as penetration tester, I had to learn the lesson that nowadays, physical access to a system doesn't necessarily mean access to all its secret data. I'm not much of a Windows guy, but I have to admit that Microsoft’s Bitlocker does a nice job with encrypting the harddisk and decrypting it at boot time without the user even noticing. If something in the boot-process is changed by an attacker, the system won't start up without having received the correct Bitlocker recovery key. This makes it more difficult (I'm not saying impossible) for an attacker to gain access to a system for which he doesn't know the password, even though the system isn't asking for anything during boot time. All this is achieved with the help of a little chip on the mainboard, the Trusted Platform Module (TPM). Being a Linux guy myself, I wanted to achieve with my favorite OS what Windows was already capable of. I was not able to find a full guide how to use LUKS or any other disk-encryption in combination with the TPM under Linux, thus motivating me to investigate and describe this process. Everything that is needed already exists, but it took me quite a while to have everything set up correctly. I hope that with this guide I can save some people that work. So, let's get started. Make sure you are using BIOS, not UEFIUnfortunately, the TrustedGRUB2 bootloader we will be using doesn't yet support UEFI, so make sure you are using the classical BIOS. You can follow updates on the UEFI support of TrustedGRUB2 here Install the distro of your choicePersonally, I prefer Debian. The installer allows you to encrypt everything except the /boot partition with LUKS ( Configuring your TPMYou'll have to take ownership of your TPM in case you haven't done so yet. You might be required to clear your TPM before you do this. Unfortunately, there is no defined way of how to do this, it depends on the hardware you are using. You'll probably be able to reset the TPM in your BIOS – for the systems I have seen so far, you can find the TPM settings under First, install
Afterwards, you can take ownership of the TPM:
The Install TrustedGRUB2Installing TrustedGRUB2 can be done by simply following the readme: git clone https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2
cd TrustedGRUB2
sudo aptitude install autogen autoconf automake gcc bison flex
./autogen.sh
./configure --prefix=INSTALLDIR --target=i386 -with-platform=pc
make
sudo make install
sudo ./sbin/grub-install --directory=INSTALLDIR/lib/grub/i386-pc /dev/sda Where During the install, you might get a warning that the directory /share/locale is missing. You can solve this issue by copying the folder from
Now you can reboot to see if everything works. In your GRUB-selection screen, the title should now say
If TrustedGRUB2 works, you'll see that besides PCRs 0-7, which have been measured by the BIOS, also PCRs 8-13 contain measurements. The exception here is PCR-12, which normally contains the measurement of the LUKS header. However, since there is no decryption being done in the bootloader, this register stays empty. For the curious, this is what measurements the single PCRs contain (taken from the TrustedGRUB2 readme):
Add key file to LUKSNext, we are going to create a key file, which we will be add to our keys for the LUKS-encryption partition. Afterwards, we will store this key file in the TPMs NVRAM to use for decryption during boot time. First, create a key file. I am using
Make sure it's not readable for users:
Then, add the keyfile to LUKS:
NOTE: Some people might not like the idea of the keyfile being (temporary) stored on the harddisk. Personally, I don't really see a problem with that, since it is stored on an encrypted harddisk. If an attacker is able to read the keyfile from your encrypted harddisk, you are in much bigger trouble anyway. Also, what's the purpose of the whole disk-encryption idea? Stopping an attacker with physical access to your machine from reading your files. So, in case somebody can read your /secret.bin, he or she has defeated or bypassed your disk encryption anyway. (And also has root access to your machine... ) Further, if we do not store or wipe the keyfile, we would be required to create a new LUKS key and remove the old one each time there was for example a kernel update. For all those reasons, I currently don't see a reason for not storing the keyfile on your harddisk. However, I might still add this functionality at some point in time for the sake of it. In case I forgot to consider something important in this decision, please let me know! [^note on /dev/random]: Compared to /dev/random, /dev/urandom will block if the entropy pool is exhausted, so creation of your keyfile will probably take longer by using /dev/random. However, you could also use your TPM to increase the speed of your /dev/random Install necessary scriptsWe will store the secret directly in the TPM - in its NVRAM. There's a tool for that called tpm-luks, but it seemed to be a bit too much for what I needed (and only works with dracut), so I created my own bash scripts. First, to make things easier, I've created sudo mv seal-nvram.sh /sbin/
sudo chmod +x /sbin/seal-nvram.sh
Further, I have created a script that gets the content out of the NVRAM. This script will only be able to read the secret from NVRAM once, since it afterwards blocks further reads by reading 0 bits from the NVRAM area (see READ_STCLEAR). Again, it's a bit hacky, but it does its job: sudo mv getsecret.sh /sbin/
sudo chmod +x /sbin/getsecret.sh Now you can use sudo /sbin/seal-nvram.sh -z
sudo /sbin/getsecret.sh | hexdump -C
sudo hexdump -C /secret.bin The last two commands should produce the same output. While Changing /etc/crypttabWhen this all works, you can adapt your
Add the keyscript parameter, so that your system will know to get the key file from the standard output of
Configuring the initramfsWe are nearly done. The only thing left is to add some things to the initrd, so that we are able to communicate with the TPM while in the initrd. But before we mess around with our initrd, let's make a backup of the one we have:
Afterwards, we create a hook for the initramfs-tools. This is a script that adds the additional files to the initrd that we will need to talk to the TPM within the initrd. So download sudo mv tpm-hook /etc/initramfs-tools/hooks/
sudo chmod +x /etc/initramfs-tools/hooks/tpm-hook We also need a second script that starts up the tcsd daemon that communicates with the TPM in the initrd, sudo mv tpm-script /etc/initramfs-tools/scripts/init-premount/
sudo chmod +x /etc/initramfs-tools/scripts/init-premount/tpm-script NOTE: To write those scripts, I did take a massive amount of inspiration from this and that post on the TrouSers mailing list as well as from this script. Also, we need to tell the initrd to load the TPM modules. For this, add these two lines to
Now you are ready to create a new initrd:
Finally, you are ready to reboot your system. If everything went well, you should not be asked for a password during boottime. In case something went wrong, press E in the TrustedGRUB2 boot menu. Then, append Sealing the NVRAMNow that you rebooted, your PCRs contain the up to date values from your new configuration that reads the keyfile from NVRAM during boottime. This means that you are now able to seal the NVRAM, meaning the NVRAM index can't be read if something is changed in the boot process (kernel, initrd, grub-modules, grub-arguments, etc… )
Checking if it worksIf you now reboot again, your system shouldn't boot up when you edit for example the boot menu entries. Just give it a try, press E in the TrustedGRUB2 boot menu. Then edit for example one of the The system still boots up, although it shouldn't? Have a look at the next step… Setting the nvLocked bitOn one of my test systems, I had the problem that the secret stored in the NVRAM could be read even when the PCRs it was sealed to had changed. It took me quite a long time to figure out what went wrong: Apparently, the TPM manufacturer didn't set the You'll have to define an area the size 0 at position
This solved the problem for me. Afterwards, my sealed NVRAM areas couldn't be read anymore if the PCRs it was sealed to had changed, and my system was finally save again. As Ken Goldman correctly pointed out:
Thanks a lot to Frank Grötzner and Ken Goldman! Booting if something went wrong (or if there was a kernel update)As described earlier, in case something went wrong within this process, or if there was a kernel update and your system won't read the contents of the NVRAM because the kernel-checksum has changed, press E in the TrustedGRUB2 boot menu. Then, append an ".orig" on the line were the initrd is specified. Now press F10 to boot. This allows you to boot the “normal” way, by providing a passphrase. NOTE: This is why I recommend not to remove the passphrase from your LUKS partition! Kernel updateThe section above explains you how to be able to boot your system after a kernel update. Once you booted up, you can run TODO: Encrypting /bootSince version 2.02, the default installation of GRUB2 can also handle an encrypted /boot partition . Therefore, you would also be able to encrypt your /boot partition, as show for example by Pavel Kogan here and here TrustedGRUB2 can be installed if However, I did have issues using shpedoikal's tpm-sealdata-raw-branch of tpm-tools which would provide the If you would like to read further on this topic, follow these links: issue 5, [issue 22] (Rohde-Schwarz/TrustedGRUB2#22) |
2023-10-27
2022-08-15
2022-08-17
2022-09-23
2022-08-13
请发表评论