Verified Commit 2f2a0cb7 authored by Robotka István Adrián's avatar Robotka István Adrián

add files

data
# Setup TPM2 for LUKS
Source: https://threat.tevora.com/secure-boot-tpm-2/
## Install
```
./setup-tpm.sh
cp passphrase-from-tpm /usr/local/bin/passphrase-from-tpm
cp initramfs-hook /etc/initramfs-tools/hooks/tpm2
nano /etc/crypttab   # add keyscript=/usr/local/bin/passphrase-from-tpm to the options of the LUKS root entry
update-initramfs -u
```
Notes:
- The scripts assume tpm2-tools/tpm2-tss installed under `/usr/local` (a source build, as in the linked guide). If you installed the distro package instead, adjust the `/usr/local/bin/tpm2_unseal` and `/usr/local/lib/libtss2-tcti-device.so` paths in `passphrase-from-tpm` and `initramfs-hook`.
- `data/` ends up holding the LUKS passphrase in plaintext (`luks.pass`, `luks.pass.check`); keep it out of version control and delete it once the key is enrolled.
- The keyscript falls back to an interactive passphrase prompt, so keep a regular passphrase in another LUKS key slot: it is the only way in after a firmware or bootloader change alters the PCRs.
## PCR values
0 BIOS
1 BIOS configuration
2 Option ROMs
3 Option ROM configuration
4 MBR (master boot record)
5 MBR configuration
6 State transitions and wake events
7 Platform manufacturer specific measurements (on UEFI firmware this is where the Secure Boot policy/state is measured, which is why it is worth binding to)
8-10 OS values (8-15 originally)
Could easily change (binding to them means the key stops unsealing after routine updates, until you re-run the setup):
1 BIOS configuration
4 MBR / bootloader
8,9,10 OS (typically bootloader, kernel and initramfs measurements)
I suggest using these values: 0,7,5 (the scripts use `sha256:0,5,7`; the list in `setup-tpm.sh` and in `passphrase-from-tpm` must stay identical).
Caveat: leaving out 4 and 8-10 means the policy does not measure the bootloader, kernel or initramfs at all. Any OS booted with the same firmware and Secure Boot state can unseal the key, so make sure that trade-off matches your threat model.
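#!/bin/sh
# initramfs-tools hook: copy the TPM2 unseal tool (and its TCTI library) into
# the initramfs image so passphrase-from-tpm can run before the root fs is
# mounted. This runs when the image is BUILT (update-initramfs), NOT at boot.
#
# `-e` lives here rather than in the shebang so it still applies if the hook
# is ever invoked as `sh <hook>`.
set -e

# initramfs-tools first asks every hook for its prerequisites; we have none.
if [ "$1" = "prereqs" ]; then
    exit 0
fi

. /usr/share/initramfs-tools/hook-functions

# copy_exec also brings in the shared libraries the binary links against.
copy_exec /usr/local/bin/tpm2_unseal
# The device TCTI is copied separately; presumably it is loaded at runtime and
# therefore not picked up as a link-time dependency of tpm2_unseal — confirm.
# NOTE(review): both paths assume a source build into /usr/local; a distro
# package installs under /usr/bin and /usr/lib instead — adjust accordingly.
copy_exec /usr/local/lib/libtss2-tcti-device.so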
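#!/bin/sh
# crypttab keyscript: print the LUKS passphrase on stdout.
# Normal path: unseal it from the TPM (persistent handle 0x81000000, PCR policy
# sha256:0,5,7 — both must match what setup-tpm.sh produced).
# Fallback: prompt the user. cryptsetup exports CRYPTTAB_SOURCE/CRYPTTAB_NAME
# when it runs a keyscript.
set -e
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
# The unseal runs as the `if` condition on purpose: as a plain command, a
# failure (PCR mismatch after a firmware/boot change, missing /dev/tpm0, ...)
# would abort the script under `set -e` before the fallback below is reached.
# NOTE(review): nothing extends a policy PCR after a successful unseal, so the
# key can be unsealed again from the running system by anyone who can open
# /dev/tpm0 (normally root). Extend one of the policy PCRs after the disk is
# open if that matters for your threat model.
if /usr/local/bin/tpm2_unseal --object-context 0x81000000 --auth pcr:sha256:0,5,7; then
    exit 0  # passphrase was written to stdout by tpm2_unseal
fi
echo "TPM unseal failed, falling back to passphrase prompt" >&2
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "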
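#!/bin/bash
# Author: Adrian Robotka <robotka@sch.bme.hu>
# Credits: `man` and https://threat.tevora.com/secure-boot-tpm-2/
#
# Generates a LUKS passphrase, seals it into the TPM under a PCR policy and
# makes the sealed object persistent, so passphrase-from-tpm can unseal it
# at boot. Re-runnable: steps whose output files exist are skipped.
#
# halt on errors
set -e
# Everything written below data/ (the PLAINTEXT passphrase, sealed blobs,
# contexts) must not be readable by other users: create it owner-only
# instead of relying on the caller's umask.
umask 077
#sudo apt install tpm2-tools
##################### CONFIG #####################
# IMPORTANT variable, RTFM
# PCR bank and indices the policy is bound to. Must match the
# `--auth pcr:...` selection hard-coded in passphrase-from-tpm.
PCR_LIST="sha256:0,5,7"
####### Files to store data
BASE="data/"                           # relative to the current directory
PCR_BIN="${BASE}pcrs.bin"              # raw PCR values (tpm2_pcrread)
POLICY="${BASE}policy.digest"          # policy digest computed from PCR_BIN
PRIMARY_CONTEXT="${BASE}primary.ctx"   # primary key in the owner hierarchy
LUKS_PASS="${BASE}luks.pass"           # plaintext passphrase — delete after enrolling it
LUKS_PASS_CHECK="${LUKS_PASS}.check"   # unsealed copy used by the final self-test
LUKS_PASS_PUB="${LUKS_PASS}.pub"       # sealed object, public part
LUKS_PASS_PRIV="${LUKS_PASS}.priv"     # sealed object, private part
LOAD_CONTEXT="${BASE}load.ctx"         # context of the loaded sealed object
mkdir -p -- "$BASE"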
##################### METHODS #####################
# Print a progress banner on stdout; the arguments form the step name.
log() {
    printf '\n################################\n'
    printf 'Progress: %s\n' "$*"
    printf '################################\n'
}
# Write a fresh 64-character alphanumeric passphrase to $LUKS_PASS
# (one line, trailing newline included).
gen_luks_pass() {
    log "Generate a password (for LUKS)"
    tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1 > "$LUKS_PASS"
}
# Snapshot the PCRs in $PCR_LIST into $PCR_BIN. These values become the
# policy, so run this on the exact boot state the key should be bound to.
pcr_read() {
    log "Save our list of PCRs"
    tpm2_pcrread "$PCR_LIST" --output "$PCR_BIN"
}
# Derive the PCR policy digest ($POLICY) from the saved PCR snapshot.
create_policy() {
    log "Create PCR Policy"
    tpm2_createpolicy --policy-pcr \
        --pcr-list "$PCR_LIST" --pcr "$PCR_BIN" \
        --policy "$POLICY"
}
# Create the primary key (owner hierarchy) the sealed object hangs off;
# its context is saved to $PRIMARY_CONTEXT.
create_primary() {
    local hierarchy="o"   # o == TPM_RH_OWNER
    log "Create primary TPM object"
    tpm2_createprimary --hierarchy "$hierarchy" --key-context "$PRIMARY_CONTEXT"
}
# Seal the passphrase file under the primary key, gated by the PCR policy.
# The attribute set has no userwithauth, so only the policy can authorize
# use (adminwithpolicy); fixedtpm/fixedparent keep the object from being
# duplicated to another TPM or parent.
create_child() {
    local attrs="noda|adminwithpolicy|fixedparent|fixedtpm"
    log "Create TPM Object with Secret"
    tpm2_create --parent-context "$PRIMARY_CONTEXT" --policy "$POLICY" \
        --sealing-input "$LUKS_PASS" \
        --public "$LUKS_PASS_PUB" --private "$LUKS_PASS_PRIV" \
        --attributes "$attrs"
}
# Load the sealed object (pub+priv) under the primary; context -> $LOAD_CONTEXT.
load_object() {
    log "Load object into the TPM"
    tpm2_load --parent-context "$PRIMARY_CONTEXT" \
        --public "$LUKS_PASS_PUB" --private "$LUKS_PASS_PRIV" \
        --key-context "$LOAD_CONTEXT"
}
# Make the loaded object persistent so it survives reboot.
# No handle is requested, so the tool/TPM picks one; the self-test below and
# passphrase-from-tpm both assume it lands at 0x81000000.
# NOTE(review): on a TPM that already holds persistent objects that assumption
# can fail — consider passing the handle explicitly (positional argument in
# tpm2-tools 4.x; verify the syntax for your version).
persist_key() {
    log "Make TPM Object Persistant"
    tpm2_evictcontrol --object-context "$LOAD_CONTEXT"
}
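##################### RUN #####################
# Each step is skipped when its output already exists, so the script can be
# re-run after a failure without regenerating (and thereby changing) the key.
[ ! -e "$LUKS_PASS" ] && gen_luks_pass
[ ! -e "$PCR_BIN" ] && pcr_read
[ ! -e "$POLICY" ] && create_policy
[ ! -e "$PRIMARY_CONTEXT" ] && create_primary
[ ! -e "$LUKS_PASS_PUB" ] && create_child
[ ! -e "$LOAD_CONTEXT" ] \
&& load_object && persist_key
log "Check"
# Self-test: unseal via the persistent handle with the live PCRs and compare
# with what was sealed. Both commands are the `if` condition so that a failure
# reaches the diagnostics below; as bare commands they would abort the script
# under `set -e` and the else branch could never run. cmp -s is used instead
# of diff so a mismatch does not print the passphrase to the terminal.
# 0x81000000 must match the handle hard-coded in passphrase-from-tpm.
if tpm2_unseal \
       --auth "pcr:$PCR_LIST" \
       --object-context 0x81000000 \
       --output "$LUKS_PASS_CHECK" \
   && cmp -s -- "$LUKS_PASS_CHECK" "$LUKS_PASS"; then
    echo "Successful TPM key setup"
else
    echo "Something went wrong"
    echo "You can WIPE out your TPM with: tpm2_clear"
    exit 1
fi
log "Profit"
# The passphrase is still on disk in plaintext ($LUKS_PASS and the .check
# copy): enroll it, then delete/shred both files.
# NOTE(review): the file ends with a newline and tpm2_unseal emits it as-is;
# enrolling by passing the file as the new-key-file argument keeps the slot
# byte-identical to what the keyscript will emit — typing the key by hand
# may not. Verify against your cryptsetup version.
echo "Generated LUKS key: $(cat "$LUKS_PASS")"
echo "Run: cryptsetup luksAddKey /dev/sda42"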