diff --git a/README.md b/README.md
index 4289290..7b1a129 100644
--- a/README.md
+++ b/README.md
@@ -43,17 +43,19 @@ All of the below instructions should be executed as root:
 2. Create a new secret for disk encryption:
 `tpm2_getrandom 32 -o /root/secret.bin`
 3. Add the key to disk encryption
-`cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin`
-4. Install the tpm-script to initramfs
+`cryptsetup luksAddKey /dev/nvme0n1p3 /root/keys/fde-secret.bin`
+4. Create a primary key in the Endorsement Hierarchy
+`mkdir -p /root/keys && tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context`
+5. Install the tpm-script to initramfs
 `cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/`
-5. The entry in /etc/crypttab should look like this:
+6. The entry in /etc/crypttab should look like this:
 `dm_crypt-0 UUID= none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh`
-6. Update initramfs
+7. Update initramfs
 `update-initramfs -u -k all`
-7. Create the Kernel Command Line
+8. Create the Kernel Command Line
 `echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"`
-8. Create unified Kernel
+9. Create unified Kernel
 ```
 mkdir -p /boot/efi/EFI/Linux
 objcopy \
@@ -63,21 +65,20 @@ objcopy \
 --add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \
 "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"
 ```
-9. Create a EFI Boot entry for the new unified kernel
+10. Create a EFI Boot entry for the new unified kernel
 `efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose`
-10. Reboot the machine
-11. Store the secret key in the TPM and use the now valid PCRs as policy
+11. Reboot the machine
+12. Store the secret key in the TPM and use the now valid PCRs as policy
 ```
 tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one
-tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
-tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
-tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
-tpm2_evictcontrol -C o -c /root/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked
-rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
+tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
+tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin
+tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
+tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/keys/test.bin #proof that the persistence worked
+rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
 ```
-12. The next reboot should work without manual disk decryption
+13. The next reboot should work without manual disk decryption
 ## Integrity Measurement Architecture (IMA)
 References for IMA:
@@ -146,4 +147,4 @@ auditd is able to log every single syscall of a process.
 4. find all accessed files with
 ```
 grep -Eo "=/[[:graph:]/]*" /path/to/auditlog | grep -Eo "/[[:graph:]/]*" | sort | uniq > /path/to/fileaccesslog
-```
\ No newline at end of file
+```
diff --git a/create-luks-tpm.sh b/create-luks-tpm.sh
index 535bc1f..4507fc9 100755
--- a/create-luks-tpm.sh
+++ b/create-luks-tpm.sh
@@ -4,9 +4,11 @@ set -e
 CRYPTFS=/dev/nvme0n1p3
 echo "creating secret key"
-tpm2_getrandom 32 -o /root/secret.bin
-chmod 600 /root/secret.bin
-cryptsetup luksAddKey $CRYPTFS /root/secret.bin
+tpm2_getrandom 32 -o /root/keys/fde-secret.bin
+chmod 600 /root/keys/fde-secret.bin
+cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin
+mkdir -p /root/keys
+tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
 # /usr/sbin/update-luks-tpm.sh #not reqired before reboot
diff --git a/tags b/tags
index bca2292..54b23e6 100644
--- a/tags
+++ b/tags
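Review bot: In create-luks-tpm.sh the new `mkdir -p /root/keys` runs only after `tpm2_getrandom 32 -o /root/keys/fde-secret.bin`, `chmod` and `cryptsetup luksAddKey` have already used that directory, so on a host where /root/keys does not exist yet the first write fails and `set -e` aborts before the key is enrolled. Move the directory creation to the top of this sequence with restrictive permissions, `mkdir -p -m 700 /root/keys` as the line before `tpm2_getrandom`, and consider `umask 077` ahead of it so the secret is never created wider than the later `chmod 600` grants. While touching the `cryptsetup luksAddKey` line, quoting `"$CRYPTFS"` keeps ShellCheck clean. The README's new step 4 has the same ordering problem (its `mkdir -p /root/keys` comes after step 3 has written into it) and its step 2 still writes `/root/secret.bin` while step 3 adds `/root/keys/fde-secret.bin`. The rest of the script lies outside the hunk.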
@@ -6,9 +6,13 @@
 !_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/
 !_TAG_PROGRAM_URL https://ctags.io/ /official site/
 !_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/
-Details / manual installation README.md /^## Details \/ manual installation$/;" s
+Details / manual installation of Trusted Boot README.md /^## Details \/ manual installation of Trusted Boot$/;" s
+IMA file attributes README.md /^### IMA file attributes$/;" S
 Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s
 Manual installation README.md /^### Manual installation$/;" S
+Prerequisities README.md /^## Prerequisities$/;" s
 Result README.md /^## Result$/;" s
+Set IMA to enforcing README.md /^### Set IMA to enforcing$/;" S
+Syscall logging with auditd README.md /^## Syscall logging with auditd$/;" s
 Usage README.md /^## Usage$/;" s
 trustedboot README.md /^# trustedboot$/;" c
diff --git a/update-luks-tpm.sh b/update-luks-tpm.sh
index b789ab2..59e9237 100755
--- a/update-luks-tpm.sh
+++ b/update-luks-tpm.sh
@@ -5,10 +5,9 @@ set +e
 tpm2_evictcontrol -C o -c 0x81000000
 set -e
-tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
-tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
-tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
-tpm2_evictcontrol -C o -c /root/load.context 0x81000000
+tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
+tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/secret.bin
+tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
+tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
 # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
-rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
+rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
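Review bot: The new `tpm2_create` line reads the policy from `-L /root/pcr-policy.digest` although the preceding `tpm2_createpolicy` wrote it to `/root/keys/pcr-policy.digest` (the path the final `rm -f` also expects), and it seals `-i /root/keys/secret.bin` while create-luks-tpm.sh in this same commit writes `/root/keys/fde-secret.bin`; neither file exists, so the call fails under `set -e` and, because the persistent object at 0x81000000 was already evicted a few lines above, the machine is left with no TPM-sealed LUKS key. Change the two options to `-L /root/keys/pcr-policy.digest` and `-i /root/keys/fde-secret.bin`. Since the eviction now runs before the replacement exists, consider moving the `set +e` / `tpm2_evictcontrol -C o -c 0x81000000` / `set -e` lines to just before the persisting `tpm2_evictcontrol`, so a failed create or load keeps the previous sealed key usable. I would also not rely on `/root/keys/e-primary.context` surviving reboots: as far as I recall, saved object contexts are invalidated by a TPM reset, and the removed `tpm2_createprimary` line (same template, hence the same primary) was cheap to keep here.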