
keep primary key persistent for use with ECDAA, moved working files to separate folder

Michael Preisach 5 years ago
parent
commit
7c7dc04fbd
  1. 35
      README.md
  2. 8
      create-luks-tpm.sh
  3. 6
      tags
  4. 11
      update-luks-tpm.sh

35
README.md

@ -43,17 +43,19 @@ All of the below instructions should be executed as root:
2. Create a new secret for disk encryption: 2. Create a new secret for disk encryption:
`tpm2_getrandom 32 -o /root/secret.bin` `tpm2_getrandom 32 -o /root/secret.bin`
3. Add the key to disk encryption 3. Add the key to disk encryption
`cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin` `cryptsetup luksAddKey /dev/nvme0n1p3 /root/keys/fde-secret.bin`
4. Install the tpm-script to initramfs 4. Create a primary key in the Endorsement Hierarchy
`mkdir -p /root/keys && tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context`
5. Install the tpm-script to initramfs
`cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/` `cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/`
5. The entry in /etc/crypttab should look like this: 6. The entry in /etc/crypttab should look like this:
`dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh` `dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh`
6. Update initramfs 7. Update initramfs
`update-initramfs -u -k all` `update-initramfs -u -k all`
7. Create the Kernel Command Line 8. Create the Kernel Command Line
`echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"` `echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"`
8. Create unified Kernel 9. Create unified Kernel
``` ```
mkdir -p /boot/efi/EFI/Linux mkdir -p /boot/efi/EFI/Linux
objcopy \ objcopy \
@ -63,21 +65,20 @@ objcopy \
--add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \ --add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \
"/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi" "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"
``` ```
9. Create a EFI Boot entry for the new unified kernel 10. Create a EFI Boot entry for the new unified kernel
`efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose` `efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose`
10. Reboot the machine 11. Reboot the machine
11. Store the secret key in the TPM and use the now valid PCRs as policy 12. Store the secret key in the TPM and use the now valid PCRs as policy
``` ```
tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin
tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
tpm2_evictcontrol -C o -c /root/load.context 0x81000000 # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/keys/test.bin #proof that the persistence worked
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
``` ```
12. The next reboot should work without manual disk decryption 13. The next reboot should work without manual disk decryption
## Integrity Measurement Architecture (IMA) ## Integrity Measurement Architecture (IMA)
References for IMA: References for IMA:

8
create-luks-tpm.sh

@ -4,9 +4,11 @@ set -e
CRYPTFS=/dev/nvme0n1p3 CRYPTFS=/dev/nvme0n1p3
echo "creating secret key" echo "creating secret key"
tpm2_getrandom 32 -o /root/secret.bin tpm2_getrandom 32 -o /root/keys/fde-secret.bin
chmod 600 /root/secret.bin chmod 600 /root/keys/fde-secret.bin
cryptsetup luksAddKey $CRYPTFS /root/secret.bin cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin
mkdir -p /root/keys
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
# /usr/sbin/update-luks-tpm.sh #not reqired before reboot # /usr/sbin/update-luks-tpm.sh #not reqired before reboot
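Review bot: The new `mkdir -p /root/keys` line is placed after `tpm2_getrandom 32 -o /root/keys/fde-secret.bin`, so on a machine where /root/keys does not exist yet the first write fails and, under the script's `set -e`, the run aborts before the key is ever added to LUKS. Move the mkdir above the getrandom call, and since the file is the disk-encryption secret, create it under a restrictive umask instead of relying on the later chmod to close the window: `umask 077` then `mkdir -p /root/keys` immediately before `tpm2_getrandom 32 -o /root/keys/fde-secret.bin`. The existing `chmod 600` line can stay as a second guard. The shebang and `set -e` at the top of the script are outside the hunk.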

6
tags

@ -6,9 +6,13 @@
!_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/ !_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/
!_TAG_PROGRAM_URL https://ctags.io/ /official site/ !_TAG_PROGRAM_URL https://ctags.io/ /official site/
!_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/ !_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/
Details / manual installation README.md /^## Details \/ manual installation$/;" s Details / manual installation of Trusted Boot README.md /^## Details \/ manual installation of Trusted Boot$/;" s
IMA file attributes README.md /^### IMA file attributes$/;" S
Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s
Manual installation README.md /^### Manual installation$/;" S Manual installation README.md /^### Manual installation$/;" S
Prerequisities README.md /^## Prerequisities$/;" s
Result README.md /^## Result$/;" s Result README.md /^## Result$/;" s
Set IMA to enforcing README.md /^### Set IMA to enforcing$/;" S
Syscall logging with auditd README.md /^## Syscall logging with auditd$/;" s
Usage README.md /^## Usage$/;" s Usage README.md /^## Usage$/;" s
trustedboot README.md /^# trustedboot$/;" c trustedboot README.md /^# trustedboot$/;" c

11
update-luks-tpm.sh

@ -5,10 +5,9 @@ set +e
tpm2_evictcontrol -C o -c 0x81000000 tpm2_evictcontrol -C o -c 0x81000000
set -e set -e
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/secret.bin
tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
tpm2_evictcontrol -C o -c /root/load.context 0x81000000
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
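Review bot: The rewritten tpm2_create line passes `-L /root/pcr-policy.digest` and `-i /root/keys/secret.bin`, but the policy is written to `/root/keys/pcr-policy.digest` two lines above and create-luks-tpm.sh writes the secret to `/root/keys/fde-secret.bin`, so tpm2_create fails on a missing file; because the old sealed object at 0x81000000 was already evicted under `set +e`, a failed run leaves no sealed key at all and the next boot falls back to the manual passphrase. The line should read `-L /root/keys/pcr-policy.digest ... -i /root/keys/fde-secret.bin` (rest unchanged), and it would be safer to evict the old object only after the new one has been created and loaded. Separately, /root/keys/e-primary.context is a saved transient-object context produced in create-luks-tpm.sh before the reboot; as far as I recall a TPM Reset invalidates saved contexts, so loading it here after the reboot is likely to fail — persisting the primary with tpm2_evictcontrol to an endorsement-range handle, or just re-running tpm2_createprimary (the same template in the endorsement hierarchy should derive the same key), looks more robust. The commented unseal check on the line above still references /root/test.bin and a sha1 PCR bank while the policy is built over sha256.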
