
keep primary key persistent for use with ECDAA, moved working files to separate folder

master
Michael Preisach 5 years ago
parent
commit
7c7dc04fbd
  1. 35
      README.md
  2. 8
      create-luks-tpm.sh
  3. 6
      tags
  4. 11
      update-luks-tpm.sh

35
README.md

@ -43,17 +43,19 @@ All of the below instructions should be executed as root:
2. Create a new secret for disk encryption:
`tpm2_getrandom 32 -o /root/secret.bin`
3. Add the key to disk encryption
`cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin`
4. Install the tpm-script to initramfs
`cryptsetup luksAddKey /dev/nvme0n1p3 /root/keys/fde-secret.bin`
4. Create a primary key in the Endorsement Hierarchy
`mkdir -p /root/keys && tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context`
5. Install the tpm-script to initramfs
`cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/`
5. The entry in /etc/crypttab should look like this:
6. The entry in /etc/crypttab should look like this:
`dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh`
6. Update initramfs
7. Update initramfs
`update-initramfs -u -k all`
7. Create the Kernel Command Line
8. Create the Kernel Command Line
`echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"`
8. Create unified Kernel
9. Create unified Kernel
```
mkdir -p /boot/efi/EFI/Linux
objcopy \
@ -63,21 +65,20 @@ objcopy \
--add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \
"/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"
```
9. Create a EFI Boot entry for the new unified kernel
10. Create a EFI Boot entry for the new unified kernel
`efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose`
10. Reboot the machine
11. Store the secret key in the TPM and use the now valid PCRs as policy
11. Reboot the machine
12. Store the secret key in the TPM and use the now valid PCRs as policy
```
tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
tpm2_evictcontrol -C o -c /root/load.context 0x81000000
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin
tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/keys/test.bin #proof that the persistence worked
rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
```
12. The next reboot should work without manual disk decryption
13. The next reboot should work without manual disk decryption
## Integrity Measurement Architecture (IMA)
References for IMA:

8
create-luks-tpm.sh

@ -4,9 +4,11 @@ set -e
CRYPTFS=/dev/nvme0n1p3
echo "creating secret key"
tpm2_getrandom 32 -o /root/secret.bin
chmod 600 /root/secret.bin
cryptsetup luksAddKey $CRYPTFS /root/secret.bin
tpm2_getrandom 32 -o /root/keys/fde-secret.bin
chmod 600 /root/keys/fde-secret.bin
cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin
mkdir -p /root/keys
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
# /usr/sbin/update-luks-tpm.sh #not reqired before reboot
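Review bot: `tpm2_getrandom 32 -o /root/keys/fde-secret.bin` writes into /root/keys three lines before `mkdir -p /root/keys` creates it, so on a fresh host the first run aborts under `set -e` (the header shows `set -e`) before the LUKS key is ever added. Move the mkdir above the getrandom, and since the secret sits at the default umask between creation and the `chmod 600`, give the directory a restrictive mode at the same time: `mkdir -p -m 700 /root/keys` as the first line of this block. A `umask 077` near the top of the script would close the same window for every file it writes, including the context file from `tpm2_createprimary`. The script's head is outside the hunk.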

6
tags

@ -6,9 +6,13 @@
!_TAG_PROGRAM_NAME Universal Ctags /Derived from Exuberant Ctags/
!_TAG_PROGRAM_URL https://ctags.io/ /official site/
!_TAG_PROGRAM_VERSION 0.0.0 /a3c87ab5/
Details / manual installation README.md /^## Details \/ manual installation$/;" s
Details / manual installation of Trusted Boot README.md /^## Details \/ manual installation of Trusted Boot$/;" s
IMA file attributes README.md /^### IMA file attributes$/;" S
Integrity Measurement Architecture (IMA) README.md /^## Integrity Measurement Architecture (IMA)$/;" s
Manual installation README.md /^### Manual installation$/;" S
Prerequisities README.md /^## Prerequisities$/;" s
Result README.md /^## Result$/;" s
Set IMA to enforcing README.md /^### Set IMA to enforcing$/;" S
Syscall logging with auditd README.md /^## Syscall logging with auditd$/;" s
Usage README.md /^## Usage$/;" s
trustedboot README.md /^# trustedboot$/;" c

11
update-luks-tpm.sh

@ -5,10 +5,9 @@ set +e
tpm2_evictcontrol -C o -c 0x81000000
set -e
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
tpm2_evictcontrol -C o -c /root/load.context 0x81000000
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/secret.bin
tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
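Review bot: The new `tpm2_create` line reads the policy from `/root/pcr-policy.digest` and the secret from `/root/keys/secret.bin`, but the `tpm2_createpolicy` line just above it writes `/root/keys/pcr-policy.digest` and create-luks-tpm.sh in this same commit writes `/root/keys/fde-secret.bin`, so the script fails under `set -e` before anything is sealed; the line should end `-L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin`. Dropping `tpm2_createprimary` also makes this script depend on `/root/keys/e-primary.context` still being loadable, and if I recall correctly a saved object context is invalidated by a TPM reset, so after the reboot that create-luks-tpm.sh's trailing comment places before this script the `tpm2_load -C /root/keys/e-primary.context` would fail; for the commit's "persistent" intent to hold the primary would need to be made resident with `tpm2_evictcontrol` and referenced by handle (or simply recreated, since a fixed template in the endorsement hierarchy yields the same key). The commented-out unseal check still names `pcr:sha1:0,1,4,5,7` while the policy is built over `sha256:0,1,2,3,4,5,6,7`, which is worth aligning while this block is being touched. The script's header with `set +e` is outside the hunk.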
