From e61e3abb578ec6cda64236abb718c01ac9b183de Mon Sep 17 00:00:00 2001 From: Michael Preisach Date: Tue, 11 Aug 2020 09:48:02 +0200 Subject: [PATCH] updated kernel parameter in manual installation instruction --- README.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index ffa3a7d..4289290 100644 --- a/README.md +++ b/README.md @@ -40,19 +40,20 @@ Furthermore I use the RNG on the TPM for secret generation and use SHA256 and EC All of the below instructions should be executed as root: 1. Install required tools `apt install binutils tpm2-tools` -1. Create a new secret for disk encryption: +2. Create a new secret for disk encryption: `tpm2_getrandom 32 -o /root/secret.bin` -2. Add the key to disk encryption +3. Add the key to disk encryption `cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin` -3. Install the tpm-script to initramfs +4. Install the tpm-script to initramfs `cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/` -4. The entry in /etc/crypttab should look like this: +5. The entry in /etc/crypttab should look like this: `dm_crypt-0 UUID= none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh` -5. Update initramfs +6. Update initramfs `update-initramfs -u -k all` -6. Create the Kernel Command Line -`echo "/vmlinuz-5.4.0-39-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ima_audit=1 ima_policy=appraise_tcb rootflags=i_version" > /boot/kernel-command-line.txt` -6. Create unified Kernel +7. Create the Kernel Command Line +`echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"` + +8. Create unified Kernel ``` mkdir -p /boot/efi/EFI/Linux objcopy \ 
@@ -62,10 +63,10 @@ objcopy \ --add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \ "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi" ``` -7. Create a EFI Boot entry for the new unified kernel +9. Create a EFI Boot entry for the new unified kernel `efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose` -8. Reboot the machine -9. Store the secret key in the TPM and use the now valid PCRs as policy +10. Reboot the machine +11. Store the secret key in the TPM and use the now valid PCRs as policy ``` tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest @@ -76,7 +77,7 @@ tpm2_evictcontrol -C o -c /root/load.context 0x81000000 # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context ``` -10. The next reboot should work without manual disk decryption +12. The next reboot should work without manual disk decryption ## Integrity Measurement Architecture (IMA) References for IMA:
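Review bot: in the new step 7 the `echo` lost the `> /boot/kernel-command-line.txt` redirect that the removed line had, so the command now only prints the kernel command line to the terminal and the file the old step created (presumably the one the objcopy step packs into the unified kernel; that section is not visible in this hunk) is never written or updated; restore it as `echo "..." > /boot/kernel-command-line.txt`. Two smaller points on the same line: `ima_appraise=fix` is the labelling mode in which an appraisal failure updates the file's `security.ima` xattr instead of denying access, so the text should say this is a one-time bootstrap and that the parameter must be switched to `ima_appraise=enforce` (or removed) once the filesystem is labelled, otherwise nothing is enforced; and `ima_audit=1` was dropped without the commit message saying so. Giving `ima_policy=` twice is valid (the kernel combines the built-in `tcb` and `appraise_tcb` policies), but a short remark that this is intentional would stop the next reader from "fixing" it.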
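Review bot: the `--loader` path in step 9, `\EFI\BOOT\Linux\Linux.efi`, does not match where step 8 writes the unified kernel, `/boot/efi/EFI/Linux/Linux.efi`, which is `\EFI\Linux\Linux.efi` relative to the ESP root; with `/boot/efi` mounted as the ESP the new boot entry points at a file that does not exist, so either the objcopy output path or the `--loader` argument needs to change. Style: "Create a EFI Boot entry" should read "Create an EFI boot entry".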
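Review bot: the commented-out verification line `# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin` selects the SHA-1 PCR bank, while the policy in the same block is built with `-l sha256:0,1,2,3,4,5,6,7`; a reader who uncomments the "proof" gets a policy mismatch rather than a successful unseal, so it should be `-p pcr:sha256:0,1,2,3,4,5,6,7`. Since the sealed secret is bound to PCRs 0-7, which include the measurement of the unified kernel image and therefore of the command line changed in this commit, step 12 only holds until the next kernel, initramfs or command-line change; a sentence after step 12 saying that steps 8, 9 and 11 must be repeated after any such change (with a fallback passphrase kept in the LUKS header) would spare the next reader a locked-out boot.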