|
|
@ -40,19 +40,20 @@ Furthermore I use the RNG on the TPM for secret generation and use SHA256 and EC |
|
|
All of the below instructions should be executed as root: |
|
|
All of the below instructions should be executed as root: |
|
|
1. Install required tools |
|
|
1. Install required tools |
|
|
`apt install binutils tpm2-tools` |
|
|
`apt install binutils tpm2-tools` |
|
|
1. Create a new secret for disk encryption: |
|
|
2. Create a new secret for disk encryption: |
|
|
`tpm2_getrandom 32 -o /root/secret.bin` |
|
|
`tpm2_getrandom 32 -o /root/secret.bin` |
|
|
2. Add the key to disk encryption |
|
|
3. Add the key to disk encryption |
|
|
`cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin` |
|
|
`cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin` |
|
|
3. Install the tpm-script to initramfs |
|
|
4. Install the tpm-script to initramfs |
|
|
`cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/` |
|
|
`cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/` |
|
|
4. The entry in /etc/crypttab should look like this: |
|
|
5. The entry in /etc/crypttab should look like this: |
|
|
`dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh` |
|
|
`dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh` |
|
|
5. Update initramfs |
|
|
6. Update initramfs |
|
|
`update-initramfs -u -k all` |
|
|
`update-initramfs -u -k all` |
|
|
6. Create the Kernel Command Line |
|
|
7. Create the Kernel Command Line |
|
|
`echo "/vmlinuz-5.4.0-39-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ima_audit=1 ima_policy=appraise_tcb rootflags=i_version" > /boot/kernel-command-line.txt` |
|
|
`echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ima_policy=appraise_tcb ima_policy=tcb ima_hash=sha256 root=/dev/mapper/ubuntu--vg-ubuntu--lv ro rootflags=i_version"` |
|
|
6. Create unified Kernel |
|
|
|
|
|
|
|
|
8. Create unified Kernel |
|
|
``` |
|
|
``` |
|
|
mkdir -p /boot/efi/EFI/Linux |
|
|
mkdir -p /boot/efi/EFI/Linux |
|
|
objcopy \ |
|
|
objcopy \ |
|
|
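Review bot: the rewritten step 7 command (`echo "/vmlinuz-5.4.0-39-generic ima_appraise=fix ..."`) drops the `> /boot/kernel-command-line.txt` redirect that the old line had, so it now only prints to the terminal and the command-line file the unified kernel build is expected to embed is never written; restore the redirect. Separately, the new line bakes `ima_appraise=fix` into the permanent command line: in fix mode IMA permits files with missing or invalid hashes and (re)writes their `security.ima` labels instead of denying access, so `ima_policy=appraise_tcb` enforces nothing while this kernel is booted. If this is meant as a one-time labelling pass, say so in the README and describe the follow-up build without `ima_appraise=fix` (the default is enforce); that rebuild changes the unified image and therefore PCR 4, so the sealing in step 11 has to be repeated afterwards. Minor: step 1 installs only binutils and tpm2-tools, but steps 3, 8 and 9 also rely on cryptsetup, the systemd EFI stub and efibootmgr.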
@ -62,10 +63,10 @@ objcopy \ |
|
|
--add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \ |
|
|
--add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \ |
|
|
"/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi" |
|
|
"/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi" |
|
|
``` |
|
|
``` |
|
|
7. Create a EFI Boot entry for the new unified kernel |
|
|
9. Create a EFI Boot entry for the new unified kernel |
|
|
`efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose` |
|
|
`efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose` |
|
|
8. Reboot the machine |
|
|
10. Reboot the machine |
|
|
9. Store the secret key in the TPM and use the now valid PCRs as policy |
|
|
11. Store the secret key in the TPM and use the now valid PCRs as policy |
|
|
``` |
|
|
``` |
|
|
tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one |
|
|
tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one |
|
|
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest |
|
|
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest |
|
|
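Review bot: the efibootmgr line in step 9 points the boot entry at `\EFI\BOOT\Linux\Linux.efi`, but step 8 writes the unified image to `/boot/efi/EFI/Linux/Linux.efi`, which is `\EFI\Linux\Linux.efi` on the ESP; one of the two paths must change or the new entry will not load. It would also help to add a check between steps 10 and 11 that the machine really booted the unified entry (for example by looking at `BootCurrent` in the `efibootmgr` output), because step 11 seals the key to whatever PCR 0-7 values the boot that actually happened produced, and sealing after a fallback boot through the old loader would bind the key to the wrong measurements.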
@ -76,7 +77,7 @@ tpm2_evictcontrol -C o -c /root/load.context 0x81000000 |
|
|
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked |
|
|
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked |
|
|
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context |
|
|
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context |
|
|
``` |
|
|
``` |
|
|
10. The next reboot should work without manual disk decryption |
|
|
12. The next reboot should work without manual disk decryption |
|
|
|
|
|
|
|
|
## Integrity Measurement Architecture (IMA) |
|
|
## Integrity Measurement Architecture (IMA) |
|
|
References for IMA: |
|
|
References for IMA: |
|
|
|
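Review bot: the commented-out verification on the `tpm2_unseal` line uses `-p pcr:sha1:0,1,2,3,4,5,6,7`, while the policy it is supposed to prove was created in step 11 with `-l sha256:0,1,2,3,4,5,6,7`; the policy digest computed over the SHA-1 bank will not match, so the unseal fails with a policy error. Change it to `pcr:sha256:0,1,2,3,4,5,6,7`, and if the test is kept, delete `/root/test.bin` afterwards, since it holds the plaintext key. The `rm -f` cleanup line also leaves `/root/secret.bin` from step 2 in place, which is the raw LUKS key material; add it to the cleanup (with `shred -u` rather than `rm`) once the sealed copy has been confirmed to unseal.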