trustedboot

The utility installs a Disk encryption key in the TPM and unencrypts the disk automatically during boot. The settings for trusted boot differ for the various Linux distros and releases. This version is tested for Ubuntu 20.04 LTS. It requires TPM-Tools 4.x as the parameters completely changed from 3.x

Usage

1. Install Ubuntu 20.04 with Full Disk Encryption.
2. Execute install.sh
3. Reboot the machine, you will still be asked for your encryption passphrase
4. Update the TPM PCR policy with update-luks-tpm.sh
5. During the next reboot the encrypted disk will be opened automatically

Result

• Grub is still installed, but not used (as a fallback)
• The initial key for Disk Encryption is still valid (fallback for updates)
• Initramfs is updated with the script to ask the TPM for the passphrase
• A unified kernel is generated (kernel + command line parms + initramfs) as one large EFI blob
• Therefore during Boot only PCRs 0-7 are written (GRUB uses 8-9)
• IMA is activated and stores hashes for every accessed file. To enforce IMA, the kernel parameter should be set to ima_appraise=enforce. Attention! When IMA file hashes are not available, this option breaks the boot process and ends up in a Kernel panic!

Details / manual installation of Trusted Boot

Ideas taken from

• https://threat.tevora.com/secure-boot-tpm-2/
• https://medium.com/@pawitp/full-disk-encryption-on-arch-linux-backed-by-tpm-2-0-c0892cab9704
• https://medium.com/@pawitp/its-certainly-annoying-that-tpm2-tools-like-to-change-their-command-line-parameters-d5d0f4351206

I used the PCRs 0-7 as policy for unlocking disk encryption. The PCRs 2,3 and 6 have the same hash value and are therefore not used. However these PCRs are included as well (to prevent e.g. Option ROM DMA attacks). Furthermore I use the RNG on the TPM for secret generation and use SHA256 and ECC instead of SHA1 and RSA.

All of the below instructions should be executed as root:

1. Install required tools apt install binutils tpm2-tools
2. Create a new secret for disk encryption: tpm2_getrandom 32 -o /root/secret.bin
3. Add the key to disk encryption cryptsetup luksAddKey /dev/nvme0n1p3 /root/secret.bin
4. Install the tpm-script to initramfs cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/
5. The entry in /etc/crypttab should look like this: dm_crypt-0 UUID=<uuid> none luks,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh
6. Update initramfs update-initramfs -u -k all
7. Create the Kernel Command Line echo "/vmlinuz-5.4.0-39-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ima_audit=1 ima_policy=appraise_tcb rootflags=i_version" > /boot/kernel-command-line.txt
8. Create unified Kernel

mkdir -p /boot/efi/EFI/Linux
objcopy \
  --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="/boot/kernel-command-line.txt" --change-section-vma .cmdline=0x30000 \
  --add-section .linux="/boot/vmlinuz-5.4.0-39-generic" --change-section-vma .linux=0x40000 \
  --add-section .initrd="/boot/initrd.img-5.4.0-39-generic" --change-section-vma .initrd=0x3000000 \
  "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"

7. Create a EFI Boot entry for the new unified kernel efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose
8. Reboot the machine
9. Store the secret key in the TPM and use the now valid PCRs as policy

tpm2_evictcontrol -C o -c 0x81000000 #evict an old passphrase before writing the new one
tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/policy.digest
tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
tpm2_evictcontrol -C o -c /root/load.context 0x81000000
# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked
rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context

10. The next reboot should work without manual disk decryption

Integrity Measurement Architecture (IMA)

References for IMA:

• https://sourceforge.net/p/linux-ima/wiki/Home/
• https://wiki.gentoo.org/wiki/Integrity_Measurement_Architecture
• https://wiki.strongswan.org/projects/strongswan/wiki/IMA

Attention! The above Docs are written for different versions of IMA and the Linux Kernel. Some tools are not available/working on Ubuntu 20.04.

Manual installation

To enable IMA, the Kernel needs the corresponding parameters as follows:

• ima_appraise=
  • off - no files are checked
  • log - just log all measures files in the IMA log.
  • fix - save the file hash of each accessed file to the file attribute 'security.ima' (used)
  • enforce - only files with a valid 'security.ima' file hash can be accessed.
• ima_policy= (more than one policy possible, kernel uses union of all policies)
  • appraise_tcb - appraises all files owned by root (used)
  • tcb - measures all executables run, all memory mapped files for execution (such as shared libraries), all Kernel modules loaded, all firmware loaded, and all files opened for read by root. (used)
  • secure_boot - appraises all loaded modules, firmware, kexec'd Kernel, and IMA policies. It also requires them to have an IMA signature as well. This is normally used with the CONFIG_INTEGRITY_TRUSTED_KEYRING option in the Kernel in "secure boot" scenario, with the public key obtained from the OEM in firmware or via the MOK (Machine Owner Key) in shim.
• ima_hash= (used hash algorithm
  • sha1 (default)
  • sha256
  • sha512
  • ...
• ima_template=
  • ima-ng (used)
    • template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname)
    • filedata_hash=sha256(filedata)
  • ima-sig
    • template_hash=sha1(filedata-hash length, filedata-hash, pathname length, pathname)
    • filedata_hash=sha256(filedata)
    • append signature if present
  • ima
    • template_hash=sha1(filedata-hash, filename-hint)
    • filedata_hash=sha1(filedata)
• rootflags=i_version - files are only measured when they are updated on the file system.

The IMA log is a virtual file in /sys/kernel/security/ima/ascii_runtime_measurements.