
Better explained guide

Open rLoka opened this issue 5 years ago • 4 comments

Hey there! First of all, thanks for all the work you have put into this!

So, this is not really an issue, but could you explain (maybe in the form of a wiki or an additional MD) how I would use this in a typical case where an automated FDE unlock setup is required?

The thing is, I am searching for a method to auto-unlock FDE using TPM2 on Ubuntu 16.04/18.04, and I have already tried Clevis, but it did not work properly for me, and I am sort of a novice in this area.

Thanks for understanding and any help is much appreciated!

rLoka, Feb 25 '20 09:02

@rLoka I think a better guide would be great. The issue is that the process of full disk encryption and unlock involves many components, and there is no one-size-fits-all solution. It will vary considerably based on your hardware, distribution, and threat model. The full process is outside the scope of this tool.

However, I think it would be a good idea to collect examples in wiki pages here, to give users an idea of where to start. For instance, I do not have experience setting up FDE in Ubuntu, but I could post a write-up of the process I use in Arch.

electrickite, Feb 25 '20 16:02

Some areas that need improvement I can think of are:

Before storing sealed key files on disk, you must create a parent encryption key on the TPM. In this example, we create a primary RSA key in the owner hierarchy and make it persistent at handle 0x81000001:

$ tpm2_createprimary -c primary.ctx
$ tpm2_evictcontrol -c primary.ctx 0x81000001

We see 0x81000001 appear out of nowhere; the first question would be: why 0x81000001? Maybe there should be some way to list those persistent handles before we proceed? Earlier there was a command tpm2_listpersistent; now it's non-existent.

Moving on to the next point, which can be an obstacle: sha256 is used by default now, but what if tpm2_pcrread lists only sha1 entries, and the sha256 ones are just empty? How do you switch over to sha256 then? It's not like this project's README should explain these matters, but I just mean that such questions are likely to appear when setting this tool up for the first time.

Oh, and BTW: please adopt Arch's change of Type = File to Type = Path in luks-tpm2.hook, along with changing boot/vmlinuz-* to usr/lib/modules/*/vmlinuz.

Cheers!

openmindead, Feb 29 '20 08:02
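The two questions raised above (which persistent handle to pick, and which PCR bank is actually allocated) can be answered from tpm2_getcap before the README's two commands are run. The script below is an added example and is not part of luks-tpm2 or its README: it parses the output of `tpm2_getcap handles-persistent` and `tpm2_getcap pcrs` (assumed to be in the tpm2-tools 4.x/5.x YAML-style format shown in the constructed samples), picks the first free handle in the owner-hierarchy persistent range starting at 0x81000001 (which is all the README's choice of that number amounts to), and falls back to sha1 with a hint about tpm2_pcrallocate when the sha256 bank is empty. The helper functions, sample listings and the PCR selection 0,2,4,7 are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of luks-tpm2: answer "which persistent handle?" and
# "which PCR bank?" before running the README's tpm2_createprimary /
# tpm2_evictcontrol pair. The parsing helpers work on captured tpm2-tools
# (4.x/5.x) output so they can be exercised without a TPM; the final step
# only prints the commands it would run, so they can be reviewed first.

# Constructed sample of `tpm2_getcap handles-persistent` output
# (one "- 0x8100XXXX" line per persistent object; 0x81000001 is already taken).
SAMPLE_PERSISTENT='- 0x81000001
- 0x81010001'

# Constructed sample of `tpm2_getcap pcrs` output on firmware that only
# allocated the SHA-1 bank, the situation described in the comment above.
SAMPLE_PCRS='selected-pcrs:
  - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha256: [ ]'

# next_free_handle LISTING [START]: print the first handle >= START (default
# 0x81000001, the owner-hierarchy persistent range) not present in LISTING.
next_free_handle() {
    listing=$1
    h=$(( ${2:-0x81000001} ))
    while [ "$h" -le $(( 0x81ffffff )) ]; do       # 0x81ffffff ends the range
        cand=$(printf '0x%08x' "$h")
        if ! printf '%s\n' "$listing" | grep -qiF -- "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
        h=$(( h + 1 ))
    done
    return 1                                         # range exhausted
}

# bank_is_active PCRS_LISTING ALG: succeed if bank ALG has at least one PCR
# allocated. Only digits inside the brackets count ("sha256" itself contains
# digits, so a naive grep on the whole line would always match).
bank_is_active() {
    printf '%s\n' "$1" \
        | sed -n "s/^ *- *$2: *\[\(.*\)\].*/\1/p" \
        | grep -Eq '[0-9]'
}

# pick_bank PCRS_LISTING: print the bank to seal against. Prefer sha256; fall
# back to sha1 with a hint on stderr, because a new tpm2_pcrallocate
# allocation only takes effect after a reboot.
pick_bank() {
    if bank_is_active "$1" sha256; then
        echo sha256
    elif bank_is_active "$1" sha1; then
        echo 'sha256 bank is empty; to enable it: tpm2_pcrallocate sha1:none+sha256:all, then reboot' >&2
        echo sha1
    else
        return 1
    fi
}

# plan HANDLE BANK: the README's two commands plus a PCR read, with the chosen
# values filled in. Printed rather than executed so the operator can review
# them before creating a persistent object on the real TPM.
plan() {
    printf 'tpm2_createprimary -c primary.ctx\n'
    printf 'tpm2_evictcontrol -c primary.ctx %s\n' "$1"
    printf 'tpm2_pcrread %s:0,2,4,7\n' "$2"
}

if command -v tpm2_getcap >/dev/null 2>&1 && tpm2_getcap properties-fixed >/dev/null 2>&1; then
    persistent=$(tpm2_getcap handles-persistent)
    pcrs=$(tpm2_getcap pcrs)
else
    echo '# no TPM reachable; using the constructed sample output above' >&2
    persistent=$SAMPLE_PERSISTENT
    pcrs=$SAMPLE_PCRS
fi
handle=$(next_free_handle "$persistent") || { echo 'no free persistent handle' >&2; exit 1; }
bank=$(pick_bank "$pcrs")               || { echo 'no PCR bank allocated' >&2; exit 1; }
plan "$handle" "$bank"
```

On a machine with a TPM the script prints the three commands with the first free handle and the usable bank substituted; on the sample data it prints 0x81000002 and sha1. Sealing against sha1 PCRs is only a stopgap: after `tpm2_pcrallocate sha1:none+sha256:all` and a reboot, `tpm2_getcap pcrs` will show the sha256 bank populated and the sealed key must be re-created against it, since the PCR values (and therefore the policy) change with the bank.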

I would argue that such basic info should not be in the guide, but rather in the TPM 2.0 library specification or somewhere else. Maybe a link to the specification is sufficient, or a soon-to-be Arch wiki page? :)

There is always Clevis, which does it all for you. Just remember dracut instead of mkinitcpio. (Or create a hook that does it with mkinitcpio.)

I didn't have any issues following the guide, but I was struggling to understand what to do next. Luckily a bit of googling got me to the mkinitcpio-tpm2-encrypt repo and everything clicked (some issues there as well, but not related to this project). So maybe a section in the README with links to next steps would help?

v3rm0n, Jan 04 '21 18:01