Integration with a TPM
Hi There,
I successfully managed to encrypt the root partition (Raspberry Pi 4B) using your script https://github.com/gitbls/sdm/blob/master/Docs/Disk-Encryption.md.
sudo sdm-cryptconfig --crypto xchacha
I'd like to use LetsTrust TPM to securely store the decryption key so that the root partition would auto decrypt/mount on boot (no need to manually enter password).
https://thepihut.com/products/letstrust-tpm-for-raspberry-pi?srsltid=AfmBOorMdJljiZzFQb3_5Vs4V3cKBwqbeUDvbIbudr7b5chUJCCtwSd-
I've tried to get it working, but the boot either continues to ask for a password or shows the initramfs prompt (if I have used update-initramfs as per step 7). I had successfully used the TPM to auto-decrypt an encrypted file on /root, so it should be along these lines (after root has already been encrypted using sdm):

1. Enable the TPM in `/boot/firmware/config.txt`:
   `dtoverlay=tpm-slb9670`
2. Install the TPM packages:
   `sudo apt --yes install libtss2-* tpm-udev tpm2-abrmd tpm2-tools`
   `sudo usermod --append --groups tss $(whoami)`
   `sudo reboot`
3. Reboot:
   `sudo reboot`
4. Test the TPM:
   `tpm2 getcap properties-fixed`
5. Enroll the disk with the TPM:
   `sudo systemd-cryptenroll --tpm2-device=auto /dev/mmcblk0p2`
6. Update `/etc/crypttab`:
   `cryptroot /dev/mmcblk0p2 none tpm2-device=auto,discard`
7. Update the initramfs:
   `sudo update-initramfs -u`

Maybe I need to include some TPM modules in /etc/initramfs-tools/modules?
So I'm wondering:
- Any suggestions / ideas on how to debug / resolve this?
- Could support be integrated into your scripts?
Any help much appreciated
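A pre-flight check for the steps above, as an added example that is not part of this issue or of sdm: it parses constructed `cryptsetup luksDump`, `/etc/crypttab` and `lsinitramfs` output to confirm that the TPM2 enrollment, the crypttab entry and the initramfs contents line up before rebooting. The module and binary it requires (`tpm_tis_spi` for the SPI-attached SLB9670, `systemd-cryptsetup` to honour `tpm2-device=`) are assumptions, not facts taken from the thread.

```python
import re

# Constructed sample inputs (not captured from a real Pi); layouts mirror
# `cryptsetup luksDump`, /etc/crypttab and `lsinitramfs` output.
LUKS_DUMP = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        tpm2-pcrs:  7
        Keyslot:    1
Digests:
  0: pbkdf2
"""
CRYPTTAB = "cryptroot /dev/mmcblk0p2 none tpm2-device=auto,discard\n"
INITRAMFS = """\
usr/lib/modules/6.6.31/kernel/drivers/char/tpm/tpm.ko.xz
usr/lib/modules/6.6.31/kernel/drivers/char/tpm/tpm_tis_core.ko.xz
usr/sbin/cryptsetup
"""
# Assumed requirements: SPI TIS driver for the SLB9670, and systemd's
# cryptsetup helper, since initramfs-tools' own script ignores tpm2-device=.
REQUIRED_MODULES = ("tpm_tis_spi",)
REQUIRED_BINARY = "systemd-cryptsetup"

def luks_tpm2_keyslots(dump: str) -> list[int]:
    """Keyslots bound to systemd-tpm2 tokens in a luksDump listing."""
    slots, in_tpm2 = [], False
    for line in dump.splitlines():
        m = re.match(r"\s*\d+: (\S+)", line)      # "0: luks2", "0: systemd-tpm2"
        if m:
            in_tpm2 = m.group(1) == "systemd-tpm2"
        elif in_tpm2 and line.strip().startswith("Keyslot:"):
            slots.append(int(line.split(":")[1]))
    return slots

def crypttab_options(crypttab: str, name: str) -> dict:
    """Option field of the crypttab entry `name` as a dict (flags map to '')."""
    for line in crypttab.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == name:
            return dict(o.partition("=")[::2] for o in fields[3].split(","))
    return {}

def initramfs_findings(listing: str) -> list[str]:
    """Report TPM pieces missing from an lsinitramfs listing."""
    stems = {re.sub(r"\.ko(\.\w+)?$", "", p.rsplit("/", 1)[-1]) for p in listing.split()}
    found = [f"missing kernel module {m}" for m in REQUIRED_MODULES if m not in stems]
    if REQUIRED_BINARY not in stems:
        found.append(f"missing {REQUIRED_BINARY}: tpm2-device= cannot be honoured")
    return found

def preflight(dump: str, crypttab: str, listing: str, name: str = "cryptroot") -> list[str]:
    findings = []
    if not luks_tpm2_keyslots(dump):
        findings.append("no systemd-tpm2 token in LUKS header: run systemd-cryptenroll")
    if "tpm2-device" not in crypttab_options(crypttab, name):
        findings.append(f"{name} in crypttab has no tpm2-device= option")
    return findings + initramfs_findings(listing)
```

Run it against the real outputs (`sudo cryptsetup luksDump /dev/mmcblk0p2`, `/etc/crypttab`, `lsinitramfs /boot/initrd.img`) and an empty findings list means the enrollment side is at least consistent.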
Ah, looks like it is related to this issue: https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1980018
Apparently works fine for non-root filesystems.
I've not looked at systemd-cryptenroll and friends, so not surprising that using systemd-cryptenroll doesn't work. It's really complex and touchy stuff, and it's a total PITA to debug. I actually acquired a Yubikey with the intent of adding support for it, but haven't had the inspiration to go back in there and subject myself to even more PITA.
If you're not good at intuiting WTF just happened, your chances of success decrease greatly.
I read through the launchpad bug report, and there still appear to be some significant issues in using the TPM with rootfs. The comment that stuck out to me:
"Be sure you understand the impact of the initrd not being measured before you deploy this solution on valuable data! My explanation is that it means anyone who can write to your /boot directory can replace your initrd with a modified/compromised version and then access unencrypted files without any password."
From my perspective that says "You might be able to make it work, but it's not really much more secure than using a USB keydisk so why bother?"