
feat: check tpm unlocking signatures are valid on upgrade

Open Itxaka opened this issue 2 months ago • 1 comments

Part 2 of https://github.com/kairos-io/kairos/issues/2200

While we now should be checking the EFI signature to confirm it can boot, we are not checking if the measurements of the EFI file are able to unlock the encrypted parts.

We should try to add this as it could lead to confusing errors in which you upgrade and boot, but then you can't unlock the partitions so you cannot log in (and apparently the system booted just fine).

The idea would be:

  • extract the .pcrsign section of the EFI file as text
  • use that to try and unlock the partition

problems:

  • if partitions are unlocked, can we check if the key is valid?
    • check systemd-cryptattach to see if it's possible
    • check cryptsetup luksAddKey as that first tries to unlock?

Itxaka avatar May 28 '24 08:05 Itxaka
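
The first step of the idea above (pulling a named section out of the EFI file as text), as an added example that is not part of the issue or of Kairos code. The sample image is constructed inline, and the section name is a parameter: the example uses the name as written in the issue, while systemd's UKI tooling names the signature section `.pcrsig`.

```python
import struct


def read_pe_section(image: bytes, name: str) -> bytes:
    """Return the contents of the named section of a PE/EFI image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header: machine, section count, 12 bytes skipped,
    # optional-header size, characteristics.
    _, nsect, opt_size, _ = struct.unpack_from("<HH12xHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(nsect):
        raw_name, vsize, _, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        if raw_name.rstrip(b"\0").decode("ascii", "replace") != name:
            continue
        # Raw data is padded to the file alignment; VirtualSize is the
        # real length when it is set and smaller.
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_off + size > len(image):
            raise ValueError(f"section {name} runs past end of file")
        return image[raw_off:raw_off + size]
    raise KeyError(f"section {name} not found")


def build_sample_image(name: str, payload: bytes) -> bytes:
    """Constructed PE-shaped blob with a single section (sample input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)  # no optional header
    raw_off = 64 + 4 + 20 + 40                                # headers end here
    raw = payload + b"\0" * (-len(payload) % 512)             # file-alignment pad
    sect = struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0x1000,
                       len(raw), raw_off, 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + coff + sect + raw


if __name__ == "__main__":
    sample = build_sample_image(".pcrsign", b"constructed signature text")
    print(read_pe_section(sample, ".pcrsign").decode())
```

A missing section raises `KeyError` and a malformed or truncated image raises `ValueError`, so an upgrade check can tell the two cases apart before attempting any unlock.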