
Improvements to initrd hooks

Open knghtbrd opened this issue 2 years ago • 0 comments

I think your initramfs hooks could be improved a bit—almost to the point of being able to just package this as a .deb and drop it into place on a system. I say almost because I don't know that tpm and tpm_tis are sufficient as kernel modules go to make sure TPM 1.2 devices are loaded and ready in the initramfs. On both my modern desktop (Ryzen 3700X) and my vintage soon-to-be file server (Ivy Bridge 🤣 surplus Whack-a-Dell mini thing connected to an eSATA enclosure), TPM devices already exist in /dev and the modules are loaded by systemd once it starts.

First, without doing anything:

root@rem:~# lsinitramfs /boot/initrd.img-5.10.0-19-amd64 | grep 'etc/\(passwd\|group\)'
etc/passwd
root@rem:~# lsinitramfs /boot/initrd.img-5.10.0-19-amd64 | grep '\(tcsd\|tpm\)'
root@rem:~# 

Okay, so nothing TPM-related is getting into the initramfs, which means it's all being done by systemd after the fact. But /etc/passwd is getting created in the initrd for some purpose. Created or copied, I could figure that out, but I don't think I need to, since the remedy would be the same regardless. In tpm-hook, I see:

#create etc/passwd
groupid=`id -G tss`
userid=`id -u tss`
echo "root:x:0:0:root:/root:/bin/bash" >  ${DESTDIR}/etc/passwd
echo "tss:x:$userid:$groupid::/var/lib/tpm:/bin/false" >> ${DESTDIR}/etc/passwd

#create etc/hosts
echo "127.0.0.1 localhost\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n" > ${DESTDIR}/etc/hosts

#create etc/group
echo "root:x:0:" > ${DESTDIR}/etc/group
echo "tss:x:$groupid:" >>  ${DESTDIR}/etc/group

Seems like it makes more sense to do something like…

#create etc/passwd entries (make sure the target directory exists first)
mkdir -p "${DESTDIR}/etc"
for user in root tss; do
    if ! grep -q "^${user}:" "${DESTDIR}/etc/passwd" 2>/dev/null; then
        grep "^${user}:" /etc/passwd >> "${DESTDIR}/etc/passwd"
    fi
done

#create etc/hosts if not present
if [ ! -e "${DESTDIR}/etc/hosts" ]; then
    copy_file hostfile /etc/hosts
fi

#create etc/group entries (check the group file, not passwd, for existing entries)
for group in root tss; do
    if ! grep -q "^${group}:" "${DESTDIR}/etc/group" 2>/dev/null; then
        grep "^${group}:" /etc/group >> "${DESTDIR}/etc/group"
    fi
done

That seems like it creates all three files if need be.

I started looking into this following a read through Glen Tomkowiak's page for how to set up an old machine's TPM (1.2) to store an unlock key, but his old guide does not describe adding this stuff to an initramfs. When someone asked him about a completely secure boot environment, he recommended this guide. He has a couple of things there you might want to incorporate into this guide. He uses /dev/shm/tmp_tpm.key for the key output, specifies -s 32 for the 32 character pwgen output he uses as an unlock key, zeroes the /dev/shm file out before deleting it to ensure the key doesn't linger in RAM once used, that sort of thing. Useful updates to this guide, I think.

My use of this is that I'm moving four HDs containing an encrypted LVM RAID media vault from my desktop (decrypt_keyctl on boot for all drives) to a dedicated media server. Nobody cares about my music/video/book collection, I could've decrypted the whole thing by now from backup. But this FDE/SecureBoot stuff is poorly understood by most, not well-integrated into Debian at this time, and worth learning about. It just so happens the machine I've got to play with uses TPM 1.2 because it's an Ivy Bridge (🤣) so I can't just throw clevis at it.

knghtbrd Nov 07 '22 07:11
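A complete initramfs-tools hook built on the approach proposed in the issue, as an added example that is not code from linux-luks-tpm-boot or from the issue author. It copies only the root and tss entries from the host's passwd and group databases into the initramfs, copies /etc/hosts when absent, and is safe to run twice (no duplicated entries). The source-file parameters of populate_etc, the helper names, and the guard that only sources hook-functions when run under update-initramfs are assumptions made so the functions can be exercised against constructed files; the module names tpm and tpm_tis are the ones the issue names, and whether they are sufficient for a given TPM 1.2 board is the open question the issue raises.

```shell
#!/bin/sh
# Added example: an initramfs-tools hook that populates ${DESTDIR}/etc with
# the account entries the TPM tools need. Not the project's own hook.

# Append the lines for the named accounts from $2 (source file) to
# $1 (destination file), skipping names already present in the destination.
copy_db_entries() {
    dest=$1; src=$2; shift 2
    mkdir -p "$(dirname "$dest")"
    touch "$dest"
    for name in "$@"; do
        if ! grep -q "^${name}:" "$dest"; then
            # "|| true" keeps a missing source entry from aborting a set -e hook
            grep "^${name}:" "$src" >> "$dest" || true
        fi
    done
}

# Populate DESTDIR/etc with passwd, group and hosts.
# Usage: populate_etc DESTDIR [SRC_PASSWD] [SRC_GROUP] [SRC_HOSTS]
# The optional source paths are an assumption of this example (they default
# to the real host files) so the logic can be tested on constructed input.
populate_etc() {
    destdir=$1
    src_passwd=${2:-/etc/passwd}
    src_group=${3:-/etc/group}
    src_hosts=${4:-/etc/hosts}
    copy_db_entries "$destdir/etc/passwd" "$src_passwd" root tss
    copy_db_entries "$destdir/etc/group"  "$src_group"  root tss
    if [ ! -e "$destdir/etc/hosts" ]; then
        mkdir -p "$destdir/etc"
        cp "$src_hosts" "$destdir/etc/hosts"
    fi
}

# Number of entries named $2 in database file $1 (used to check idempotence).
count_entries() {
    grep -c "^${2}:" "$1"
}

# --- standard initramfs-tools hook preamble; only active under update-initramfs ---
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# hook-functions and DESTDIR are only present when update-initramfs runs us.
if [ -r /usr/share/initramfs-tools/hook-functions ] && [ -n "$DESTDIR" ]; then
    . /usr/share/initramfs-tools/hook-functions
    manual_add_modules tpm tpm_tis   # assumed sufficient for TPM 1.2 (see issue text)
    populate_etc "$DESTDIR"
fi
```

Installed as /etc/initramfs-tools/hooks/tpm (executable), the hook runs on every update-initramfs; because it never overwrites an existing entry, another hook that already created etc/passwd (the lsinitramfs output above shows one exists) is left intact and the tss line is simply appended.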
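The key-file handling the post attributes to Glen Tomkowiak's guide (a 32-character pwgen -s key written to /dev/shm/tmp_tpm.key, zeroed before deletion), as an added example that is not code from that guide or from this project. The function names, the /dev/urandom fallback when pwgen is not installed, and the use of dd with conv=notrunc for the in-place overwrite are this example's own choices.

```shell
#!/bin/sh
# Added example: create a throwaway unlock key on tmpfs, then overwrite it
# with zeros in place before unlinking so the plaintext does not linger in
# the tmpfs pages. Not code from the guide or the project.

# Write a random 32-character key (plus trailing newline) to $1, mode 0600.
# pwgen -s 32 1 is what the guide uses; the /dev/urandom fallback is an
# assumption of this example and yields the same alphanumeric alphabet.
make_key_file() {
    keyfile=$1
    (
        umask 077
        if command -v pwgen >/dev/null 2>&1; then
            pwgen -s 32 1 > "$keyfile"
        else
            LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32 > "$keyfile"
            printf '\n' >> "$keyfile"
        fi
    )
}

# Overwrite $1 with zeros of the same length without truncating (so the
# same blocks are rewritten rather than new ones allocated).
zero_file() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    dd if=/dev/zero of="$f" bs=1 count="$size" conv=notrunc 2>/dev/null
}

# Zero, then remove, the key file.
wipe_key_file() {
    zero_file "$1"
    rm -f "$1"
}

# Number of non-NUL bytes in $1 (lets a caller confirm the overwrite happened).
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Intended flow (not run here):
#   KEY=/dev/shm/tmp_tpm.key
#   make_key_file "$KEY"
#   ... add "$KEY" to the LUKS volume and seal it with the TPM ...
#   wipe_key_file "$KEY"
```

The in-place zeroing is meaningful on tmpfs because the file's pages are the only copy and are rewritten by the overwrite; on flash-backed filesystems the same trick gives no such guarantee, which is one more reason the guide keeps the temporary key under /dev/shm. Note that pwgen's output includes a trailing newline, so the key file is 33 bytes; pass it consistently (the same bytes at enrol time and at unlock time) or strip it on both sides.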