On Tue, Aug 22, 2023 at 10:45 PM Aleksandar Kostadinov <akostadi@xxxxxxxxxx> wrote: > > On Tue, Aug 22, 2023 at 8:10 PM Lennart Poettering > <lennart@xxxxxxxxxxxxxx> wrote: > > On Di, 22.08.23 19:16, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote: > <...> > > > If attacker replaces volume with unencrypted one, and it boots without > > > messing up the sealing PCRs, then probably attacker can query the TPM > > > and obtain the encryption key. Despite the fact that this is not (yet) > > > implemented in cryptenroll. > > > > Sure, if you allow unencrypted systems to boot in your OS then all > > bets are off. You shouldn't do that of course. > > > > (in my model of mind, where automatic GPT image dissection is used the > > image dissection policies are how this should be locked down, see > > systemd.image-policy(7). You can confgure that via the kernel cmdline: > > in systemd.image_policy=. > > > > In systemd there's the "systemd-pcrfs@.service" and > > "systemd-pcrmachine.service" which will measure the identity of file > > systems and of /etc/machine-id into PCR 15. (systemd-cryptsetup also > > mesures a derivate of the volume key to PCR 15). PCR 15 is supposed to > > be an identifier of the OS instance. > > Wait. I was looking at this PCR. But wouldn't it be set only after the > volume has been unlocked? This means that before a volume is unlocked, > it cannot protect anything? Actually it may protect in case where > attacker replaced the volume with another encrypted volume. But not if > attacker replaced with a plain volume. > I try to understand this threat model. System will have kernel and initrd which are measured. Initrd will be configured to require encrypted volume with specific UUID. So if this encrypted volume is not available, booting fails. What happens depends on the exact initrd implementation. With dracut I think it will just hang indefinitely. So to boot into plain volume one needs to either replace initrd which invalidates measurements or use explicit command line parameters to override root device which hopefully is measured as well and so invalidates the measurements too. If initrd drops into the shell when the root device is missing then it could indeed offer the possibility to obtain a secret key. One possible mitigation is to extend PCR when an interactive shell is entered. Or do you have something different in mind?
Re: systemd-cryptenroll with TPM2
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: systemd-cryptenroll with TPM2
- From: Andrei Borzenkov <arvidjaar@xxxxxxxxx>
- Date: Wed, 23 Aug 2023 10:49:03 +0300
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <CAPws7kb-BUoEj1LST+K_CnYGU6fe3VneUAiM9Nd+OR_Zg+m8yA@mail.gmail.com>
- References: <CAPws7kbVR7TJ1o=DmEwU61z8ZsOu4C-KkcqbmZTLwBzyQZpzGw@mail.gmail.com> <ZOSzNQUVuHHttXsl@gardel-login> <CAPws7kZM0JWGUBwqiSqqDhJzGowQ4ViQGAN1d9Qr0pb7tCrr5A@mail.gmail.com> <ZOTsGSJJGD+6D/XR@gardel-login> <CAPws7kb-BUoEj1LST+K_CnYGU6fe3VneUAiM9Nd+OR_Zg+m8yA@mail.gmail.com>
- Follow-Ups:
- Re: systemd-cryptenroll with TPM2
- From: Aleksandar Kostadinov
- Re: systemd-cryptenroll with TPM2
- References:
- systemd-cryptenroll with TPM2
- From: Aleksandar Kostadinov
- Re: systemd-cryptenroll with TPM2
- From: Lennart Poettering
- Re: systemd-cryptenroll with TPM2
- From: Aleksandar Kostadinov
- Re: systemd-cryptenroll with TPM2
- From: Lennart Poettering
- Re: systemd-cryptenroll with TPM2
- From: Aleksandar Kostadinov
- systemd-cryptenroll with TPM2
- Prev by Date: Re: systemd-cryptenroll with TPM2
- Next by Date: Re: systemd-cryptenroll with TPM2
- Previous by thread: Re: systemd-cryptenroll with TPM2
- Next by thread: Re: systemd-cryptenroll with TPM2
- Index(es):
 |