On 10/11/23 04:40, Aleksandar Kostadinov wrote:
Just FYI, in some situations it might be a security issue to allow
booting without decrypting root volume (I know you're not doing for
root). Just want to point out that it shouldn't be a default feature
to skip decrypting.
An example scenario where we shouldn't allow that would be where root
disk is decrypted automatically with TPM. If attacker replaces that
volume with a non-encrypted volume and skipping decryption is allowed,
then system may boot with PCRs in a state suitable for decrypting
other encypted volumes or extracting the original root volume
encryption key... unless user has setup decryption to depend on PCR 15
(setup with the encryption keys of already decrypted volumes) or the
boot phase as understood by systemd-stub (e.g. enter-initrd).
I hope I managed to explain.
I think I get what you're saying (I'm not too familiar with how TPMs
work). Thanks for the info! I believe allowing decryption skipping is
safe for my particular use case (the only acceptable form of encryption
key is a password, and attacks involving modification of the unencrypted
software on the disk are beyond what I want to protect from). But I can
see how it could be a security issue in other situations, so it makes
sense why systemd would require extra work to allow that sort of thing.
On Wed, Oct 11, 2023 at 4:52 AM Aaron Rainbolt <arraybolt3@xxxxxxxxx> wrote:
I figured out how to do this, sorta. I ended up bypassing the
systemd-cryptsetup mechanism entirely and instead wrote my own shell
script and systemd unit that did things exactly the way I wanted. Now if
the user provides the right password, their home dir is mounted, if they
type a wrong one they're asked for their password again, and if they
type "guest" the system boots without mounting the encrypted home dir
and uses the ramdisk-backed one instead.
In case anyone's interested, my systemd unit is:
[Unit]
Description=Mount encrypted home
Before=display-manager.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/bin/firebook_homemount.sh
[Install]
WantedBy=multi-user.target
And the corresponding script is:
#!/bin/bash
# Mounts an encrypted home dir (or fails gracefully)
while true; do
decryptPassword="$(systemd-ask-password --no-tty "Please provide
your user password (or type \"guest\" to enter guest mode)")"
if [ "${decryptPassword}" = "guest" ]; then
break
else
echo "${decryptPassword}" | cryptsetup luksOpen
/dev/disk/by-label/firebook-crypt firebook-home
if [ "$?" = "0" ]; then
mount /dev/mapper/firebook-home /home
break
fi
fi
done
I also masked systemd-ask-password-console.service and
systemd-ask-password-wall.service so that if the user enters a wrong
password, they're asked for their password within Plymouth repeatedly
(whereas originally if the user flunked their password at Plymouth,
systemd-ask-password would default to using
systemd-ask-password-wall.service next). This seems to be working so far.
On 10/9/23 02:10, Aaron Rainbolt wrote:
Good morning/evening, and thanks for your time.
I'm attempting to create a Fedora-based immutable distro (not based on
Silverblue) that stores user data in an encrypted /home partition. The
goal is to have something that behaves somewhat similar to Chrome OS.
One feature I'm attempting to implement is a "guest mode", whereby a
user can sign into the system without providing any password, but if
they do so they don't gain access to the system's owner's data and
virtually anything they do is erased upon shutdown.
In order to do this, I have two /home directories - one is part of the
(immutable) root filesystem, which can only be written to thanks to a
Dracut-created ramdisk overlay. The other is stored in an encrypted
partition. I'm using a crypttab line like this to prepare the
encrypted partition:
firebook-home LABEL=firebook-crypt none luks,discard,nofail
And I'm using an fstab line like this to mount it:
/dev/mapper/firebook-home /home ext4 defaults,nofail 0 0
Note that I've marked both of these with "nofail" - the goal is that
the user will be prompted for their password by systemd upon boot, but
if they do not provide the password (by intentionally providing a
wrong password three times), the encrypted drive should not be mounted
and the system should boot normally using the ephemeral home directory
provided by the root filesystem + ramdisk overlay.
This seems to be *almost* working, however if I intentionally provide
a wrong password to the password prompt a few times, it doesn't
actually "give up" on getting a password from me. What it does instead
is it stops asking me for the password at boot, but then rather than
starting GNOME it just leaves me at a console screen. If I am able to
get GDM to appear somehow, I can't sign in.
What I end up doing is switching to a TTY, signing in, and then
elevating to root to troubleshoot. Once I've elevated to root, I get a
`wall` message informing me that the system is *still waiting* for a
password and that I need to run `systemd-tty-ask-password-agent` (I
think?) to provide it. If I go ahead and do this, then restart GDM,
I'm able to sign in after that. (I could be wrong about what command
it's asking me to run, but I think it was
`systemd-tty-ask-password-agent`.)
From my research, it looks like systemd is refusing to ever truly
"give up" on getting the password for the encrypted /home directory,
despite the use of `nofail` in the fstab and crypttab files. I'm not
finding any documentation on how to get systemd to "give up" on
getting the password. For my particular use case, I'd like systemd to
just forget that the encrypted drive exists at all if the wrong
password is given. If the user wants to mount the encrypted drive
after that, they should either reboot or use cryptsetup manually.
Is there any way to make systemd "give up" on getting a password?
Thanks for your help!
Aaron