Re: Is tpm2-measure-pcr really an additional security?

On 2025-03-10 18:25, Diorcet Yann wrote:
On 10/03/2025 at 17:27, Adrian Vovk wrote:

2) Just before opening the var LUKS:

PCR15=0 or something predictable

cryptsetup is used to open var and update PCR15 thanks to
tpm2-measure-pcr=yes. But in this case /dev/sda1 is replaced with the
original /dev/sda1 partition.

I think that you mean that /dev/sda2 (/var) is replaced with the original /dev/sda1 (rootfs), so mounting the original root in /var, right?

PCR15=hash1

3) initrd makes the mount of the fs, makes multiple measurements
(notably on PCR11 with leave-initrd) then chroots and executes
malicious init.


Is PCR15 checked against a pre-calculated value saved in the signed
initrd before leaving initrd? If it's not the case, then when
executing the init from the chrooted malicious partition, the original
/dev/sda1 LUKS will be opened and mounted as var.

You need a service in the initrd to do that. systemd AFAIK is not currently providing one, but the plumbing is there to bring your own.
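The "bring your own" check mentioned above, as an added illustration that is not systemd's code and not part of this thread: a small script meant to run from a service inside the signed initrd, after the volume has been opened with tpm2-measure-pcr=yes and before the root switch. It replays the TPM extend operation over the measurements the initrd is expected to make, so the pre-calculated PCR15 value is derived from a list carried in the initrd rather than typed in by hand, then reads the live PCR and compares. Everything here is an assumption for the example: the SHA-256 bank, PCR 15 starting at all zeros, the constructed placeholder measurement, and the text format of `tpm2_pcrread sha256:15` that the parser expects.

```python
#!/usr/bin/env python3
"""Check PCR 15 against a pre-calculated value before the initrd hands over.

Added illustration, not systemd's code. Assumptions (all labelled):
- SHA-256 PCR bank, PCR 15, which starts the boot at 32 zero bytes.
- EXPECTED_MEASUREMENTS is the ordered list of digests the initrd is
  expected to extend into PCR 15 (one per volume opened with
  tpm2-measure-pcr=yes); the value below is a constructed placeholder.
  In a deployment the real list, or the resulting PCR value, would be
  carried inside the signed initrd.
- Live reads call `tpm2_pcrread sha256:15` and parse its text output.
"""
import hashlib
import hmac
import subprocess
import sys

PCR_INDEX = 15
DIGEST_LEN = 32  # SHA-256

# Constructed placeholder: the digest that opening /var is expected to extend.
EXPECTED_MEASUREMENTS = [
    hashlib.sha256(b"constructed placeholder: /var volume measurement").hexdigest(),
]


def simulate_extend(initial: bytes, digests: list) -> bytes:
    """Replay TPM2_PCR_Extend for each digest: PCR_new = SHA-256(PCR_old || digest)."""
    pcr = initial
    for hexdigest in digests:
        raw = bytes.fromhex(hexdigest)
        if len(raw) != DIGEST_LEN:
            raise ValueError("each measurement must be a SHA-256 digest")
        pcr = hashlib.sha256(pcr + raw).digest()
    return pcr


def expected_pcr(digests: list = EXPECTED_MEASUREMENTS) -> str:
    """Pre-calculated PCR 15 value (hex) for the expected measurement sequence."""
    return simulate_extend(b"\x00" * DIGEST_LEN, digests).hex()


def parse_pcrread(output: str, index: int = PCR_INDEX) -> str:
    """Extract one PCR value from tpm2_pcrread output, assumed to look like:
        sha256:
          15: 0x<64 hex digits>
    """
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(f"{index}:"):
            continue
        value = line.split(":", 1)[1].strip().lower()
        if value.startswith("0x"):
            value = value[2:]
        if len(value) != 2 * DIGEST_LEN or set(value) - set("0123456789abcdef"):
            raise ValueError(f"malformed PCR {index} value: {value!r}")
        return value
    raise ValueError(f"PCR {index} not present in tpm2_pcrread output")


def read_live_pcr(index: int = PCR_INDEX) -> str:
    """Read the live PCR through tpm2-tools (only works on a host with a TPM)."""
    result = subprocess.run(
        ["tpm2_pcrread", f"sha256:{index}"],
        capture_output=True, text=True, check=True,
    )
    return parse_pcrread(result.stdout, index)


def pcr_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two PCR values."""
    return hmac.compare_digest(bytes.fromhex(actual_hex), bytes.fromhex(expected_hex))


def verdict(actual_hex: str, expected_hex: str) -> int:
    """Exit status for the service: 0 when PCR 15 matches, 1 otherwise."""
    return 0 if pcr_matches(actual_hex, expected_hex) else 1


if __name__ == "__main__":
    # Run from a service ordered after the volume was opened and before
    # switch-root; a non-zero exit should fail the boot rather than carry on.
    actual = read_live_pcr()
    expected = expected_pcr()
    status = verdict(actual, expected)
    print(f"PCR {PCR_INDEX}: actual={actual} expected={expected} "
          f"{'OK' if status == 0 else 'MISMATCH'}", file=sys.stderr)
    sys.exit(status)
```

To use it as the service the reply describes, wrap it in a unit inside the initrd ordered after the cryptsetup unit for the volume (for example `After=systemd-cryptsetup@var.service`) and `Before=initrd-switch-root.target`, and give it a `FailureAction=` so a mismatch stops the boot instead of letting the chroot into a substituted root proceed. The comparison uses `hmac.compare_digest` so the check itself does not leak how many bytes of the expected value matched.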
