Re: Is tpm2-measure-pcr really an additional security?

On Di, 11.03.25 13:27, Lennart Poettering (lennart@xxxxxxxxxxxxxx) wrote:

> On Mo, 10.03.25 19:25, Diorcet Yann (diorcet.yann@xxxxxxxxx) wrote:
>
> > Is PCR15 checked against a pre-calculated value saved in the signed initrd
> > before leaving initrd? If it's not the case, then when executing the init
> > from the chrooted malicious partition, the original /dev/sda1 LUKS will be
> > opened and mounted as var.
>
> I think you are misunderstanding what PCR15 is supposed to be. It's
> not really supposed to be consumed for FDE, but simply populated by
> FDE. Its use case was to later have a PCR that identifies the local
> system, that we can lock encrypted credentials or systemd-confext
> images to.
>
> To protect the order of things, use the "phase" logic, i.e. in PCR 15.
>
> And to say this very clearly: the model this is designed for assumes
> you have one encrypted fs, not many. I.e. if everything checks out then
> you get access to it, and if it doesn't you don't. I am not sure I
> understand your scenario, but you appear to work with two encrypted
> disks, one for the rootfs and one for /var/? Yes, there is no
> protection against using them for the wrong purpose (i.e. the root fs for
> /var/ or vice versa), because that was never in the picture of being
> an issue.
>
> If you want multiple encrypted partitions like that, then things are a
> lot more complicated, but let me ask you: why even? It makes sense to
> split things up so that you have various sets of data with different
> protections (i.e. some unprotected, some verity protected, some
> encrypted + TPM). But if you have multiple partitions protected the
> same way, why split them up, and why create such a headache?

I prepped this now:

https://github.com/systemd/systemd/pull/36714

It should add protections that address the aforementioned issues with
"misusing" partitions at the wrong places.

Lennart

--
Lennart Poettering, Berlin
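As an added illustration (not code from this thread or from systemd itself), the Python below models a TPM PCR as a SHA-256 hash chain to show what the "phase" logic referred to above buys: a secret sealed to the PCR state inside the initrd stops being unsealable once "leave-initrd" has been measured, and swapping two measurements yields a different PCR value, so the chain encodes order, not just set membership. The phase strings are the ones documented for systemd-pcrphase(8); the seal/unseal functions are a constructed stand-in for a TPM2 PolicyPCR-bound sealed object, and the PCR index is left abstract because it does not affect the chain.

```python
"""Model of TPM PCR extension and phase measurements (added example,
not systemd code). Shows why measuring boot phases protects ordering."""
import hashlib

# Phase strings as documented for systemd-pcrphase(8). The PCR index is
# irrelevant to the hash chain, so the register is modelled abstractly.
PHASES = ("enter-initrd", "leave-initrd", "sysinit", "ready")
ZERO_PCR = bytes(32)  # SHA-256 bank PCR after reset


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def pcr_after(events) -> bytes:
    """Replay a sequence of measured event strings from a reset PCR."""
    pcr = ZERO_PCR
    for ev in events:
        pcr = pcr_extend(pcr, ev.encode())
    return pcr


def seal(secret: bytes, phases_done) -> dict:
    """Constructed stand-in for a PolicyPCR-bound sealed object: the secret
    is released only if the PCR equals the value recorded at sealing time.
    (A real TPM encrypts the object; equality of the PCR is what matters here.)"""
    return {"expected_pcr": pcr_after(phases_done), "secret": secret}


def unseal(obj: dict, phases_done):
    """Return the secret if the current PCR matches the sealed-to value, else None."""
    if pcr_after(phases_done) == obj["expected_pcr"]:
        return obj["secret"]
    return None


def demo() -> dict:
    # Constructed scenario: a credential meant to be usable only in the initrd,
    # i.e. sealed to the PCR state after "enter-initrd" was measured.
    initrd_only = seal(b"initrd-credential", ["enter-initrd"])
    return {
        # Still in the initrd: PCR matches, unseal works.
        "in_initrd": unseal(initrd_only, ["enter-initrd"]) is not None,
        # Once "leave-initrd" is measured the PCR has moved on; code that runs
        # afterwards (e.g. an init from a substituted root fs) cannot unseal it.
        "after_leave_initrd": unseal(initrd_only, ["enter-initrd", "leave-initrd"]) is not None,
        "in_host_system": unseal(initrd_only, PHASES) is not None,
        # Swapping two measurements changes the PCR: the chain encodes order.
        "order_matters": pcr_after(["enter-initrd", "leave-initrd"])
        != pcr_after(["leave-initrd", "enter-initrd"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately omits the signed-policy indirection systemd uses in practice (expected PCR values signed by the OS vendor rather than hard-coded at sealing time); that changes who may authorise a PCR value, not the fact that once a phase has been extended there is no way back to the earlier register state.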