From: Felix Rubio Dalmau <felix at kngnt.org>
To: tpm2@lists.01.org
Subject: [tpm2] Re: System design question
Date: Sun, 28 Aug 2022 11:38:54 +0200 [thread overview]
Message-ID: <2843585.e9J7NaK4W3@polaris> (raw)
In-Reply-To: 1565210bf6090620e74aa012aa8e840de0aff6c1.camel@intel.com
[-- Attachment #1: Type: text/plain, Size: 2305 bytes --]
Hey William,
Thank you for your answer, I have just been playing with the tpm2_tools in
latest Debian 11.4, trying to follow your reasoning, but there is something I
am missing:
As secureboot does not check the initramfs, my approach is to make the full
disk encryption key depend on PCR registers 0,1,7 and 9 (for what I have read,
from kernel 5.13 on, the measurements of initramfs go to PCR 9), or a rescue
password. This approach implies having a script in place so that the first time
a new kernel + initramfs boot I will get those measurements somewhere and then
I can rebuild the policies with the correct contents (that is, until I find a
way to precalculate the value of PCR 9 out of the initramfs file itself...
assuming is possible).
In your email you say "[...]
> So really all that needs to occur is the code/script needs to be in
> place that does the normal PCR flow or rescue flow. The create call
> can be hardcoded to the known hash, that isn't changing and can be
> included in the filesystem when generated.
[...]" but I do not see how would that be achieved: my current normal PCR flow
goes like this:
tpm2_startauthsession -Q -S session.ctx --policy-session
tpm2_policypcr -Q -S session.ctx -l sha256:0,1,7,9
tpm2_policypassword -Q -S session.ctx
tpm2_policyor -Q -S session.ctx sha256:rescue.policy,regular.policy
SECRET=`tpm2_unseal -Q -c 0x81010001 -p "session:session.ctx+$REGULAR_PASS"`
tpm2_flushcontext -Q session.ctx
tpm2_pcrextend -Q 0:sha256=00000000000000000000000000000000000000000000000...
I think I understand, from user answer, that I should be able to replace
tpm2_policyor -Q -S session.ctx sha256:rescue.policy,regular.policy
by
tpm2_policyor -Q -S session.ctx <output of precalculated digest>
But still, this does not fix the issue: the moment I hardcode this value in my
initramfs, its measurement on PCR 9 will change. The only way out I see is to
avoid storing this information on the initramfs itself, and this is when the
nvram came into the picture. Given that nvram is scarce, maybe I can get away
by storing on it the digest of the policyor, and adding it somehow to the
session after reading it?
Regards, and thank you very much for giving this issue a thought!
Felix
next reply other threads:[~2022-08-28 9:38 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-28 9:38 Felix Rubio Dalmau [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-08-31 21:21 [tpm2] Re: System design question David Challener
2022-08-31 19:21 Roberts, William C
2022-08-22 16:02 Roberts, William C
2022-08-22 13:09 Roberts, William C
2022-08-22 13:08 Roberts, William C
2022-08-21 12:05 Felix Rubio Dalmau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2843585.e9J7NaK4W3@polaris \
--to=tpm2@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox