This article demonstrates how to configure clevis and systemd-cryptenroll using a Trusted Platform Module 2 chip to automatically decrypt your LUKS-encrypted partitions at boot.<\/p>\n
<\/span> <\/p>\n If you just want to get automatic decryption going you may skip directly to the Prerequisites section.<\/p>\n Disk encryption protects your data (private keys and critical documents) through direct access of your hardware. Think of selling your notebook \/ smartphone or it being stolen by an opportunistic evil actor. Any data, even if “deleted”, is recoverable and hence may fall into the hands of an unknown third party.<\/p>\n Disk encryption does not<\/strong> protect your data from access on the running system. For example, disk encryption does not protect your data from access by malware running as your user or in kernel space. It’s already decrypted at that point.<\/p>\n Entering the passphrase to decrypt the disk at boot can become quite tedious. On modern systems a secure hardware chip called “TPM” (Trusted Platform Module) can store a secret and automatically decrypt your disk. This is an alternative<\/strong> factor, not a second<\/strong> factor. Keep that in mind. Done right, this is an alternative with a level of security similar to a passphrase.<\/p>\n A TPM2 chip is a little hardware module inside your device which basically provides APIs for either WRITE-only or READ-only information. This way you might write a secret onto it, but you can never read it out later (but the TPM may use it later internally). Or you write info at one point that you only read out later. The TPM2 provides something called PCRs (Platform Configuration Registers). These registers take SHA1 or SHA256 hashes and contain measurements<\/em> used to assert integrity of, for example, the UEFI configuration.<\/p>\n Enable or disable Secure Boot in the system’s UEFI. Among other things, Secure Boot computes hashes of every component in the boot chain (UEFI and its configuration, bootloader, etc.) and chains them together such that a change in one of those components changes the computed and stored hashes in all following PCRs. This way you can build up trust about the environment you are in. Having a measure of the trustworthiness of your environment is useful, for example, when decrypting your disk. The UEFI Secure Boot specification<\/a> defines PCRs 0 – 7. Everything beyond that is free for the OS and applications to use.<\/p>\n A tool called clevis<\/em> generates a new decryption secret for the LUKS encrypted disk, stores it in the TPM2 chip and configures the TPM2 to only return the secret if the PCR state matches the one at configuration time. Clevis will attempt to retrieve the secret and automatically decrypt the disk at boot time only if the state is as expected.<\/p>\n As you establish an alternative unlock method using only the on-board hardware of your platform, you have to trust your platform manufacturer to do their job right. This is a delicate topic. There is trust in a secure hardware and firmware design. Then there is trust that the UEFI, bootloader, kernel, initramfs, etc. are all unmodified. Combined you expect a trustworthy environment where it is OK to automatically decrypt the disk.<\/p>\n That being said you have to trust (or better, verify<\/em>) that the manufacturer did not mess anything up in the overall platform design for this to be considered a fairly safe decryption alternative. There are a range of cases where things did not work out as planned. For example, when security researches showed that BitLocker on a Lenovo notebook would use unencrypted SPI communication<\/a> with the TPM2 leaking the LUKS passphrase in plain text without even altering the system, or that BitLocker used the native encryption features of SSD drives that you can by-pass through factory reset<\/a>.<\/p>\n These examples are all about BitLocker but it should make it clear that if the overall design is broken, then the secret is accessible and this alternative method less secure than a passphrase only present in your head (and somewhere safe like a password manager). On the other hand, keep in mind that in most cases elaborate research and attacks to access a drive’s data are not worth the effort for an opportunistic bad actor. Additionally, not having to enter a passphrase on every boot should help adoption of this technology as it is transparent but adds additional hurdles to unwanted access.<\/p>\n First check that:<\/p>\n Clevis is where the magic happens. It’s a tool you use in the running OS to bind the TPM2 as an alternative<\/strong> decryption method and use it inside the initramfs<\/em> to read the decryption secret from the TPM2.<\/p>\n Check that secure boot is enabled. The output of dmesg<\/em> should look like this:<\/p>\n Check dmesg<\/em> for the presence of a TPM2 chip:<\/p>\n Install the clevis<\/em> dependencies and regenerate your initramfs using dracut<\/em>.<\/p>\n The reboot<\/strong> is important<\/strong> to get the correct PCR <\/strong>measurements based on the new initramfs image used for the next step.<\/p>\n To bind the LUKS-encrypted partition with the TPM2 chip. Point clevis to your (root) LUKS partition and specify the PCRs it should use.<\/p>\n Enter your current LUKS passphrase when asked. The process uses this to generate a new independent secret that will tie your LUKS partition to the TPM2 for use as an alternative<\/strong> decryption method. So if it does not work you will still have the option to enter your decryption passphrase directly.<\/p>\n As mentioned previously, PCRs 1, 4 and 5 change when booting into another system such as a live disk. PCR 7 tracks the current UEFI Secure Boot policy and PCR 9 changes if the initramfs loaded via EFI changes.<\/p>\n Note: If you just want to protect the LUKS passphrase from live images but don’t care about more “elaborate” attacks such as altering the unsigned initramfs on the unencrypted boot partition, then you might omit PCR 9 and save yourself the trouble of rebinding on updates.<\/p>\n In case of secondary encrypted partitions use \/etc\/crypttab<\/em>.<\/p>\n Use systemd-cryptenroll<\/em> to register the disk for systemd<\/em> to unlock:<\/p>\n Then reflect that config in your \/etc\/crypttab<\/em> by appending the options tpm2-device=auto,tpm2-pcrs=1,4,5,7,9<\/em>.<\/p>\n List all current bindings of a device<\/strong>:<\/p>\n Unbind a device<\/strong>:<\/p>\n The -s<\/strong> parameter specifies the slot of the alternative secret for this disk stored in the TPM. It should be 1 if you always unbind before binding again.<\/p>\n Regenerate binding, in case the PCRs have changed<\/strong>:<\/p>\n Edit the configuration of a device<\/strong>:<\/p>\n Disk decryption passphrase prompt shows at boot, but goes away after a while<\/strong>:<\/p>\n Add a sleep command to the systemd-ask-password-playmouth.service<\/em> file using systemctl edit<\/em> to avoid requests to the TPM before its kernel module is loaded:<\/p>\n Add the following to the config file \/etc\/dracut.conf.d\/systemd-ask-password-plymouth.conf<\/em>:<\/p>\n Then regenerate dracut<\/em> via sudo dracut -fv –regenerate-all<\/em>.<\/p>\n Reboot and then regenerate the binding:<\/p>\n This article demonstrates how to configure clevis and systemd-cryptenroll using a Trusted Platform Module 2 chip to automatically decrypt your LUKS-encrypted partitions at boot. If you just want to get automatic decryption going you may skip directly to the Prerequisites section. Motivation Disk encryption protects your data (private keys and critical documents) through direct access […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[1430,566,606,45,1431,46,47,1432,1433,1434],"class_list":["post-131561","post","type-post","status-publish","format-standard","hentry","category-fedora-os","tag-clevis","tag-encryption","tag-faqs-and-guides","tag-fedora","tag-luks","tag-magazine","tag-news","tag-secure-boot","tag-tpm","tag-tpm2"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131561"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131561\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=131561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Motivation<\/h2>\n
Background<\/h2>\n
A summary of what is measured into which PCRs according to the spec<\/h3>\n
\n
Some examples on what is measured into which PCR<\/h3>\n
\n
Security implications<\/h2>\n
Prerequisites<\/h2>\n
\n
$ dmesg | grep Secure\n[ 0.000000] secureboot: Secure boot enabled\n[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7\n[ 0.005537] secureboot: Secure boot enabled\n[ 1.582598] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'\n[ 35.382910] Bluetooth: hci0: Secure boot is enabled<\/pre>\n
$ dmesg | grep TPM\n[ 0.005598] ACPI: TPM2 0x000000005D757000 00004C (v04 DELL Dell Inc 00000002 01000013)<\/pre>\n
sudo dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd\nsudo dracut -fv --regenerate-all\nsudo systemctl reboot<\/pre>\n
Configure clevis<\/h2>\n
sudo clevis luks bind -d \/dev\/nvme... tpm2 '{\"pcr_ids\":\"1,4,5,7,9\"}'<\/pre>\nAutomatically decrypt additional partitions<\/h2>\n
sudo systemd-cryptenroll \/dev\/nvme0n1... --tpm2-device=auto --tpm2-pcrs=1,4,5,7,9<\/pre>\n
Unbind, rebind and edit<\/h2>\n
$ sudo clevis luks list -d \/dev\/nvme0n1... tpm2\n1: tpm2 '{\"hash\":\"sha256\",\"key\":\"ecc\",\"pcr_bank\":\"sha256\",\"pcr_ids\":\"0,1,2,3,4,5,7,9\"}'<\/pre>\nsudo clevis luks unbind -d \/dev\/nvme0n1... -s 1 tpm2<\/pre>\n
sudo clevis luks regen -d \/dev\/nvme0n1... -s 1 tpm2<\/pre>\n
sudo clevis luks edit -d \/dev\/nvme0n1... -s 1 -c '{\"pcr_ids\":\"0,1,2,3,4,5,7,9\"}'<\/pre>\nTroubleshooting<\/h2>\n
[Service]\nExecStartPre=\/bin\/sleep 10<\/pre>\n
install_items+=\" \/etc\/systemd\/system\/systemd-ask-password-plymouth.service.d\/override.conf \"<\/pre>\n
sudo systemctl reboot\n...\nsudo clevis luks regen -d \/dev\/nvme0n1... -s 1<\/pre>\n
Resources<\/h2>\n
\n