LUKS, TPM and full disk encryption without password



Nikola Kolev
koue@chaosophia.net

OpenFest 2014

(page 1)

Introduction


(page 2)

LUKS (Linux Unified Key Setup)


(page 3)

TPM (Trusted Platform Module)


(page 4)

PCRs (Platform Configuration Registers)


(page 5)

PCRs


(page 6)

Sealed Storage


(page 7)

TrustedGrub


(page 8)

TrustedGrub
# cat /sys/class/misc/tpm0/device/pcrs
PCR-00: 86 41 67 5C B4 09 0F 7D 66 DE 1D 45 37 86 C1 07 BF 2F C9 7C
PCR-01: A6 F6 5F C5 10 F0 01 5A 45 B4 CA D7 55 F5 95 DA CB 94 9A 75
PCR-02: 1C 48 E4 34 AA 02 DD DC 15 C0 15 AB EB 0B 81 9A 6B 16 CA 9F
PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-04: A8 A7 2B EA A4 25 CD 94 93 1D C8 6A 8B C2 2C C6 9D E2 19 8F
PCR-05: 9B 86 10 E8 E1 9A 4C 8B F3 DC 7D 38 77 3F 65 A1 46 63 4B F0
PCR-06: 43 28 E5 B7 3A 73 5C 36 AD 7F C4 F7 F9 D1 38 94 E0 08 EB 40
PCR-07: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-08: 02 96 2F 2E AC D4 BF A7 60 C2 53 79 CD 4A BE BA FE F9 93 BA
PCR-09: BE 43 3C 46 58 01 A1 55 8D B5 B4 88 FB 7B FD BE 09 53 16 1D
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 2A C9 E8 00 2E F7 C6 4C 5F C3 B7 87 9E F7 F5 E3 21 F1 AB B4
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: AB 75 4A 86 72 A0 0D 08 4F C5 58 F2 14 35 43 90 00 92 95 C7
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

(page 9)

CentOS 6.5 example

  • Disk partition table
/dev/sda1 -> /boot
/dev/sda2 -> swap
/dev/sda3 -> / (encrypted)

  • Setup:
# yum install tpm-tools trousers
# /etc/init.d/tcsd start
# tpm_takeownership -z
Password:

(page 10)

CentOS 6.5 example

  • TrustedGrub build dependencies
# yum install automake gcc glibc-devel glibc-devel.i686 libgcc.i686

  • TrustedGrub installation
# lynx https://projects.sirrix.com/trac/trustedgrub/wiki/Documentation

  • tcsd needs its files owned by the tss user, so stop dracut forcing 0:0 ownership in the cpio archive
# sed -i -e 's/cpio -R 0:0/cpio/' /sbin/dracut

(page 11)

CentOS 6.5 example

  • Change cryptroot-ask.sh to unseal the password
# ed /usr/share/dracut/modules.d/90crypt/cryptroot-ask.sh << END
104i
if [ \$ask_passphrase -ne 0 ]; then
/sbin/modprobe tpm_infineon
/bin/mknod -m 644 /dev/urandom c 1 9
ifconfig lo 127.0.0.1
/usr/sbin/tcsd -f &
sleep 3
mkdir /mnt
mount -t ext4 /dev/sda1 /mnt
/usr/bin/tpm_unsealdata -z -i /mnt/sealed_key | cryptsetup luksOpen "\$device" "\$luksname" && ask_passphrase=0
umount /mnt
fi
.
w
q
END

(page 12)

CentOS 6.5 example

  • Create new initramfs

# dracut --add-drivers tpm_infineon -I "/usr/sbin/tcsd \
/etc/tcsd.conf \
/usr/bin/tpm_unsealdata \
/var/lib/tpm/system.data \
/etc/passwd \
/etc/group \
/etc/nsswitch.conf \
/lib64/libnss_files.so.2 \
/etc/hosts \
/lib64/libnss_dns.so.2 \
/sbin/ifconfig" luks-`uname -r`.img

# cp luks-`uname -r`.img /boot

(page 13)

CentOS 6.5 example

  • Replace current initramfs with the new one
# sed -i -e 's/initramfs/luks/' /boot/grub/menu.lst
# reboot

  • Boot with new luks initramfs
Enter LUKS password

# killall tcsd
# /etc/init.d/tcsd start
# echo lukspassword | tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p 14 -o /boot/sealed_key
# reboot
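Added example, not part of the slides: after a kernel, bootloader or menu.lst change the sealed PCR set no longer matches, tpm_unsealdata refuses, and the initramfs silently falls back to the passphrase prompt. This script parses the sysfs pcrs format shown on the TrustedGrub slide, simulates a TPM 1.2 extend, and reports which of the PCRs chosen in the tpm_sealdata step (4, 8, 9, 12, 14) changed. It assumes the loaded kernel is measured into PCR 14 and uses constructed sample data.

```python
import hashlib
import re

# PCR set the LUKS passphrase is sealed to in the tpm_sealdata step (-p 4 -p 8 -p 9 -p 12 -p 14)
SEALED_PCRS = (4, 8, 9, 12, 14)

# One line of /sys/class/misc/tpm0/device/pcrs: "PCR-04: A8 A7 ... 8F" (20 bytes, TPM 1.2 / SHA-1)
PCR_LINE = re.compile(r"^PCR-(\d{2}):((?: [0-9A-Fa-f]{2}){20})$")

# Constructed baseline: the sealed PCRs copied from the PCR dump slide, as captured right after sealing
BASELINE_DUMP = """\
PCR-04: A8 A7 2B EA A4 25 CD 94 93 1D C8 6A 8B C2 2C C6 9D E2 19 8F
PCR-08: 02 96 2F 2E AC D4 BF A7 60 C2 53 79 CD 4A BE BA FE F9 93 BA
PCR-09: BE 43 3C 46 58 01 A1 55 8D B5 B4 88 FB 7B FD BE 09 53 16 1D
PCR-12: 2A C9 E8 00 2E F7 C6 4C 5F C3 B7 87 9E F7 F5 E3 21 F1 AB B4
PCR-14: AB 75 4A 86 72 A0 0D 08 4F C5 58 F2 14 35 43 90 00 92 95 C7
"""


def parse_pcrs(dump):
    """Parse the sysfs pcrs text into {index: 20-byte value}; lines that are not PCRs are ignored."""
    pcrs = {}
    for line in dump.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def extend(pcr_value, measured_data):
    """TPM 1.2 measure-and-extend: new = SHA-1(old || SHA-1(data)). The operation is one-way,
    so a PCR value can only be reproduced by booting the same components in the same order."""
    return hashlib.sha1(pcr_value + hashlib.sha1(measured_data).digest()).digest()


def changed_sealed_pcrs(baseline, current, sealed=SEALED_PCRS):
    """Sealed PCRs whose current value differs from the baseline. Any entry here means
    tpm_unsealdata will fail and cryptroot-ask.sh falls back to asking for the passphrase."""
    return [i for i in sealed if baseline.get(i) != current.get(i)]


def simulate_kernel_update(baseline):
    """Constructed scenario: a new kernel image is measured into PCR 14 (assumed to be where
    TrustedGRUB measures the loaded kernel); every other PCR is unchanged."""
    current = dict(baseline)
    current[14] = extend(baseline[14], b"vmlinuz-new-build (constructed)")
    return current


if __name__ == "__main__":
    base = parse_pcrs(BASELINE_DUMP)
    print("PCRs that break unsealing:", changed_sealed_pcrs(base, simulate_kernel_update(base)))  # [14]
```

Save the pcrs file right after sealing and diff it against the current one whenever the prompt unexpectedly reappears; the listed PCR tells you which boot component changed before re-sealing.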

(page 14)

Conclusions

(page 15)

Q & A
(page 16)