
Re: [PATCH v2 0/5] Automatic TPM Disk Unlock


From: Didier Spaier
Subject: Re: [PATCH v2 0/5] Automatic TPM Disk Unlock
Date: Tue, 1 Feb 2022 22:40:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1

Hi,

pardon me for top posting just once; the answer below was sent in reply to v1 but
seems not to have made it through, as I cannot find it in the archives, and it is
about the proposal in general.

Here goes (initially posted on Tue, 25 Jan 2022):

Sorry for a newbie question (I plan to allow installing Slint on a Secure Boot
enabled machine if/when I can, but know almost nothing yet about this topic).

Currently, in the "auto" mode of installation, we allow installing Slint on a
fully encrypted drive (minus the ESP and the BIOS Boot partition), the user then
typing a passphrase only once when politely requested by GRUB before it displays
its menu (without using LVM, as we store a LUKS key in the initramfs).

The main purpose is to forbid access to the system when the machine is powered
off, for instance in the case of a laptop stolen during travel.

Would the feature you describe possibly allow this protection to be circumvented?

Thanks,
Didier
--
Didier Spaier
Slint maintainer


On 01/02/2022 at 14:02, Hernan Gatta wrote:
> Updates since v1:
> 
> 1. One key can unlock multiple disks:
>    It is now possible to use key protectors with cryptomount's -a and -b
>    options.
> 
> 2. No passphrase prompt on error if key protector(s) specified:
>    cryptomount no longer prompts for a passphrase if key protectors are
>    specified but fail to provide a working unlock key seeing as the user
>    explicitly requested unlocking via key protectors.
> 
> 3. Key protector parameterization is separate:
>    Previously, one would parameterize a key protector via a colon-separated
>    argument list nested within a cryptomount argument. Now, key protectors are
>    expected to provide an initialization function, if necessary.
> 
>    As such, instead of:
> 
>    cryptomount -k tpm2:mode=srk:keyfile=KEYFILE:pcrs=7,11...
> 
>    one now writes:
> 
>    tpm2_key_protector_init --mode=srk --keyfile=KEYFILE --pcrs=7,11 ...
>    cryptomount -k tpm2
> 
>    Additionally, one may write:
> 
>    cryptomount -k protector_1 -k protector_2 ...
> 
>    where cryptomount will try each in order on failure.
> 
> 4. Standard argument parsing:
>    The TPM2 key protector now uses 'struct grub_arg_option' and the
>    grub-protect tool uses 'struct argp_option'. Additionally, common argument
>    parsing functionality is now shared between the module and the tool.
> 
> 5. More useful messages:
>    Both the TPM2 module and the grub-protect tool now provide more useful
>    messages to help the user learn how to use their functionality (--help and
>    --usage) as well as to determine what is wrong, if anything. Furthermore,
>    the module now prints additional debug output to help diagnose problems.
> 
> I forgot to mention last time that this patch series intends to address:
> https://bugzilla.redhat.com/show_bug.cgi?id=1854177
> 
> Previous series:
> https://lists.gnu.org/archive/html/grub-devel/2022-01/msg00125.html
> 
> Thank you,
> Hernan
> 
> Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
> 
> Hernan Gatta (5):
>   protectors: Add key protectors framework
>   tpm2: Add TPM Software Stack (TSS)
>   protectors: Add TPM2 Key Protector
>   cryptodisk: Support key protectors
>   util/grub-protect: Add new tool
> 
>  .gitignore                             |    1 +
>  Makefile.util.def                      |   19 +
>  configure.ac                           |    1 +
>  grub-core/Makefile.am                  |    1 +
>  grub-core/Makefile.core.def            |   11 +
>  grub-core/disk/cryptodisk.c            |  166 +++-
>  grub-core/kern/protectors.c            |   75 ++
>  grub-core/tpm2/args.c                  |  129 ++++
>  grub-core/tpm2/buffer.c                |  145 ++++
>  grub-core/tpm2/module.c                |  710 +++++++++++++++++
>  grub-core/tpm2/mu.c                    |  807 ++++++++++++++++++++
>  grub-core/tpm2/tcg2.c                  |  143 ++++
>  grub-core/tpm2/tpm2.c                  |  711 +++++++++++++++++
>  include/grub/cryptodisk.h              |   14 +
>  include/grub/protector.h               |   48 ++
>  include/grub/tpm2/buffer.h             |   65 ++
>  include/grub/tpm2/internal/args.h      |   39 +
>  include/grub/tpm2/internal/functions.h |  117 +++
>  include/grub/tpm2/internal/structs.h   |  675 ++++++++++++++++
>  include/grub/tpm2/internal/types.h     |  372 +++++++++
>  include/grub/tpm2/mu.h                 |  292 +++++++
>  include/grub/tpm2/tcg2.h               |   34 +
>  include/grub/tpm2/tpm2.h               |   38 +
>  util/grub-protect.c                    | 1314 ++++++++++++++++++++++++++++++++
>  24 files changed, 5897 insertions(+), 30 deletions(-)
>  create mode 100644 grub-core/kern/protectors.c
>  create mode 100644 grub-core/tpm2/args.c
>  create mode 100644 grub-core/tpm2/buffer.c
>  create mode 100644 grub-core/tpm2/module.c
>  create mode 100644 grub-core/tpm2/mu.c
>  create mode 100644 grub-core/tpm2/tcg2.c
>  create mode 100644 grub-core/tpm2/tpm2.c
>  create mode 100644 include/grub/protector.h
>  create mode 100644 include/grub/tpm2/buffer.h
>  create mode 100644 include/grub/tpm2/internal/args.h
>  create mode 100644 include/grub/tpm2/internal/functions.h
>  create mode 100644 include/grub/tpm2/internal/structs.h
>  create mode 100644 include/grub/tpm2/internal/types.h
>  create mode 100644 include/grub/tpm2/mu.h
>  create mode 100644 include/grub/tpm2/tcg2.h
>  create mode 100644 include/grub/tpm2/tpm2.h
>  create mode 100644 util/grub-protect.c
> 



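One way to wire the v2 commands quoted above into a grub.cfg, as an added example that is not part of the patch series or of Hernan's cover letter: the TPM2 key protector is parameterised once with tpm2_key_protector_init and then tried on all encrypted devices with cryptomount -k tpm2 -a. Because, per item 2 of the cover letter, cryptomount no longer falls back to a passphrase prompt when a requested protector fails, the interactive path has to be scripted explicitly as a second, plain cryptomount. The module names in the insmod lines, the sealed keyfile location, and the PCR selection (7,11 copied from the cover letter's example) are assumptions and placeholders, not values from the series.

```grub
# Added example (not from the patch series): TPM2-first unlock with an
# explicit passphrase fallback, using the v2 command syntax quoted above.

# Assumed module names for the TPM2 key protector and LUKS support.
insmod tpm2
insmod cryptodisk
insmod luks2

# Parameterise the protector once: SRK mode, a keyfile sealed to the TPM,
# bound to PCRs 7 and 11 (placeholder path; PCR list as in the cover letter).
tpm2_key_protector_init --mode=srk --keyfile=(hd0,gpt1)/sealed.key --pcrs=7,11

# Try the protector on every crypto device. With -k given, a failed unseal
# returns an error instead of prompting, so the fallback must be explicit.
if ! cryptomount -k tpm2 -a; then
    # Classic interactive path: GRUB asks for the LUKS passphrase.
    cryptomount -a
fi
```

The practical consequence for the question raised in this thread is set by the sealing policy, not by the fallback: while the measured boot state matches the PCRs the keyfile was sealed against, the TPM releases the key and the unmodified machine reaches the GRUB menu without anyone typing a passphrase; the passphrase prompt is only reached when the TPM refuses to unseal (for example after the measured boot chain changes). Whether that is acceptable for a stolen, powered-off laptop is therefore a decision about which PCRs to bind to and whether automatic unlock is wanted at all, and the fragment above can be reduced to the single plain cryptomount -a line to keep the current Slint behaviour.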