Comments (7)
My concern with not tying the disk key to the TPM is the ease of surreptitiously cloning the disk on the x230 -- one phillips screw and the SSD slides out -- followed by an offline (or shoulder-surfing) attack on the passphrase. If the key is derived from both the user passphrase and the TPM, then the attacker would need possession of the machine and the TPM can enforce rate limiting, etc.
Once the kernel has been rebuilt, add the keys as before. Then check that it can be mounted with:
cryptsetup --keyfile /secret.key luksOpen /dev/dm-1 qubes-root
mount -o ro /dev/dm-3 /root
The key can be sealed and the stored in the NVRAM. The NVRAM space with the key should be password protected, which will require the user to input a password before the key can be unlocked. This will provide rate limiting.
On boot up the official initramfs can be copied to Heads' /tmp, the key can be retrieved from the NVRAM (with the password) and unsealed (based on the PCRs). This can be put into a cpio file and appended to the official initramfs -- http://unix.stackexchange.com/questions/243657/appending-files-to-initramfs-image-reliable
The kernel boot parameters need to be amended to specify the rd.luks.keyfile= for the partitions. This didn't work the first time; need to try again.
Not sure about this. The Luks container should be verified against tampering. The disk shouldn't be bound to a single computer.
Hackish way to test it out -- extract Qubes initrd into /tmp/, chroot into it and activate the disk:
chroot /tmp/initrd
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
lvm lvchange -a y qubes_dom0
lvm lvscan
cryptsetup luksDump /dev/dm-0
cryptsetup luksAddKey /dev/dm-0 /secret.key
The setup fails since the Heads kernel doesn't have aes-xts-plain64 cipher support. (Issue #44)
The secret key is not the right size since sealfile2 fails on files larger than 128 bytes. (Issue #45)
The initramfs file doesn't seem to be handled the way that I had hoped -- it doesn't decompress all of the pieces, so it is necessary to append to it. The wrap-cpio program will merge multiple cpio files to install the ones that we want, but the other parts still need to be written.
The keyfile parameter might be fixed in systemd: systemd/systemd@c802a73
The systemd fix doesn't actually work -- only the root partition is decrypted with that parameter. Instead I've modified /boot/boot.sh to generate /etc/crypttab on every boot with a reference to /secret.key. This is slow but effective.
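The appending step the thread relies on (the unsealed key file plus a generated /etc/crypttab packed as a newc cpio archive and concatenated onto the stock initramfs), written here as an added example rather than code from the thread or from Heads; the key bytes are a constructed placeholder and the qubes-root / /dev/dm-1 mapping follows the luksOpen command above. The kernel unpacks concatenated cpio archives in order, so the appended section overlays the original image and may stay uncompressed even when the original is compressed.

```python
import stat

NEWC_MAGIC = b"070701"  # SVR4 "newc" cpio, the format the kernel initramfs loader accepts


def _pad4(buf: bytes) -> bytes:
    return buf + b"\0" * (-len(buf) % 4)


def _newc_entry(name: str, data: bytes, mode: int, ino: int) -> bytes:
    # 13 8-digit hex fields: ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0)
    header = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    return _pad4(header + name.encode() + b"\0") + _pad4(data)


def newc_cpio(entries: dict) -> bytes:
    """Build an archive from {path: (data, mode)}; paths are relative to the initramfs root."""
    body = b"".join(_newc_entry(n, d, m, i) for i, (n, (d, m)) in enumerate(entries.items(), 1))
    return body + _newc_entry("TRAILER!!!", b"", 0, 0)


def append_to_initramfs(initrd: bytes, entries: dict) -> bytes:
    """Concatenate a new archive; the kernel unpacks it after the original, overlaying its files."""
    return initrd + newc_cpio(entries)


def read_newc(buf: bytes) -> dict:
    """Parse concatenated newc archives back into {path: (data, mode)} to check what was appended."""
    pos, found = 0, {}
    while pos + 110 <= len(buf):
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        f = [int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[pos + 110:pos + 110 + namesize - 1].decode()
        start = pos + 110 + namesize
        start += -start % 4  # file data is 4-byte aligned after the name
        pos = start + size
        pos += -pos % 4  # next header is 4-byte aligned after the data
        if name != "TRAILER!!!":
            found[name] = (buf[start:start + size], mode)
    return found


# Constructed sample: a placeholder key (a real build writes the TPM-unsealed key here) and a
# crypttab line matching the luksOpen command in the thread; 0600 keeps the key root-only.
SAMPLE_KEY = bytes(range(64))
SAMPLE_ENTRIES = {
    "secret.key": (SAMPLE_KEY, stat.S_IFREG | 0o600),
    "etc/crypttab": (b"qubes-root /dev/dm-1 /secret.key luks\n", stat.S_IFREG | 0o644),
}
```

To use it, read the stock initramfs bytes, call append_to_initramfs with the real key in place of SAMPLE_KEY, and write the result out for the boot script to load; read_newc on the appended tail confirms the paths and modes before rebooting.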