
Better explained guide #9

Open
rLoka opened this issue Feb 25, 2020 · 4 comments

Comments

@rLoka

rLoka commented Feb 25, 2020

Hey there! First of all, thanks for all the work you have put into this!

So, this is not really an issue, but could you explain (maybe in the form of a wiki or an additional MD) how I would use this in a typical case where an automated FDE unlock setup is required?

The thing is, I am searching for a method to auto-unlock FDE using TPM2 on Ubuntu 16.04/18.04. I have already tried Clevis, but it did not work properly for me, and I am sort of a novice in this area.

Thanks for understanding and any help is much appreciated!

@electrickite
Owner

@rLoka I think a better guide would be great - the issue is that the process of full disk encryption and unlock involves many components, and there is no one-size-fits-all solution. It will vary considerably based on your hardware, distribution, and threat model. The full process is outside the scope of this tool.

However, I think it would be a good idea to collect examples in wiki pages here, to give users an idea of where to start. For instance, I do not have experience setting up FDE in Ubuntu, but I could post a write up of the process I use in Arch.

@openmindead

openmindead commented Feb 29, 2020

Some areas that need an improvement I can think of are:

Before storing sealed key files on disk, you must create a parent encryption key on the TPM. In this example, we create a primary RSA key in the owner hierarchy and make it persistent at handle 0x81000001:

$ tpm2_createprimary -c primary.ctx
$ tpm2_evictcontrol -c primary.ctx 0x81000001

We see 0x81000001 rise out of nowhere; the first question would be: why 0x81000001? Maybe there should be some way to list those persistent handles before we proceed? Earlier there was a command tpm2_listpersistent; now it's non-existent.

Moving on to the next point, which can be an obstacle: sha256 is used by default now, but what if tpm2_pcrread lists only sha1 entries, and the sha256 ones are just empty? How to switch over to sha256 then? It's not like this project's README should explain these matters, but I just mean that such questions are likely to appear when setting this tool up for the first time.

Oh, and BTW: please adopt Arch's changes of Type = File to Type = Path in luks-tpm2.hook along with changing boot/vmlinuz-* to usr/lib/modules/*/vmlinuz.

Cheers!
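The two pre-flight checks raised above (which persistent handles are already taken before picking 0x81000001, and whether the sha256 PCR bank actually has PCRs allocated) can be scripted against tpm2-tools 4.x output. The following is an added example, not part of the luks-tpm2 project or its README: it parses constructed sample output of `tpm2_getcap handles-persistent` (the replacement for the removed `tpm2_listpersistent`) and `tpm2_getcap pcrs`, picks the first free persistent handle, and reports which banks are usable. The output formats and the `tpm2_pcrallocate` hint in the final message are from my recollection of tpm2-tools 4.x and should be checked against the installed version.

```shell
#!/bin/sh
# Added example (not from the luks-tpm2 project): pre-flight checks for the
# README's "create a persistent parent key" step, using tpm2-tools 4.x output.
# On a real system replace the constructed samples with:
#   SAMPLE_HANDLES=$(tpm2_getcap handles-persistent)
#   SAMPLE_PCRS=$(tpm2_getcap pcrs)

# Constructed sample: three handles already in use (format of `tpm2_getcap handles-persistent`)
SAMPLE_HANDLES='- 0x81000001
- 0x81000002
- 0x81010001'

# Constructed sample: sha1 bank fully allocated, sha256 bank present but empty
# (format of `tpm2_getcap pcrs`), which is the situation described in the comment above
SAMPLE_PCRS='selected-pcrs:
  - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
  - sha256: [ ]'

# first_free_handle LISTING [START]: print the first persistent handle not present in
# LISTING, scanning upward from START (default 0x81000001, the README's example) through
# the end of the persistent handle range 0x81FFFFFF. Returns 1 if the range is exhausted.
first_free_handle() {
    listing=$1
    start=${2:-0x81000001}
    n=$((start + 0))
    while [ "$n" -le $((0x81FFFFFF)) ]; do
        cand=$(printf '0x%08x' "$n")
        # match the handle at end of a listing line so 0x81000001 never matches 0x810000010
        if ! printf '%s\n' "$listing" | grep -qi -- "$cand"'$'; then
            printf '%s\n' "$cand"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# pcr_bank_active LISTING ALG: succeed only if bank ALG appears in LISTING with at
# least one PCR allocated; "[ ]" means the bank exists but is empty (unusable for sealing).
pcr_bank_active() {
    listing=$1
    alg=$2
    line=$(printf '%s\n' "$listing" | grep -- "- $alg:")
    [ -n "$line" ] || return 1
    case "$line" in
        *'[ ]'*|*'[]'*) return 1 ;;
        *) return 0 ;;
    esac
}

# active_banks LISTING: print the space-separated names of all banks with PCRs allocated.
active_banks() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *- \([a-z0-9_]*\): *\[ *[0-9].*\].*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Demonstration on the constructed samples
echo "next free persistent handle: $(first_free_handle "$SAMPLE_HANDLES")"
echo "PCR banks with allocated PCRs: $(active_banks "$SAMPLE_PCRS")"
if pcr_bank_active "$SAMPLE_PCRS" sha256; then
    echo "sha256 bank is usable; seal against sha256 PCR values"
else
    echo "sha256 bank is empty: allocate it (tpm2_pcrallocate sha256:all, then reboot) or seal against an active bank"
fi
```

Run it as-is to see the checks on the sample data; on a real machine, swapping in the two `tpm2_getcap` calls named in the header comment makes the handle choice explicit instead of hard-coding 0x81000001, and the bank check explains up front why a sha256 PCR policy would fail to seal.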

@k6Q28k5w5eWuRuuzTg9j7GrKCbjt7

k6Q28k5w5eWuRuuzTg9j7GrKCbjt7 commented Jun 6, 2020

I would argue that such basic info should not be in the guide, but rather in the TPM 2.0 library specification or somewhere else. Maybe a link to the specification is sufficient, or a soon-to-be Arch wiki page? :)

There is always Clevis, which does it all for you. Just remember dracut instead of mkinitcpio (or create a hook that does it with mkinitcpio).

@v3rm0n

v3rm0n commented Jan 4, 2021

I didn't have any issues following the guide, but I was struggling to understand what to do next. Luckily a bit of googling got me to the mkinitcpio-tpm2-encrypt repo and everything clicked (some issues there as well, but not related to this project).
So maybe a section in the README with links to next steps would help?
