
Cryptenroll

systemd-cryptenroll

https://gist.github.com/chrisx8/cda23e2d1fa3dcda0d739bc74f600175
https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

Bypassing disk encryption on systems with automatic TPM2 unlock

Todo

Verify

On my system, I used `tpm2-measure-pcr=yes` in `/etc/crypttab.initramfs`, then used `--tpm2-pcrs=0+2+7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000` with `systemd-cryptenroll`.

As soon as a volume is decrypted, initrd measures the `volume-key` into PCR 15, so PCR 15 no longer holds the all-zero value the policy was enrolled against and any executable that runs afterwards can no longer have the TPM release the sealed data.

PCR Information

Common PCR Checks:

PCR  Name                Explanation
0    platform-code       Core system firmware executable code; changes on firmware updates.
2    external-code       Extended or pluggable executable code; includes option ROMs on pluggable hardware.
7    secure-boot-policy  Secure Boot state; changes when UEFI SecureBoot mode is enabled/disabled, or when firmware certificates (PK, KEK, db, dbx, …) change.
15   system-identity     systemd-cryptsetup(8) optionally measures the volume key of activated LUKS volumes into this PCR. systemd-pcrmachine.service(8) measures the machine-id(5) into this PCR. systemd-pcrfs@.service(8) measures mount points, file system UUIDs, labels, and partition UUIDs of the root and /var/ file systems into this PCR.

Show the PCR Variables:

>>> systemd-analyze pcrs
NR NAME                SHA256
 0 platform-code       c0ef6c8f0175954040fd5186cfe98ab0b4494941743b49a402854de07e5e80bd
 1 platform-config     03b942bf6bd5c5867dfd11220a26f5492f05e8aaf92b11c316194db24e87455a
 2 external-code       6a16cd67d88e7f56f19a277cc7dd9cb0a69f39c9d57d7a98cedeb3cd6caab182
 3 external-config     3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
 4 boot-loader-code    ffc003405b4d31ed9c6959570c795c34afbd3d83b502bd4bfcb77fd8e06ada93
 5 boot-loader-config  4cf5c48258a3895018ebc850f72cf534a0b49b144c60213b5cd6c5da2d078005
 6 host-platform       3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
 7 secure-boot-policy  b6ec31ebf594910708a525249ccdace6aba255143bae8a3a543388dfb9dd9c9c
 8 -                   0000000000000000000000000000000000000000000000000000000000000000
 9 kernel-initrd       6bc39477243d76af7e935f82f7d1302979ef1858dcee29852512f15ad1faa97f
10 ima                 0000000000000000000000000000000000000000000000000000000000000000
11 kernel-boot         0000000000000000000000000000000000000000000000000000000000000000
12 kernel-config       5d6452209a594eed3fa5def6c8a5b86bf9fe88883d28fd46767f61a69c6748f2
13 sysexts             0000000000000000000000000000000000000000000000000000000000000000
14 shim-policy         0000000000000000000000000000000000000000000000000000000000000000
15 system-identity     0000000000000000000000000000000000000000000000000000000000000000
16 debug               0000000000000000000000000000000000000000000000000000000000000000
17 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
18 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
19 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
20 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
21 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
22 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
23 application-support 0000000000000000000000000000000000000000000000000000000000000000

Setting up with TPM2

This binds the unlock key to this specific TPM and to the PCR values selected with --tpm2-pcrs, so the TPM only releases the key while those measurements match.

Adding the Info to LUKS2 Header:

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+15 /dev/sda5

Modifying the crypttab:

>>> cat /etc/crypttab
myvolume /dev/sda5 - tpm2-device=auto
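An added check, not part of these notes: systemd-cryptenroll binds the policy to the PCR values it reads at enrollment time unless a value is given explicitly, so on a system where the volume key has already been measured into PCR 15 (the tpm2-measure-pcr=yes case from the Verify section) a plain 7+15 enrollment would be bound to the post-unlock value and could not be unsealed by the next initrd. The script below parses a constructed copy of the systemd-analyze pcrs table shown above, plus a second constructed table where PCR 15 has been extended, and builds the --tpm2-pcrs argument that pins PCR 15 to zero. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): check the PCR 15 state before
# binding a TPM2 enrollment to it, and build a --tpm2-pcrs argument that pins
# PCR 15 to the all-zero value it holds at unlock time. The PCR tables below are
# constructed copies of `systemd-analyze pcrs` output so this runs without a TPM.

ZERO_SHA256=0000000000000000000000000000000000000000000000000000000000000000

# Constructed: rows from the table in the notes above, PCR 15 still zero.
PCRS_BEFORE_UNLOCK='NR NAME                SHA256
 0 platform-code       c0ef6c8f0175954040fd5186cfe98ab0b4494941743b49a402854de07e5e80bd
 7 secure-boot-policy  b6ec31ebf594910708a525249ccdace6aba255143bae8a3a543388dfb9dd9c9c
15 system-identity     0000000000000000000000000000000000000000000000000000000000000000'

# Constructed: the same machine after systemd-cryptsetup measured the volume
# key into PCR 15 (the value is made up, not a real measurement).
PCRS_AFTER_UNLOCK='NR NAME                SHA256
 0 platform-code       c0ef6c8f0175954040fd5186cfe98ab0b4494941743b49a402854de07e5e80bd
 7 secure-boot-policy  b6ec31ebf594910708a525249ccdace6aba255143bae8a3a543388dfb9dd9c9c
15 system-identity     1111111111111111111111111111111111111111111111111111111111111111'

# pcr_value TABLE NR: print the SHA256 bank value of PCR NR from TABLE text.
pcr_value() {
    printf '%s\n' "$1" | awk -v want="$2" 'NR > 1 && $1 == want { print $3 }'
}

# pcr15_is_zero TABLE: succeed only if PCR 15 still holds the all-zero value.
pcr15_is_zero() {
    [ "$(pcr_value "$1" 15)" = "$ZERO_SHA256" ]
}

# tpm2_pcrs_arg: --tpm2-pcrs value binding PCR 7 to its current value and
# PCR 15 to zero explicitly, independent of what the running system shows.
tpm2_pcrs_arg() {
    printf '%s' "--tpm2-pcrs=7+15:sha256=$ZERO_SHA256"
}

# live_check TABLE: human-readable verdict. On a real machine call it as
#   live_check "$(systemd-analyze pcrs)"
live_check() {
    if pcr15_is_zero "$1"; then
        echo "PCR 15 is zero: enrolling with current values matches $(tpm2_pcrs_arg)"
    else
        echo "PCR 15 already extended: binding to its current value would fail at next boot; use $(tpm2_pcrs_arg)"
    fi
}

live_check "$PCRS_BEFORE_UNLOCK"
live_check "$PCRS_AFTER_UNLOCK"
```

The explicit `15:sha256=0…0` form is the safe default whenever PCR 15 is in use at all, because it makes the enrollment independent of the state the running system happens to be in.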

Setting Up a Recovery Key

systemd-cryptenroll --recovery-key /dev/sda5

Setting up with FIDO2

Install the libfido2 library:

yay -S libfido2

List FIDO2 devices:

[gen0@gen0 tmp]$ sudo systemd-cryptenroll --fido2-device=list
PATH         MANUFACTURER PRODUCT              
/dev/hidraw2 Yubico       YubiKey OTP+FIDO+CCID

Adding the Info to LUKS2 Header:

systemd-cryptenroll --fido2-device=auto /dev/sda5

Modifying the crypttab:

>>> cat /etc/crypttab
myvolume /dev/sda5 - fido2-device=auto

Setting up with YubiKey PKCS#11

Generate Key:

# Generate key
ykman piv reset   # resets the PIV applet: existing PIV keys and certificates are destroyed
ykman piv generate-key -a RSA2048 9d pubkey.pem   # 9d is the PIV Key Management slot
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
rm pubkey.pem   # the public key is now in the certificate on the token; the file is no longer needed

Adding the Info to LUKS2 Header:

systemd-cryptenroll --pkcs11-token-uri=auto /dev/sda5

Modifying the crypttab:

>>> cat /etc/crypttab
myvolume /dev/sda5 - pkcs11-uri=auto
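Each of the three crypttab variants above (tpm2-device=, fido2-device=, pkcs11-uri=) relies on a matching token in the LUKS2 header (systemd-tpm2, systemd-fido2, systemd-pkcs11; the recovery key adds systemd-recovery). An added consistency check, not part of these notes: it parses a crypttab and the Tokens section of `cryptsetup luksDump` output and reports which unlock options have no backing token. Both inputs are constructed inline (a trimmed luksDump with a placeholder UUID, and a crypttab that enables FIDO2 without it having been enrolled) so the script runs without a device; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): cross-check /etc/crypttab unlock
# options against the token types recorded in the LUKS2 header. Inputs are
# constructed here; on a real system feed it "$(cat /etc/crypttab)" and
# "$(cryptsetup luksDump /dev/sda5)".

# Constructed crypttab: FIDO2 is requested although only TPM2 was enrolled.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
myvolume /dev/sda5 - tpm2-device=auto,fido2-device=auto'

# Constructed crypttab that matches the header below.
SAMPLE_CRYPTTAB_OK='myvolume /dev/sda5 - tpm2-device=auto'

# Constructed, trimmed luksDump output (placeholder UUID, made-up keyslot numbers).
SAMPLE_LUKSDUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000
Tokens:
  0: systemd-tpm2
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2
Digests:
  0: pbkdf2'

# luks_token_types DUMP: print the token type of every token, one per line.
luks_token_types() {
    printf '%s\n' "$1" | awk '
        /^Tokens:/ { in_tokens = 1; next }
        /^[A-Z]/   { in_tokens = 0 }
        in_tokens && $1 ~ /^[0-9]+:$/ { print $2 }'
}

# crypttab_options CRYPTTAB NAME: print the comma-separated options of volume NAME.
crypttab_options() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $4 }'
}

# required_token OPTION: the LUKS2 token type the crypttab option depends on.
required_token() {
    case "$1" in
        tpm2-device=*)  echo systemd-tpm2 ;;
        fido2-device=*) echo systemd-fido2 ;;
        pkcs11-uri=*)   echo systemd-pkcs11 ;;
        *)              echo "" ;;
    esac
}

# missing_tokens CRYPTTAB DUMP NAME: print token types the crypttab options
# need but the header lacks; succeed only if nothing is missing.
missing_tokens() {
    opts=$(crypttab_options "$1" "$3")
    types=$(luks_token_types "$2")
    missing=""
    old_ifs=$IFS
    IFS=,
    for opt in $opts; do
        want=$(required_token "$opt")
        [ -n "$want" ] || continue
        printf '%s\n' "$types" | grep -qx "$want" || missing="$missing $want"
    done
    IFS=$old_ifs
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

if missing_tokens "$SAMPLE_CRYPTTAB" "$SAMPLE_LUKSDUMP" myvolume >/dev/null; then
    echo "crypttab and LUKS2 header agree"
else
    echo "crypttab requests unlock methods with no enrolled token: $(missing_tokens "$SAMPLE_CRYPTTAB" "$SAMPLE_LUKSDUMP" myvolume)"
fi
```

A missing token is not a silent failure at boot (systemd-cryptsetup falls back to the passphrase prompt), but running this after every enrollment or crypttab change catches the mismatch before the first reboot.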