LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 05-04-2024, 09:45 PM   #1
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,699

Store LUKS key in the TPM for passwordless boot?


I know this is possible in a systemd distro, but I can't find any guides on how to do this in Slackware. Basically, right now on my laptop I have a Windows 10 SSD with BitLocker enabled, and the other SSD is running Slackware 15.0 with LUKS. Right now I have to enter the password to open GRUB, then enter the password to unencrypt the root partition. I am using a key to unencrypt the swap partition so I don't have to enter the password a third time. But I am wondering if anyone has a setup where the key is stored in the TPM for a passwordless boot?

Second, I know I am going to get some replies about the security implications of this or saying it's a bad idea. I am fully aware of all the risks; I just want to know if it is possible in Slackware with GRUB.

Thanks.

Last edited by Daedra; 05-04-2024 at 09:49 PM.
 
Old 05-05-2024, 02:48 PM   #2
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,699

Original Poster
I will just go ahead and bump this so it doesn't keep moving back to the top.
 
Old 05-05-2024, 03:25 PM   #3
Tonus
Senior Member
 
Registered: Jan 2007
Location: Paris, France
Distribution: Slackware-15.0
Posts: 1,407
Blog Entries: 3

Just fully possible from a USB disk or any other readable partition; Alien Bob has a blog post on this topic, IIRC.

For your TPM thing I don't know, since I do not own a capable device, but the first step would be to get the userspace tools to build and run on Slackware. What tool have you tried and what problem are you encountering?
 
Old 05-05-2024, 03:36 PM   #4
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,065

Quote:
Originally Posted by Daedra View Post
I know this is possible in a systemd distro, but I can't find any guides on how to do this in Slackware. Basically, right now on my laptop I have a Windows 10 SSD with BitLocker enabled, and the other SSD is running Slackware 15.0 with LUKS. Right now I have to enter the password to open GRUB, then enter the password to unencrypt the root partition. I am using a key to unencrypt the swap partition so I don't have to enter the password a third time. But I am wondering if anyone has a setup where the key is stored in the TPM for a passwordless boot?

Second, I know I am going to get some replies about the security implications of this or saying it's a bad idea. I am fully aware of all the risks; I just want to know if it is possible in Slackware with GRUB.

Thanks.
Not exactly an answer to your question, but I store a keyfile in /etc/keys and copy it into the initramfs with a command like:
Code:
dracut -q --no-early-microcode --zstd --install "/etc/keys/$KEYFILE" --kver <kernel version>
and use a separate partition, neither the swap one nor /boot, for that. Thus I type the passphrase only once, when requested by GRUB.

Last edited by Didier Spaier; 05-05-2024 at 03:38 PM.
 
Old 05-05-2024, 04:10 PM   #5
rizitis
Member
 
Registered: Mar 2009
Location: Greece,Crete
Distribution: Slackware64-current, Slint
Posts: 676
Blog Entries: 1

@Daedra, probably you can do it; I never did, but that means that every time you create an initrd you must do all the settings again... That's not very difficult if you write a script for that job. But why make your system vulnerable? I mean, if you need encryption and privacy, the BEST over all is what you are doing now... type passwords.

Scenario: An attacker uses a rootkit to compromise the operating system and access TPM-stored keys.
A modern rootkit is a type of malware designed to maintain persistent and undetected access to the system.
The rootkit gives the attacker near-total control over the system, including processes that interact with the TPM. This control allows them to manipulate or monitor TPM-related functions.
The rootkit might monitor the operating system's interaction with the TPM, intercepting data during retrieval of the LUKS key. Alternatively, the rootkit might modify scripts or processes that interact with the TPM to force it to reveal stored keys.
Once the rootkit has the key, the attacker can use it to unlock encrypted partitions without needing a password. This allows them to access sensitive data on the device, compromising the security of LUKS encryption.
SO TPM is -1 for LUKS usage...

Scenario2: A cracker had physical access to your laptop. There are out there hardware tools to create a clone of the TPM or directly manipulate the TPM's internals to override security checks. This allows them to retrieve sensitive data, such as encryption keys, without going through the normal authorization mechanisms.
Once the attacker has bypassed TPM security, they can extract the encryption key used for passwordless booting and subsequently use it to decrypt any LUKS-encrypted data. This exposes sensitive data and renders the initial encryption meaningless.

There are plenty of examples like these, but let's say you don't have TOP secrets on your laptop, and none of those super crackers will touch you.
In theory you can do it somehow like this:
Check which TPM version your system supports, 1.2 or 2; you will also see whether a block of system memory has been reserved for the TPM, showing that it is properly detected and initialized during boot, etc.
Code:
dmesg | grep -i tpm
Assuming you have version 2, you need these tools: https://tpm2-tools.readthedocs.io/en/latest/INSTALL/
Make your tests and see if you can interact properly, for example
Code:
tpm2_getrandom 8
Generate random data using the TPM to confirm it is functional.
and
Code:
tpm2_pcrread sha256:0
Read a Platform Configuration Register (PCR) to ensure the TPM can report values.

If everything goes right so far, then create a key file to use with LUKS instead of a password
Code:
# 32 random bytes as the key; keep the file readable by root only
dd if=/dev/urandom of=/root/luks-key bs=32 count=1
chmod 600 /root/luks-key
# enrol it in a free LUKS keyslot (asks for an existing passphrase)
cryptsetup luksAddKey /dev/sdXY /root/luks-key
Now store the key securely in the TPM
Code:
# tpm2-tools 3.x syntax: -x index, -a auth hierarchy, -s size, -t attributes.
# In tpm2-tools 4.x/5.x the index is a positional argument and the owner
# hierarchy is selected with -C o.
tpm2_nvdefine -x 0x1500016 -a "owner" -s 32 -t "ownerwrite|ownerread"
tpm2_nvwrite -x 0x1500016 -a "owner" -i /root/luks-key
Now hack your initrd.gz
Code:
# make a folder somewhere and cd to it, then unpack the current initrd
gunzip -c /boot/initrd.gz | cpio -i
Now you must install tpm2-tools into the initramfs so it can interact with the TPM at boot time.
Copy the TPM binary and any necessary dependencies to the initramfs. You might need to include libraries from your system that tpm2-tools relies on (idk?!)
Code:
cp /usr/bin/tpm2_nvread bin/   # copy the tpm2-tools binary you need at boot
cp /lib64/libtss2* lib64/      # copy the TSS libraries it links against
Paths may be different... idk

Also, in theory, you must modify and run this script too
Code:
#!/bin/sh
# Read the key from the TPM and feed it straight to cryptsetup on stdin
# ('--key-file -'), so the key is never written to a file, not even in /tmp,
# which may not exist inside the initramfs.
tpm2_nvread -x 0x1500016 -a "owner" | cryptsetup luksOpen /dev/sdXY luks-partition --key-file -
Maybe here you can find more info on how to hack the initrd

Anyway, if you have success so far
Code:
find . | cpio -o -H newc | gzip > /boot/initrd-new.gz
Now make GRUB use initrd-new.gz
Code:
EDIT /boot/grub/grub.cfg
Reboot your system and see if the boot process unlocks the LUKS partition without prompting for a password.
More or less, those are the steps. But I'm sure you understand the security implications... and the risks.

Last edited by rizitis; 05-05-2024 at 04:13 PM.
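The unlock script in the post above is the point where the whole scheme either works or leaves the machine unbootable, so here is an added example (my code, not rizitis's) of what that initrd-side helper looks like when it fails closed: it uses the tpm2-tools 4.x/5.x syntax (the post's -x/-a flags are the 3.x syntax), keeps the post's NV index 0x1500016 and 32-byte key, pipes the key straight from the TPM into cryptsetup instead of writing it to a file, and returns non-zero on every failure so the caller can fall back to the normal passphrase prompt. The device node, mapper name and the LUKSDEV/LUKSNAME variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rizitis's script: initrd-side unlock helper for the
# "LUKS key in a TPM NV index" approach, written for tpm2-tools 4.x/5.x.
# Assumed values: NV index 0x1500016 and a 32-byte key as in the post; the
# device node and mapper name come from the caller.  Every failure (no TPM,
# index undefined, short read, cryptsetup rejects the key) returns non-zero
# so the boot can fall back to a passphrase prompt.

NV_INDEX="${NV_INDEX:-0x1500016}"   # NV index from the post
KEY_LEN=32                           # bytes written by the post's dd command

# Read KEY_LEN bytes from NV index $1 under the owner hierarchy (-C o).
# Owner auth is empty on most machines, so anything running as root can do
# this too: that is the rootkit scenario from the post, and why a PCR-bound
# sealed object is the stronger design than a plain NV index.
read_nv_key() {
    tpm2_nvread -C o -s "$KEY_LEN" "$1"
}

# Unlock block device $1 as /dev/mapper/$2 with the TPM-held key.
# Returns 0 on success, 1 if the TPM did not yield exactly KEY_LEN bytes,
# 2 if cryptsetup rejected the key (index rewritten, wrong device, ...).
unlock_with_tpm() {
    dev="$1"; name="$2"
    # First pass only counts bytes, so a short read or an error message on
    # stdout can never be mistaken for a key.
    nbytes=$(read_nv_key "$NV_INDEX" 2>/dev/null | wc -c | tr -d ' ')
    if [ "$nbytes" -ne "$KEY_LEN" ]; then
        echo "tpm-unlock: NV index $NV_INDEX returned $nbytes bytes, expected $KEY_LEN" >&2
        return 1
    fi
    # Second pass streams the key into cryptsetup on stdin ('--key-file -').
    read_nv_key "$NV_INDEX" 2>/dev/null | cryptsetup open "$dev" "$name" --key-file - \
        || return 2
}

# Try the TPM first; on any failure fall back to the interactive passphrase.
unlock_root() {
    if unlock_with_tpm "$1" "$2"; then
        echo "tpm-unlock: root unlocked with TPM-held key" >&2
        return 0
    fi
    echo "tpm-unlock: falling back to passphrase prompt" >&2
    cryptsetup open "$1" "$2"
}

# Only act when the initrd's init hands us a device via LUKSDEV (assumed
# variable name); otherwise the file just defines the functions above.
if [ -n "${LUKSDEV:-}" ]; then
    unlock_root "$LUKSDEV" "${LUKSNAME:-luksroot}"
fi
```

The two-pass read is deliberate: counting bytes first means a TPM that is present but returns an error, or an index that was redefined with a different size, is detected before cryptsetup ever sees the data, and the prompt fallback keeps the machine bootable when the chip is cleared or replaced.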
 
Old 05-05-2024, 09:46 PM   #6
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,699

Original Poster
Thanks for the replies. I decided to scrap the TPM idea. I don't mind typing my password twice. I am just playing around with this now. I got a new VM setup with LUKS encrypted root partition and swap. Swap takes care of itself as per the README.crypt. Now I just enter my password at power on for Grub and then during boot to mount the root partition. Now I am looking into adding the key to the initrd and have LUKS look for the key there to unlock the root partition during boot, thereby only having to type my password once at power on. I did find this older post that is related. But again, I'm just playing at this point. Entering the password twice is not a heavy burden.

https://www.linuxquestions.org/quest...ns-4175725236/

Last edited by Daedra; 05-05-2024 at 10:32 PM.
 
Old 05-06-2024, 11:13 AM   #7
viel
Member
 
Registered: Jul 2021
Location: Arcadia
Distribution: Slackware
Posts: 50

1- Make a USB with your LABEL; in my case LABEL = USB_BAR.

Tip: Use a USB filesystem type that the kernel can read without modules. In my case ext4.

Code:
[root@arcadia v]# lsblk -o "NAME,LABEL,FSTYPE" /dev/sdd
NAME   LABEL   FSTYPE
sdd
├─sdd1
├─sdd2         vfat
└─sdd3 USB_BAR ext4
2- Make a new password-file and store it on the USB. In my case it is mounted on /mnt/3 and the password-file is named nix.key

Code:
dd if=/dev/random bs=256 count=1 of=/mnt/3/nix.key
3- Add the new file to your encrypted disk; in my case the encrypted home on sdb3
Code:
[root@arcadia v]# cryptsetup luksAddKey /dev/sdb3 /mnt/3/nix.key
Enter any existing passphrase:

To view the new keyslot:
[root@arcadia v]# cryptsetup luksDump /dev/sdb3

To verify:
[root@arcadia v]# cryptsetup open /dev/sdb3 newdata --key-file /mnt/3/nix.key
4- Now make the new initrd.gz with the new parameters.

EDITED: The important options are -K LABEL=USB_BAR:/nix.key -C /dev/sdb3 (mkinitrd --help)

This is the script I use to make it.

Code:
#!/bin/sh
#
#    Build initrd
#
# Kernel version
VERSION=${VERSION:-$(uname -r)}
INITRD_NAME="initrd-${VERSION}.gz"

echo "Make new initrd for kernel $VERSION with intel mitigations and LUKS usb key support."

# backup old initrd.gz
#[[ -e  /boot/initrd.gz.bkp ]] && mv /boot/initrd.gz.bkp /boot/initrd.gz.bkp1 || exit 1
#[[ ! -e  /boot/initrd.gz.bkp ]] && cp /boot/initrd.gz /boot/initrd.gz.bkp || exit 1

cd /boot

# Original options
#mkinitrd -c -k ${VERSION} \
#         -m xfs:ehci-hcd:uhci-hcd:usbhid \
#         -f xfs -r /dev/sdc2 \
#         -l es -L -C /dev/sda9

# Some tries
# remove the -c option to not clean the new source tree initrd-tree
#mkinitrd -c -k ${VERSION} \
         #-P /boot/intel-ucode.cpio \
         #-s /boot/initrd-tree/ \

# Working options
mkinitrd -k ${VERSION} \
         -o /boot/$INITRD_NAME \
         -P /boot/intel-ucode.cpio \
         -K LABEL=USB_BAR:/nix.key \
         -f xfs -r /dev/sdb2 \
         -m usb-storage:xhci-hcd:usbhid:xfs \
         -l es -C /dev/sdb3 \
         -w 3

# The following are needed if you use a keyfile on a vfat usbstick.
# Add them to the module list in the command above
#        -m sg:usb_storage:nls_cp437:nls_iso8859-1:fat:vfat

# Use -K option
#echo "LABEL=USB_BAR:/nix.key" > /boot/initrd-tree/lukskey

# Add pause to allow usb devices to activate.
#echo "2" > /boot/initrd-tree/wait-for-root

#cp /boot/initrd.gz /boot/$INITRD_NAME

echo "New initrd created: /boot/$INITRD_NAME"
echo "REMINDER: Don't forget to cp new /boot/$INITRD_NAME to /boot/initrd.gz"
EDITED: If you want to see the initrd.gz sources, comment out the mkinitrd -c option to expose the default /boot/initrd-tree SOURCE_TREE

5- Hope you don't have issues. If you do, follow the /boot/initrd-tree/init script.

Add:
Code:
set -x
echo "----> My luksdev: $LUKSDEV"
echo " ---> My lukskey device/file: $LUKSKEY"

Verify:
Code:
[root@arcadia v]# cat /boot/initrd-tree/luksdev
/dev/sdb3
[root@arcadia v]# cat /boot/initrd-tree/lukskey
LABEL=USB_BAR:/nix.key
etc.

You know.

Hope that helps.

Viel.

Last edited by viel; 05-06-2024 at 11:42 AM.
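Most failures with this setup only show up at the next boot, when the initrd cannot find the stick or the keyfile does not match a keyslot. As an added example (my script, not viel's), the check below reads the same two files that step 5 above prints (luksdev and lukskey in the initrd tree), confirms the labelled device and the keyfile exist, asks cryptsetup to test the key without activating anything, and checks the USB modules are in the module list. Paths default to the post's (/boot/initrd-tree, /dev/disk/by-label, the stick mounted on /mnt/3) and are overridable; the module-list file name load_kernel_modules is my assumption about what mkinitrd writes.

```shell
#!/bin/sh
# Added example, not viel's script: pre-reboot check for the "keyfile on a
# labelled USB stick" initrd setup.  TREE, BYLABEL and MNT default to the
# paths in the post; load_kernel_modules is an assumed file name.

TREE="${TREE:-/boot/initrd-tree}"
BYLABEL="${BYLABEL:-/dev/disk/by-label}"
MNT="${MNT:-/mnt/3}"          # where the stick is mounted right now

# Split "LABEL=USB_BAR:/nix.key" into "USB_BAR /nix.key"; returns 1 on bad format.
parse_lukskey() {
    case "$1" in
        LABEL=*:/*) ;;
        *) return 1 ;;
    esac
    label=${1#LABEL=}; label=${label%%:*}
    path=${1#*:}
    [ -n "$label" ] || return 1
    printf '%s %s\n' "$label" "$path"
}

# Ask cryptsetup to check keyfile $2 against LUKS device $1 without opening it.
key_opens_device() {
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# 0 if the initrd will find and accept its key at boot, 1 otherwise
# (the first failing check is printed on stdout).
preflight() {
    dev=$(cat "$TREE/luksdev" 2>/dev/null) || { echo "no luksdev in $TREE"; return 1; }
    spec=$(cat "$TREE/lukskey" 2>/dev/null) || { echo "no lukskey in $TREE"; return 1; }
    pair=$(parse_lukskey "$spec") || { echo "lukskey is not LABEL=x:/path: $spec"; return 1; }
    label=${pair% *}; keypath=${pair#* }
    [ -e "$BYLABEL/$label" ] || { echo "no block device labelled $label"; return 1; }
    keyfile="$MNT$keypath"
    [ -f "$keyfile" ] || { echo "keyfile $keyfile not found (stick mounted on $MNT?)"; return 1; }
    # A group- or world-readable keyfile still boots, but is worth flagging.
    if [ -n "$(find "$keyfile" -perm -004)" ] || [ -n "$(find "$keyfile" -perm -040)" ]; then
        echo "warning: $keyfile is readable by group or others"
    fi
    key_opens_device "$dev" "$keyfile" || { echo "keyfile does not unlock $dev"; return 1; }
    # Without these modules the initrd never sees the stick (the post's -m list).
    for pat in 'usb[-_]storage' usbhid; do
        grep -q "$pat" "$TREE/load_kernel_modules" 2>/dev/null \
            || { echo "module $pat missing from $TREE/load_kernel_modules"; return 1; }
    done
    echo "ok: $dev will be unlocked with $spec"
}

# Run as: sh preflight.sh run   (no argument just defines the functions)
case "${1:-}" in
    run) preflight ;;
esac
```

Run it after mkinitrd and before copying the new image over /boot/initrd.gz; the --test-passphrase call is the same check as the post's "To verify" step, without leaving a newdata mapping open.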
 
Old 05-07-2024, 12:23 AM   #8
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-15.0
Posts: 2,699

Original Poster
Thanks everyone for the replies. I finally got to work with the "embed the key in the initrd" method. Didier Spaier's response in a different post reminded me of a guide I stumbled upon last year and forgot about. I followed the guide and had it working. It is not difficult for the initiated. Now I only have to type my password at power on and the key in the initrd will unlock root.

https://yellowapple.us/2022/02/10/sl...-efi-only.html
 