On 2024-03-27 17:26, aplanas wrote:
On 2024-03-27 17:19, Andrei Borzenkov wrote:
On 27.03.2024 18:41, aplanas wrote:
Hi,
after the announcement of sdbootutil[1] and the support of full disk encryption (FDE)[2] using systemd-cryptenroll via pcr-oracle, we are releasing images for MicroOS and Tumbleweed that support the new systemd-pcrlock mechanism!
Can existing images be updated?
I can prepare an update to sdbootutil that will do the migration from pcr-oracle to pcrlock, or at least I will document how it can be done manually (it is as simple as removing the tpm2-* files from the ESP and /var and calling `sdbootutil update-predictions`)
Ok. This is how the transition from pcr-oracle to systemd-pcrlock can be done:

== From pcr-oracle to systemd-pcrlock

# Install systemd-experimental (reboot, as sdbootutil should find
# systemd-pcrlock)
transactional-update pkg in systemd-experimental

# Remove public and private keys from /etc and public from ESP
rm /etc/systemd/tpm2-pcr-private-key.pem
rm /etc/systemd/tpm2-pcr-public-key.pem
rm /boot/efi/EFI/systemd/tpm2-pcr-public-key.pem

# Remove signed policy from /etc and ESP
rm /etc/systemd/tpm2-pcr-signature.json
rm /boot/efi/EFI/systemd/tpm2-pcr-signature.json

# Drop the "tpm2" keyslot from the LUKS2 device
systemd-cryptenroll --wipe-slot=tpm2 $DEV

# Generate predictions and policy, and register it in the TPM2's NVRAM
sdbootutil update-predictions

# Enroll the keyslot in the LUKS2 device. Will ask for the recovery
# password
systemd-cryptenroll \
    --tpm2-device=auto \
    --tpm2-pcrlock=/var/lib/systemd/pcrlock.json \
    /dev/vda3

For completion, this is how we can go back to pcr-oracle:

== From systemd-pcrlock to pcr-oracle

# Remove systemd-experimental package (reboot, as sdbootutil should
# not find systemd-pcrlock)
transactional-update pkg rm systemd-experimental

# Remove .pcrlock files with components and variants
rm -fr /var/lib/pcrlock.d

# Remove pcrlock.json in /var and ESP
rm /var/lib/systemd/pcrlock.json
rm /boot/efi/EFI/systemd/pcrlock.json

# Clean the TPM2, to remove the NVIndex policy
tpm2_clear

# Generate an RSA key pair
pcr-oracle \
    --rsa-generate-key \
    --private-key /etc/systemd/tpm2-pcr-private-key.pem \
    --public-key /etc/systemd/tpm2-pcr-public-key.pem \
    store-public-key

# Drop the "tpm2" keyslot from the LUKS2 device
systemd-cryptenroll --wipe-slot=tpm2 $DEV

# Enroll the private key
systemd-cryptenroll \
    --tpm2-device=auto \
    --tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
    --tpm2-public-key-pcrs=0,2,4,9 \
    $DEV

# Generate new predictions with pcr-oracle
sdbootutil update-predictions
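A pre-flight check for the two procedures above, added here as an example and not part of aplanas's message or of sdbootutil: it inspects only the filesystem (no TPM or LUKS access) and reports whether the pcr-oracle artifacts, the systemd-pcrlock artifacts, or both are still present, using the paths from the message. The function names and the ETC/VAR/ESP directory arguments are assumptions of this example, chosen so it can be run against a constructed test tree as well as the real /etc, /var and /boot/efi.

```shell
#!/bin/sh
# Pre-flight check for switching between pcr-oracle and systemd-pcrlock.
# Only inspects the filesystem; it never touches the TPM or the LUKS device.

# Artifacts of the pcr-oracle mechanism (key pair + signed PCR policy).
oracle_files() {
    printf '%s\n' \
        "$1/systemd/tpm2-pcr-private-key.pem" \
        "$1/systemd/tpm2-pcr-public-key.pem" \
        "$1/systemd/tpm2-pcr-signature.json" \
        "$2/EFI/systemd/tpm2-pcr-public-key.pem" \
        "$2/EFI/systemd/tpm2-pcr-signature.json"
}

# Artifacts of the systemd-pcrlock mechanism (policy + component dir).
pcrlock_files() {
    printf '%s\n' \
        "$1/lib/systemd/pcrlock.json" \
        "$1/lib/pcrlock.d" \
        "$2/EFI/systemd/pcrlock.json"
}

# existing LIST: print the paths in LIST (one per line) that exist.
existing() {
    for p in $1; do [ -e "$p" ] && echo "$p"; done
    return 0
}

# detect_fde_mode ETC VAR ESP: prints none, pcr-oracle, pcrlock or mixed.
# "mixed" means stale files of the other mechanism are still around, i.e.
# the rm steps of the migration are not complete yet.
detect_fde_mode() {
    o=$(existing "$(oracle_files "$1" "$3")")
    l=$(existing "$(pcrlock_files "$2" "$3")")
    if [ -n "$o" ] && [ -n "$l" ]; then echo mixed
    elif [ -n "$o" ]; then echo pcr-oracle
    elif [ -n "$l" ]; then echo pcrlock
    else echo none
    fi
}

# leftovers ETC VAR ESP TARGET: paths of the mechanism being left behind
# that still exist when migrating TO TARGET (pcrlock or pcr-oracle).
leftovers() {
    case "$4" in
        pcrlock)    existing "$(oracle_files "$1" "$3")" ;;
        pcr-oracle) existing "$(pcrlock_files "$2" "$3")" ;;
        *)          echo "unknown target: $4" >&2; return 2 ;;
    esac
}
```

Run `detect_fde_mode /etc /var /boot/efi` before enrolling, and `leftovers /etc /var /boot/efi pcrlock` (or `pcr-oracle`) to list exactly which files the rm steps have not removed yet; an empty result means it is safe to proceed with systemd-cryptenroll.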