
On Tue, Dec 21, Martin Wilck wrote:
> On Thu, 2021-11-25 at 17:33 +0100, Benjamin Brunner wrote:
> > For all interested and curious who would like to have a look or want to directly test it, Antonio Feijoo <antonio.feijoo@suse.com> prepared some step by step guides at https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2.
> > The documentation should work on Tumbleweed and later on openSUSE Leap 15.4.
> > We would really appreciate any feedback, thoughts, or reports in case you encounter any issues.
>
> I'm missing something essential in the TPM2 scenario. It offers (some) protection against tampering. But how does it protect the contents of the storage from being read by 3rd parties? What if someone simply steals the computer and boots it from a USB stick or a DVD?

The USB stick or DVD will create other boot measurements and thus the TPM will not give out the hash to decrypt the hard disk.

> As long as the PCR values are unchanged and she has root rights on the booted devices, the person should be able to read the entire disk. What am I overlooking here?

If the hard disk is encrypted, you cannot read the disk.

> I guess it would work if the kernel, initrd, and kernel command line were also used for PCR-based protection, but that's not the setup described in the Wiki, which uses only PCR 7.

They are used, even the firmware is normally used.

> I believe the problem could be handled by locking the TPM2 with a password. AFAIK that's possible. But then this password would need to be entered during boot, and I'm unsure whether this is currently supported by the dracut / cryptsetup boot procedure.
>
> Another remark: the wiki page calls the encrypted boot partition setup the "most secure", but it doesn't mention that GRUB2's cryptomount is painfully slow even on the fastest modern CPUs. I recently tried this (with LUKS1, no TPM), and soon reverted to unencrypted boot because I just couldn't stand having to wait ~30s just for decryption of one LUKS key slot.

The problem is the initrd: if your boot partition is not encrypted, the initrd is not protected and is the weak spot. There is somewhere a blog by Lennart about this; maybe it explains the problems better.

Thorsten

-- 
Thorsten Kukuk, Distinguished Engineer, Senior Architect
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Ivo Totev (HRB 36809, AG Nürnberg)
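To make the disagreement in the thread concrete, here is a small Python model of PCR extension and PCR-bound sealing. It is an added example, not code from the thread, from the openSUSE wiki or from any SUSE project; `Pcrs`, `ModelTpm`, `boot` and `compare_policies` are names chosen for this example. The PCR-to-component mapping in `boot` (0 firmware, 7 Secure Boot certificate used for verification, 4 bootloader, 8 bootloader command line, 9 kernel and initrd) and the assumption that the alternate boot medium was verified with the same Secure Boot certificate are modelling assumptions, not statements about any particular firmware or distribution. The model shows three things: a key sealed to PCR 7 alone is released for any boot that leaves PCR 7 unchanged; a key sealed to the PCRs holding the bootloader, command line, kernel and initrd measurements is refused for the alternate chain; and a PIN stops release even on the correct chain until it is supplied.

```python
"""Software model of TPM2 PCR-bound sealing (added example, not from the thread).
A real TPM enforces the policy inside the chip; ModelTpm plays that role with
an in-memory seed that callers never read. PCR numbering below is an assumption."""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class Pcrs:
    """A SHA-256 PCR bank: 24 registers, all zero at power-on, extend-only."""

    def __init__(self) -> None:
        self.regs = {i: bytes(32) for i in range(24)}

    def extend(self, index: int, measurement: bytes) -> None:
        # TPM2_PCR_Extend semantics: PCR[i] = H(PCR[i] || H(measurement))
        self.regs[index] = sha256(self.regs[index], sha256(measurement))

    def digest(self, selection: frozenset) -> bytes:
        # pcrDigest as used by TPM2_PolicyPCR: hash of the selected PCRs in order
        return sha256(*(self.regs[i] for i in sorted(selection)))


def policy_pcr(pcrs: Pcrs, selection: frozenset) -> bytes:
    # The policy digest binds both which PCRs were selected and their contents
    sel = ",".join(str(i) for i in sorted(selection)).encode()
    return sha256(b"PolicyPCR", sel, pcrs.digest(selection))


@dataclass(frozen=True)
class SealedKey:
    ciphertext: bytes
    selection: frozenset
    policy_digest: bytes
    auth_tag: bytes  # binds the optional PIN; derived with the TPM-internal seed


class ModelTpm:
    """Stands in for the chip: the seed never leaves this object."""

    def __init__(self) -> None:
        self._seed = os.urandom(32)

    def seal(self, key: bytes, pcrs: Pcrs, selection, pin: bytes = b"") -> SealedKey:
        sel = frozenset(selection)
        policy = policy_pcr(pcrs, sel)
        kek = sha256(self._seed, policy, pin)  # 32-byte key-encryption key
        ct = bytes(a ^ b for a, b in zip(key, kek))
        return SealedKey(ct, sel, policy, sha256(self._seed, b"auth", pin))

    def unseal(self, blob: SealedKey, pcrs: Pcrs, pin: bytes = b"") -> Optional[bytes]:
        if policy_pcr(pcrs, blob.selection) != blob.policy_digest:
            return None  # PCR policy not satisfied: a different boot chain
        if sha256(self._seed, b"auth", pin) != blob.auth_tag:
            return None  # PIN missing or wrong
        kek = sha256(self._seed, blob.policy_digest, pin)
        return bytes(a ^ b for a, b in zip(blob.ciphertext, kek))


def boot(firmware, sb_cert, bootloader, cmdline, kernel, initrd) -> Pcrs:
    """Modelled boot chain. Assumed PCR usage: 0 firmware, 7 Secure Boot
    certificate used for verification, 4 bootloader, 8 command line, 9 kernel/initrd."""
    p = Pcrs()
    p.extend(0, firmware)
    p.extend(7, sb_cert)
    p.extend(4, bootloader)
    p.extend(8, cmdline)
    p.extend(9, kernel)
    p.extend(9, initrd)
    return p


def compare_policies() -> dict:
    """Seal one constructed volume key three ways and try two boot chains."""
    tpm = ModelTpm()
    volume_key = sha256(b"constructed sample LUKS volume key")  # constructed, 32 bytes
    installed = dict(firmware=b"fw-1.0", sb_cert=b"vendor-CA", bootloader=b"grub-2.06",
                     cmdline=b"root=/dev/mapper/cr_root", kernel=b"vmlinuz-5.15",
                     initrd=b"initrd-5.15")
    pcrs = boot(**installed)
    only7 = tpm.seal(volume_key, pcrs, {7})
    chain = tpm.seal(volume_key, pcrs, {0, 4, 7, 8, 9})
    chain_pin = tpm.seal(volume_key, pcrs, {0, 4, 7, 8, 9}, pin=b"1234")
    # Alternate medium: same firmware and Secure Boot certificate (assumption),
    # but a different bootloader, command line, kernel and initrd.
    other = dict(installed, bootloader=b"other-loader", cmdline=b"root=/dev/sdb1",
                 kernel=b"other-kernel", initrd=b"other-initrd")
    pcrs_other = boot(**other)
    return {
        "same_boot_pcr7": tpm.unseal(only7, pcrs) == volume_key,
        "other_media_pcr7": tpm.unseal(only7, pcrs_other) == volume_key,
        "other_media_chain": tpm.unseal(chain, pcrs_other) is None,
        "chain_without_pin": tpm.unseal(chain_pin, pcrs) is None,
        "chain_with_pin": tpm.unseal(chain_pin, pcrs, pin=b"1234") == volume_key,
    }


if __name__ == "__main__":
    for name, ok in compare_policies().items():
        print(f"{name}: {ok}")
```

Every entry of `compare_policies()` comes out `True`. The `other_media_pcr7` entry is the situation the thread argues about: whether a second medium really leaves PCR 7 untouched depends on how the firmware and shim measure the certificates they verify against, which this model does not decide; what it does show is that a PCR 7-only policy checks nothing but that state, whereas binding the bootloader, command line, kernel and initrd PCRs makes the key unavailable to any other chain, and a PIN adds a factor the chain cannot supply on its own. On a real system that choice is the PCR selection given to the enrollment tool (for `systemd-cryptenroll`, `--tpm2-pcrs=...`; newer releases also accept `--tpm2-with-pin=yes`), with the volume key protected by the TPM's own storage hierarchy rather than the XOR stand-in used here.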