Skip to content

Instantly share code, notes, and snippets.

@stengoes

stengoes/tpm2.0-fulldisk-decryption-at-boot.md

Last active January 21, 2020 13:28
Show Gist options
  • Save stengoes/b1792513806c895d393ff1c390aedc5d to your computer and use it in GitHub Desktop.
Save stengoes/b1792513806c895d393ff1c390aedc5d to your computer and use it in GitHub Desktop.
Download ZIP
Setup TPM2.0 for full disk decryption at boot
Raw
tpm2.0-fulldisk-decryption-at-boot.md

First step: install tpm2-tss, tpm2-tools and all its depedencies.

# Install dependencies
sudo apt-get update && sudo apt-get -y install autoconf autoconf-archive automake libtool pkg-config gcc libssl-dev libcurl4-gnutls-dev doxygen

# Install tpm2-tss
git clone https://github.com/tpm2-software/tpm2-tss.git
cd tpm2-tss
git checkout e05d28ec  # I used this particular commit
./bootstrap
./configure --prefix=/usr
make -j5
sudo make install

# Install tpm2-tools
git clone https://github.com/tpm2-software/tpm2-tools.git
cd tpm2-tools
git checkout 446b4f37 # I used this particular commit
 ./bootstrap
 ./configure --prefix=/usr
 make -j5
 sudo make install

Second step: create a secret key and add it to the cryptsetup.

# Create secret and add to cryptsetup
sudo dd if=/dev/urandom of=/secret.bin bs=32 count=1
sudo chmod 700 /secret.bin
sudo cryptsetup luksAddKey /dev/sda<x> /secret.bin

*replace the <x> with your own value.

Third step: load the secret key into the TPM and make it persistent.

# Enable and clear your tpm in your BIOS first to start with a clean TPM

# Create primary TPM object
sudo tpm2_createprimary -c primary.ctx

# Create PCR Policy against PCR 0-7 
sudo tpm2_createpolicy --policy-pcr -l sha1:0,1,2,3,4,5,6,7 -L policy.digest 

# Create tpm object
sudo tpm2_create -C primary.ctx -u obj.pub -r obj.priv -L policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /secret.bin

# Flush transient handles (making some room in the memory for the TPM)
sudo tpm2_flushcontext -t

# Load object into the TPM
sudo tpm2_load -C primary.ctx -u obj.pub -r obj.priv -c load.ctx

# Make object persistent
sudo tpm2_evictcontrol -c load.ctx

# Flush transient handles
sudo tpm2_flushcontext -t

# List persistent handles
sudo tpm2_getcap handles-persistent

# Bonus commands:
# To unseal an object use:
sudo tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7
# To remove an object use:
sudo tpm2_evictcontrol -c 0x81000000
# The handle 0x81000000 was given by the `tpm2_getcap handles-persistent` command

Fourth step: add unseal script: /sbin/getsecret.sh

#!/bin/sh
echo "Unlocking via TPM" >&2
export TPM2TOOLS_TCTI="device:/dev/tpm0"
/sbin/tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7
if [ $? -eq 0 ]; then
	exit
fi
/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "

Fifth step: make a backup of the current boot

sudo cp /boot/initrd.img-$(uname -r) /boot/initrd.img-$(uname -r).orig

Sixth step: add tpm hook to initramfs-tools: /etc/initramfs-tools/hooks/tpm2

#!/bin/sh
PREREQ="lvm"
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Begin real processing below this line
 
#copy the files to read the NVRAM and to read the secret  
copy_exec /usr/bin/tpm2_unseal /sbin/
copy_exec /usr/lib/libtss2-tcti-device.so /sbin/
copy_exec /sbin/getsecret.sh /sbin

Seventh step: make script and hook executable.

sudo chmod +x /sbin/getsecret.sh
sudo chmod +x /etc/initramfs-tools/hooks/tpm2

Eighth step: modify the /etc/crypttab by adding keyscript.

sda<x>_crypt UUID=<UUID> none luks,keyscript=/sbin/getsecret.sh

*replace the <x> and <UUID> with your own values.

Nineth step: update initramfs:

sudo update-initramfs -u

Thats all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment