diff options
| -rw-r--r-- | .SRCINFO | 25 | ||||
| -rw-r--r-- | PKGBUILD | 33 | ||||
| -rw-r--r-- | README | 66 | ||||
| -rw-r--r-- | hook_tpm | 180 | ||||
| -rw-r--r-- | hosts | 2 | ||||
| -rw-r--r-- | install_tpm | 57 | ||||
| -rw-r--r-- | passwd | 2 | ||||
| -rw-r--r-- | shadow | 2 |
8 files changed, 367 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 000000000000..4d28612670d9 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,25 @@ +pkgbase = mkinitcpio-tpm-encrypt + pkgdesc = mkinitcpio to decrypt LUKS passphrase with TPM + pkgver = 0.1 + pkgrel = 1 + url = https://aur.archlinux.org/packages/mkinitcpio-tpm-encrypt/ + arch = any + license = GPL + depends = mkinitcpio + depends = tpm-tools + depends = trousers + source = install_tpm + source = hook_tpm + source = hosts + source = passwd + source = shadow + source = README + sha256sums = da6ddaff8783a80568e8990016ee275a6e6ab64d57881a8438e5fadc0a5f07a1 + sha256sums = 5630d592ab3adc2d461fa90026f2bcc0a81cc4219f62f968992c1c2cc8d958e1 + sha256sums = 498f494232085ec83303a2bc6f04bea840c2b210fbbeda31a46a6e5674d4fc0e + sha256sums = 4b263523f4904bfe340a3208f327697ebd78f9f921e8be0dabdf33535c54a1b5 + sha256sums = 674c97df063879b4ba04f70312dc67762a36dc81b49a2b2131e7f71432efa1a3 + sha256sums = 70288bb0e9dc6bf4cd49079a503fb436c1b0b234f23201b24762e47db3cfd1ab + +pkgname = mkinitcpio-tpm-encrypt + diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 000000000000..1af525dc5168 --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,33 @@ +# Maintainer: Max Resch <resch.max@gmail.com> + +pkgname=mkinitcpio-tpm-encrypt +pkgver=0.1 +pkgrel=1 +pkgdesc="mkinitcpio to decrypt LUKS passphrase with TPM" +url="https://aur.archlinux.org/packages/mkinitcpio-tpm-encrypt/" +arch=(any) +license=('GPL') +depends=('mkinitcpio' 'tpm-tools' 'trousers') +source=('install_tpm' + 'hook_tpm' + 'hosts' + 'passwd' + 'shadow' + 'README') + +sha256sums=('da6ddaff8783a80568e8990016ee275a6e6ab64d57881a8438e5fadc0a5f07a1' + '5630d592ab3adc2d461fa90026f2bcc0a81cc4219f62f968992c1c2cc8d958e1' + '498f494232085ec83303a2bc6f04bea840c2b210fbbeda31a46a6e5674d4fc0e' + '4b263523f4904bfe340a3208f327697ebd78f9f921e8be0dabdf33535c54a1b5' + '674c97df063879b4ba04f70312dc67762a36dc81b49a2b2131e7f71432efa1a3' + '70288bb0e9dc6bf4cd49079a503fb436c1b0b234f23201b24762e47db3cfd1ab') + +package() { + install -Dm644 install_tpm "${pkgdir}/usr/lib/initcpio/install/tpm" + install -Dm644 hook_tpm "${pkgdir}/usr/lib/initcpio/hooks/tpm" + install -Dm644 hosts "${pkgdir}/usr/lib/initcpio/tpm/hosts" + install -Dm644 passwd "${pkgdir}/usr/lib/initcpio/tpm/passwd" + install -Dm644 shadow "${pkgdir}/usr/lib/initcpio/tpm/shadow" + install -Dm644 README "${pkgdir}/usr/share/doc/${pkgname}/README" +} + diff --git a/README b/README new file mode 100644 index 000000000000..c09e2818b047 --- /dev/null +++ b/README @@ -0,0 +1,66 @@ + +This is a modified version of the default Archlinux encrypt hook. +The only difference is that the cryptkey file from the commandline +is handled by tpm_unsealdata before it is passed to cryptosetup. + +Fist the TPM has to be configured and trousers and tpm_tools +have to be installed. + +To initialize the TPM run + +# tpm_takeownership + +Don't use either -y or -z these are the all-zero default +passwords. The Storage Root Key (SRK) password will be requestet on +every boot to open the encrypted LUKS key. + +The SRK password can be changed with + +# tpm_changeownerauth -s + +In order to create a valid key file run: + +# tpm_sealdata --pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 8 --pcr 9 --pcr 12 --pcr 14 -o root.enc + +where root.enc is the resulting encrypted file. Save it on your +EFI System Partition, and specifiy it in the kernel commandline: + +cryptkey=/dev/sda1:vfat:/root.enc + +where /dev/sda1 is your ESP, and /root.enc the path to the key. + +Modify /etc/mkinitcpio.conf and add the tpm hook +in the HOOKS array: + +HOOKS="base udev keymap autodetect keyboard block tpm filesystems fsck" + +(the same as with normal encrypt, you need to add keymap and keyboard +if you need support for either non US keyboards or keyboards that +require i.e. USB). Don't forget to add the filesystem dirver +from cryptkey= to the MODULES array + +MODULES="vfat" + +Now you can run mkinitcpio, to be save make a backup copy of your working +initram disk, so that you can use it if the new one is corrupt. + +# mkinitcpio -p linux + +If everything worked the scipt will ask for your SRK password. + +In case a kernel update was performed or if a Firmware configuration +setting was changed, unsealdata will not return the LUKS key, and a +warning is displayed. + +If you haven't changed something on your system, this warining could +indicate a possible evil maiden attack. + +In order to continue booting the LUKS key has to +be supplied manually. + +So it is IMHO best to have two LUKS keys configured, one that is typable +in case of an update, and one that is encrypted on the ESP. + +After the LUKS key was manually entered, the key has to be reencrypted +with tpm_seal data as described before with the new PCR data. + diff --git a/hook_tpm b/hook_tpm new file mode 100644 index 000000000000..64e85dec330b --- /dev/null +++ b/hook_tpm @@ -0,0 +1,180 @@ +#!/usr/bin/ash + +run_hook() { + msg ":: Initializing TPM..." + modprobe -q tpm_tis >/dev/null 2>&1 + iplink set lo up + tcsd + + modprobe -a -q dm-crypt >/dev/null 2>&1 + [ "${quiet}" = "y" ] && CSQUIET=">/dev/null" + + # Get keyfile if specified + ckeyfile="/crypto_keyfile.bin" + if [ -n "$cryptkey" ]; then + IFS=: read ckdev ckarg1 ckarg2 <<EOF +$cryptkey +EOF + + if [ "$ckdev" = "rootfs" ]; then + ckeyfile=$ckarg1 + elif resolved=$(resolve_device "${ckdev}" ${rootdelay}); then + case ${ckarg1} in + *[!0-9]*) + # Use a file on the device + # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path + mkdir /ckey + mount -r -t "$ckarg1" "$resolved" /ckey + dd if="/ckey/$ckarg2" of="$ckeyfile" >/dev/null 2>&1 + if [ -f /ckey/tpm/system.data ]; then + cp /ckey/tpm/system.data /var/lib/tpm/ + fi + umount /ckey + ;; + *) + # Read raw data from the block device + # ckarg1 is numeric: ckarg1=offset, ckarg2=length + dd if="$resolved" of="$ckeyfile" bs=1 skip="$ckarg1" count="$ckarg2" >/dev/null 2>&1 + ;; + esac + fi + [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase." + fi + + if [ -n "${cryptdevice}" ]; then + DEPRECATED_CRYPT=0 + IFS=: read cryptdev cryptname cryptoptions <<EOF +$cryptdevice +EOF + else + DEPRECATED_CRYPT=1 + cryptdev="${root}" + cryptname="root" + fi + + warn_deprecated() { + echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" + echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." + } + + for cryptopt in ${cryptoptions//,/ }; do + case ${cryptopt} in + allow-discards) + cryptargs="${cryptargs} --allow-discards" + ;; + *) + echo "Encryption option '${cryptopt}' not known, ignoring." >&2 + ;; + esac + done + + if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then + if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + dopassphrase=1 + # If keyfile exists, try to use that + if [ -f ${ckeyfile} ]; then + tpm_unsealdata -i ${ckeyfile} -o ${ckeyfile}.orig + ret=$? + tpmok=0 + case $ret in + 0) + tpmok=1 + ;; + 1) + echo "TPM: Wrong SEK" + ;; + 17) + echo "TPM: Communication Error" + ;; + 24) + echo "" + echo -e "\033[31;1mTPM WARNING: PCR HAS BEEN ALTERED!\033[0m" + echo "This is an indication that the system boot is different from when the key was generated" + echo "This is normal when the kernel was updated or the BIOS settings were changed." + echo "" + echo -e "\033[31;1mHowever, this could also indicate a breach in the bootup code.\033[0m" + echo "" + ;; + 255) + echo "TPM: Could not read keyfile" + ;; + *) + echo "TPM: Unknown Error $ret" + ;; + esac + if [ ${tpmok} -gt 0 ]; then + if eval cryptsetup --key-file ${ckeyfile}.orig open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; then + dopassphrase=0 + else + echo "Invalid keyfile. Reverting to passphrase." + fi + else + echo "TPM Could not decrypt keyfile, proceed manually." + fi + fi + # Ask for a passphrase + if [ ${dopassphrase} -gt 0 ]; then + echo "" + echo "A password is required to access the ${cryptname} volume:" + + #loop until we get a real password + while ! eval cryptsetup open --type luks ${resolved} ${cryptname} ${cryptargs} ${CSQUIET}; do + sleep 2; + done + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + elif [ -n "${crypto}" ]; then + [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated + msg "Non-LUKS encrypted device found..." + if echo "$crypto" | awk -F: '{ exit(NF == 5) }'; then + err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip" + err "Non-LUKS decryption not attempted..." + return 1 + fi + exe="cryptsetup open --type plain $resolved $cryptname $cryptargs" + IFS=: read c_hash c_cipher c_keysize c_offset c_skip <<EOF +$crypto +EOF + [ -n "$c_hash" ] && exe="$exe --hash '$c_hash'" + [ -n "$c_cipher" ] && exe="$exe --cipher '$c_cipher'" + [ -n "$c_keysize" ] && exe="$exe --key-size '$c_keysize'" + [ -n "$c_offset" ] && exe="$exe --offset '$c_offset'" + [ -n "$c_skip" ] && exe="$exe --skip '$c_skip'" + if [ -f "$ckeyfile" ]; then + exe="$exe --key-file $ckeyfile" + else + exe="$exe --verify-passphrase" + echo "" + echo "A password is required to access the ${cryptname} volume:" + fi + eval "$exe $CSQUIET" + + if [ $? -ne 0 ]; then + err "Non-LUKS device decryption failed. verify format: " + err " crypto=hash:cipher:keysize:offset:skip" + exit 1 + fi + if [ -e "/dev/mapper/${cryptname}" ]; then + if [ ${DEPRECATED_CRYPT} -eq 1 ]; then + export root="/dev/mapper/root" + fi + else + err "Password succeeded, but ${cryptname} creation failed, aborting..." + exit 1 + fi + else + err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified." + fi + fi + rm -f ${ckeyfile} +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/hosts b/hosts new file mode 100644 index 000000000000..849c10d45629 --- /dev/null +++ b/hosts @@ -0,0 +1,2 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 diff --git a/install_tpm b/install_tpm new file mode 100644 index 000000000000..3fc5f3308a38 --- /dev/null +++ b/install_tpm @@ -0,0 +1,57 @@ +#!/bin/bash + +build() { + local mod + + add_module "tpm_tis" + add_binary "/usr/bin/tpm_unsealdata" "/usr/bin/tpm_unsealdata" + add_binary "/usr/sbin/tpm_version" "/usr/bin/tpm_version" + add_binary "/usr/sbin/tcsd" "/usr/bin/tcsd" + + add_dir "/var/lib/tpm" + add_file "/var/lib/tpm/system.data" + add_file "/usr/lib/initcpio/tpm/hosts" "/etc/hosts" + add_file "/usr/lib/initcpio/tpm/passwd" "/etc/passwd" + add_file "/usr/lib/initcpio/tpm/shadow" "/etc/shadow" + add_file "/usr/lib/libnss_files.so.2" + add_file "/etc/nsswitch.conf" + + add_module dm-crypt + if [[ $CRYPTO_MODULES ]]; then + for mod in $CRYPTO_MODULES; do + add_module "$mod" + done + else + add_all_modules '/crypto/' + fi + + add_binary "cryptsetup" + add_binary "dmsetup" + add_file "/usr/lib/udev/rules.d/10-dm.rules" + add_file "/usr/lib/udev/rules.d/13-dm-disk.rules" + add_file "/usr/lib/udev/rules.d/95-dm-notify.rules" + add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules" + + add_runscript +} + +help() { + cat <<HELPEOF +This hook allows for an encrypted root device. Users should specify the device +to be unlocked using 'cryptdevice=device:dmname' on the kernel command line, +where 'device' is the path to the raw device, and 'dmname' is the name given to +the device after unlocking, and will be available as /dev/mapper/dmname. + +For unlocking via keyfile, 'cryptkey=device:fstype:path' should be specified on +the kernel cmdline, where 'device' represents the raw block device where the key +exists, 'fstype' is the filesystem type of 'device' (or auto), and 'path' is +the absolute path of the keyfile within the device. + +Without specifying a keyfile, you will be prompted for the password at runtime. +This means you must have a keyboard available to input it, and you may need +the keymap hook as well to ensure that the keyboard is using the layout you +expect. +HELPEOF +} + +# vim: set ft=sh ts=4 sw=4 et: diff --git a/passwd b/passwd new file mode 100644 index 000000000000..fed7ee44fc21 --- /dev/null +++ b/passwd @@ -0,0 +1,2 @@ +root:x:0:0:root:/root:/bin/bash +tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin diff --git a/shadow b/shadow new file mode 100644 index 000000000000..f64c6eabe0ab --- /dev/null +++ b/shadow @@ -0,0 +1,2 @@ +root:*:14715:0:99999:7::: +tss:!!:15217:::::: |