diff --git a/README.md b/README.md index 4c0647c..1f4a0af 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,19 @@ Adds automatic decryption function based on TPM policy configuration Main Source: https://threat.tevora.com/secure-boot-tpm-2/ -# Using the scripts -`setup` automatically pulls out the LUKS and EFI boot partition using blkid and grep. The only input it requires is a `cryptsetup` password and a simple `yes`. The script supports flags as follows: +# General requirements +- A secure-boot enabled system with a custom key authentication setting in BIOS. +- EFI System Partition (ESP) access for installing custom kernels. +- General understanding of bash commands. +- ~~Patience. Quite a bit of it~~ Not so much patience required anymore, just time. + +# Detailed Walkthrough +## Prerequisites +* An Ubuntu install during which [Encryption was Enabled](https://ubuntu.com/tutorials/install-ubuntu-desktop#7-optional-enable-encryption) +* `Secure Boot` disabled in the BIOS (will be enabled after Step 1) + +## Step 1 +Run `./setup` as `root`, this will install the required packages and automatically pull the LUKS and EFI boot partition using blkid and grep. It will ask for confirmation to continue before modifying anything, then a password (and confirmation) that will be used for the `MOK Enrollment`, then the passphrase for your `LUKS` partition. The script supports flags as follows: * -b: Manually sets the boot partition by UUID * -l: Manually sets the LUKS partition by UUID 
@@ -12,16 +23,15 @@ Main Source: https://threat.tevora.com/secure-boot-tpm-2/ * -r: Manually sets the root partition under /dev/mapper/ * -y Gives the script a clear go-ahead for signed kernel creation -Once it finishes the first round, it will try to set up a GRUB menu entry. If the system does not use GRUB, it will continue running after giving a notice. Next, a `systemd` file will be added and enabled to run at boot. The `tpm2keyunlock.service` file will be installed under /etc/systemd/system and run TPM commands to persist secret in memory. The service will then disable itself after finishing setting up `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm` with the appropriate PCR hash method and persistent handle. +As it finishes, it will set up a `MOK Enrollment` for secure boot. To complete this Step, the user must reboot (see Note below). -# Detailed walkthrough -The setup of TPM unlocking involves three phases. The first phase installs the TPM tools. The second sets up a TPM-signed kernel and TPM key. The final step verifies the TPM key is working and finishes setting up the TPM kernel. +**Note** +Upon rebooting, the user will be prompted with the `MOK Enrollment` blue screen. Select `Enroll MOK`, then `Continue` followed by `Yes`, enter the password given during `setup`, finally select `Reboot`. -# General requirements -- A secure-boot enabled system with a custom key authentication setting in BIOS. -- EFI System Partition (ESP) access for installing custom kernels. -- General understanding of bash commands. -- ~~Patience. Quite a bit of it~~ Not so much patience required anymore, just time. +Once back in Ubuntu, reboot a second time, this time entering the BIOS to enable Secure Boot. + +## Step 2 +Now back in Ubuntu (with MOK Enrollment and Secure Boot enabled), run `./tpm2PolicyConfig` as root. 
This will run TPM commands to persist the LUKS passphrase in memory by setting up `/etc/crypttab` and `/usr/local/bin/passphrase-from-tpm` with the appropriate PCR hash method and persistent handle. # Using cloud-init to automate deployment and installation I created an overview over at https://www.edwardssite.com/cloud-init outlining the details of how to automate the deployment and installation process of this project using cloud-init and Ubuntu's autoinstall settings. Pretty much everything needed is explained there, and reference files are included. diff --git a/bootChain-update b/bootChain-update old mode 100644 new mode 100755 diff --git a/passphrase-from-tpm b/passphrase-from-tpm old mode 100644 new mode 100755 diff --git a/setup b/setup old mode 100644 new mode 100755 index 28e93d6..51b214a --- a/setup +++ b/setup @@ -73,9 +73,6 @@ done apt-get install -y glib2.0 || (echo "Could not install glib2.0"; exit 1) -cp tpm2keyunlock.service /etc/systemd/system/ -sed -i "s#LOCATION#$BASEDIR#g" /etc/systemd/system/tpm2keyunlock.service - cd /usr/local/src || exit 1 git clone https://github.com/tpm2-software/tpm2-tss.git @@ -155,6 +152,7 @@ sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth cp db.auth /boot/efi/EFI/BOOT/ cp KEK.auth /boot/efi/EFI/BOOT/ +echo "Enter password for MOK Enrollment:" mokutil --import db.cer KEK.cer echo "root=$ROOT panic=60" > cmdline.txt @@ -179,6 +177,7 @@ dd if=/dev/urandom of=secret.bin bs=32 count=1 conv=sync if [ "${PASSWORD}" != '' ]; then echo $PASSWORD | cryptsetup luksAddKey $DRIVE secret.bin else + echo "Enter passphrase for the encrypted drive ($DRIVE):" cryptsetup luksAddKey $DRIVE secret.bin fi 
@@ -192,6 +191,5 @@ cp /etc/crypttab /etc/crypttab.bak efibootmgr -c -L "TPM2 EFI Stub" -l "\\EFI\\BOOT\\BOOTX64.EFI" -d $EFIBOOT -p $EFIPART efibootmgr -o $(efibootmgr | grep "TPM2 EFI Stub" | grep -Po "(?<=Boot)[A-Za-z0-9]+"),$EFIORDER -systemctl enable tpm2keyunlock.service echo "TPM2 boot enabled, please restart." >> /var/run/reboot-required cat /var/run/reboot-required diff --git a/tpm2Hook b/tpm2Hook old mode 100644 new mode 100755 diff --git a/tpm2PolicyConfig b/tpm2PolicyConfig old mode 100644 new mode 100755 index 3a823a2..5b10c31 --- a/tpm2PolicyConfig +++ b/tpm2PolicyConfig @@ -9,8 +9,6 @@ TPM_TEST=$(tpm2_pcrread sha256:0 | grep -Po "[0][x][A-Za-z0-9]+") PCR_BANK=1 PCR_VALUES="0,2,3,7" -systemctl disable tpm2keyunlock.service - chmod 0755 tpm2Hook passphrase-from-tpm cp tpm2Hook /usr/share/initramfs-tools/hooks/tpm2KeyUnlock chown 0:0 /usr/share/initramfs-tools/hooks/tpm2KeyUnlock @@ -43,10 +41,9 @@ tpm2_createpolicy --policy-pcr -l sha$PCR_BANK:$PCR_VALUES -f pcrs.bin --policy tpm2_createprimary -c primary.context tpm2_create -u obj.pub -r obj.priv -C primary.context -L policy.digest --attributes "noda|adminwithpolicy|fixedparent|fixedtpm" -i secret.bin tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context -tpm2_evictcontrol -c load.context +REFERENCE=$(tpm2_evictcontrol -c load.context | tee /dev/tty | grep "persistent-handle:" | cut -d' ' -sf2) sed -i "s/HASH/sha$PCR_BANK/g" /usr/local/bin/passphrase-from-tpm -REFERENCE=$(tpm2_getcap handles-persistent | grep -Po "[0][x][A-Za-z0-9]+" | tail -1) sed -i "s/REFERENCE/$REFERENCE/g" /usr/local/bin/passphrase-from-tpm sed -i "s/PCRVAL/$PCR_VALUES/g" /usr/local/bin/passphrase-from-tpm diff --git a/tpm2keyunlock.service b/tpm2keyunlock.service deleted file mode 100644 index 94b9301..0000000 --- a/tpm2keyunlock.service +++ /dev/null 
@@ -1,12 +0,0 @@ -[Unit] -Description=TPM2 post-install manager - -[Service] -User=root -WorkingDirectory=LOCATION -ReadWriteDirectories=LOCATION -TimeoutSec=180 -ExecStart=LOCATION/tpm2PolicyConfig - -[Install] -WantedBy=multi-user.target
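Review bot: the README hunk at `@@ -3,8 +3,19 @@` leaves a contradiction between "A secure-boot enabled system with a custom key authentication setting in BIOS" under General requirements and the new prerequisite "`Secure Boot` disabled in the BIOS (will be enabled after Step 1)". Suggest "A Secure Boot capable system ..." in the requirements list, so a reader does not turn Secure Boot on before `./setup` has imported the custom db/KEK (`mokutil --import db.cer KEK.cer`) and queued the MOK enrollment.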
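Review bot: the Step 2 description in the README hunk at `@@ -12,16 +23,15 @@`, "persist the LUKS passphrase in memory", does not match what `tpm2PolicyConfig` does in the diff below it: the object created with `tpm2_create ... -L policy.digest ... -i secret.bin` seals the random 32-byte key that `setup` added with `cryptsetup luksAddKey`, not the user's passphrase, binds it to the PCR policy (`sha$PCR_BANK` bank, PCRs `0,2,3,7`), and `tpm2_evictcontrol` makes it persistent in the TPM rather than in RAM. Suggest "seal a dedicated LUKS key slot secret in the TPM under a PCR policy", and say explicitly that the original passphrase remains a valid fallback, since the protection boundary (which PCRs must match) is the security property a user needs to understand here.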
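Review bot: the prompt added before `mokutil --import db.cer KEK.cer` in the `setup` hunk at `@@ -155,6 +152,7 @@` is helpful, but the message should say that this is a new password chosen now and that it has to be typed again at the MOK Enrollment screen after reboot (the README Note describes that screen); something like `echo "Choose a password for MOK Enrollment (you will re-enter it after reboot):"` would keep the script and the README Note consistent.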
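Review bot: the new prompt `echo "Enter passphrase for the encrypted drive ($DRIVE):"` in the `setup` hunk at `@@ -179,6 +177,7 @@` is immediately followed by cryptsetup's own passphrase prompt for `luksAddKey`, so the user sees two prompts for one input; consider wording it as "cryptsetup will now ask for an existing passphrase of $DRIVE". While in this block, the context line `echo $PASSWORD | cryptsetup luksAddKey $DRIVE secret.bin` should quote `"$PASSWORD"` and `"$DRIVE"`, otherwise a passphrase containing spaces or glob characters is altered by word splitting before it reaches cryptsetup.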
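Review bot: with `systemctl enable tpm2keyunlock.service` removed in the `setup` hunk at `@@ -192,6 +191,5 @@`, nothing runs `tpm2PolicyConfig` after the reboot any more, so the message written to `/var/run/reboot-required`, "TPM2 boot enabled, please restart.", now overstates the state of the system: the "TPM2 EFI Stub" boot entry exists, but sealing the key and rewriting `/etc/crypttab` only happen when the user runs Step 2 by hand. Suggest replacing it with a message that mirrors the README, e.g. "Reboot, complete MOK Enrollment and enable Secure Boot, then run ./tpm2PolicyConfig as root.", so a user who never reads the README does not end up with a boot entry that still asks for the passphrase and no idea why.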
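Review bot: `REFERENCE=$(tpm2_evictcontrol -c load.context | tee /dev/tty | grep "persistent-handle:" | cut -d' ' -sf2)` in the `tpm2PolicyConfig` hunk at `@@ -43,10 +41,9 @@` has no check that the capture succeeded. If `tpm2_evictcontrol` fails, or an installed tpm2-tools release labels the handle differently, `REFERENCE` is empty and the following `sed -i "s/REFERENCE/$REFERENCE/g" /usr/local/bin/passphrase-from-tpm` silently blanks the placeholder, leaving an unlock script that can never unseal and no error in the log. Add `[ -n "$REFERENCE" ] || { echo "Could not determine persistent handle"; exit 1; }` before the `sed` calls (and ideally `set -o pipefail` at the top of the script). Separately, `tee /dev/tty` needs a controlling terminal, which the cloud-init/autoinstall deployment the README points to does not provide; `tee /dev/stderr` keeps the output visible without that dependency. Capturing the handle from the `tpm2_evictcontrol` output is still a clear improvement over the removed `tpm2_getcap handles-persistent | ... | tail -1`, which picked up whatever persistent object happened to be listed last.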