gardenlinux / builder

Builder used to construct Garden Linux. Re-usable for other OS-projects.
Apache License 2.0

Pre-calculate and sign `PCR 11` values on build #69

Closed brdanin closed 6 months ago

brdanin commented 6 months ago

This PR changes the current encryption behaviour in favour of binding to signatures of PCR 11 values with signed public key based policies. Binding to PCR 7 is kept static, as the Secure Boot state should not change during e.g. a kernel upgrade.

The following steps are performed during the build process if a partition with the feature flag tpm2 is defined in the fstab.mod file:

  1. PCR 11 values get pre-calculated during the build process using ukify (could be changed in the future to systemd-measure)
  2. Generates a valid PCR signature JSON for the given build based on the values calculated in Step 1
  3. Combines .pcrsig and .pcrpkey sections into the final bootable Unified Kernel Image
  4. Optional: This UKI file can also be signed if Secure Boot is enabled

These steps are executed by the OS during boot:

  1. When creating the defined partitions, systemd-repart binds the encryption to the signature values defined in tpm2-pcr-signature.json (.pcrsig)
  2. systemd-cryptsetup then validates these signatures with the PCR 11 values present on the system and the public key provided using the tpm2-pcr-public-key.pem (.pcrpkey) certificate file
  3. If everything checks out, the boot process is continued and the partition can then be mounted and accessed
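Worked example of the build-time and boot-time halves of the scheme above, added here as an illustration; this is not code from the PR, from the Garden Linux builder, or from systemd. It replays in pure Python what ukify/systemd-measure do when they pre-calculate PCR 11 and what systemd-repart/systemd-cryptsetup later have to re-derive: every measured UKI section extends PCR 11 twice (hash of the section name including its trailing NUL, then hash of the payload), the boot phase words are extended afterwards, the TPM2_PolicyPCR digest is computed from the predicted value, and a tpm2-pcr-signature.json entry (the .pcrsig section) is built around it. The section order, the name-then-payload convention, the PolicyPCR formula, and the `pkfp` (SHA-256 over the DER SubjectPublicKeyInfo) and `sig` (RSA PKCS#1 v1.5 over SHA-256 of the policy digest) encodings are stated here as my understanding of the systemd conventions and should be checked against `systemd-measure calculate` output before relying on them; the section contents in `__main__` are constructed stand-ins, not a real image, and the optional signing step assumes the `cryptography` package.

```python
import base64
import hashlib
import json
import struct

# Order in which systemd-stub measures UKI sections into PCR 11 (assumed; sections
# the image lacks are skipped). .pcrsig is deliberately absent: it carries the
# signature and therefore cannot be part of what is signed.
UKI_MEASURED_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash",
                         ".dtb", ".uname", ".sbat", ".pcrpkey")

TPM_ALG_SHA256 = 0x000B         # TPM2 algorithm id of the SHA-256 bank
TPM_CC_POLICY_PCR = 0x0000017F  # command code TPM2_PolicyPCR mixes into the policy
PCR_KERNEL_BOOT = 11


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || digest)."""
    return sha256(pcr + digest)


def predict_pcr11(sections: dict, phases: tuple = ("enter-initrd",)) -> bytes:
    """Build-time replay of the boot-time measurements (assumed convention:
    name with NUL, then payload, per section; then one extend per phase word).
    systemd-repart runs in the initrd, i.e. after "enter-initrd" was measured."""
    pcr = bytes(32)  # PCR 11 is all-zero when the stub starts
    for name in UKI_MEASURED_SECTIONS:
        if name in sections:
            pcr = pcr_extend(pcr, sha256(name.encode() + b"\0"))
            pcr = pcr_extend(pcr, sha256(sections[name]))
    for word in phases:
        pcr = pcr_extend(pcr, sha256(word.encode()))
    return pcr


def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION selecting `pcrs` in the SHA-256 bank."""
    bitmap = bytearray(3)  # sizeofSelect = 3 bytes covers PCRs 0..23
    for i in pcrs:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcr_values: dict) -> bytes:
    """TPM2_PolicyPCR applied to a fresh (all-zero) policy digest:
    policy' = H(policy || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(values))."""
    pcrs = sorted(pcr_values)
    pcr_digest = sha256(b"".join(pcr_values[i] for i in pcrs))
    return sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + pcr_selection(pcrs) + pcr_digest)


def pcr_signature_entry(pcr11: bytes, pubkey_der: bytes, sign) -> dict:
    """One "sha256" entry of tpm2-pcr-signature.json. `sign(policy)` must return
    what TPM2_PolicyAuthorize accepts for this key (RSA PKCS#1 v1.5 over
    SHA-256(policy)); pkfp is SHA-256 of the DER SubjectPublicKeyInfo."""
    policy = policy_pcr_digest({PCR_KERNEL_BOOT: pcr11})
    return {"pcrs": [PCR_KERNEL_BOOT], "pkfp": sha256(pubkey_der).hex(),
            "pol": policy.hex(), "sig": base64.b64encode(sign(policy)).decode()}


def matching_entry(signature_json: dict, live_pcr11: bytes, pubkey_der: bytes):
    """Boot-time side: recompute the policy from the live PCR 11 value and return
    the .pcrsig entry whose "pol" and "pkfp" match, or None (then the TPM would
    refuse to unseal regardless of the signature)."""
    want_pol = policy_pcr_digest({PCR_KERNEL_BOOT: live_pcr11}).hex()
    want_fp = sha256(pubkey_der).hex()
    for entry in signature_json.get("sha256", []):
        if entry["pol"] == want_pol and entry["pkfp"] == want_fp:
            return entry
    return None


if __name__ == "__main__":
    # Constructed stand-ins for a UKI's sections; in a real image .pcrpkey holds
    # the PEM of the very key whose fingerprint ends up in "pkfp".
    sections = {".linux": b"vmlinuz-bytes", ".osrel": b"ID=gardenlinux\n",
                ".cmdline": b"root=LABEL=ROOT ro", ".initrd": b"initrd-bytes",
                ".pcrpkey": b"-----BEGIN PUBLIC KEY-----\n...\n"}
    pcr11 = predict_pcr11(sections)
    print("predicted PCR 11 :", pcr11.hex())
    print("PolicyPCR digest :", policy_pcr_digest({PCR_KERNEL_BOOT: pcr11}).hex())
    try:
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
    except ImportError:  # assumption: cryptography may be absent; skip signing
        print("cryptography not installed, skipping the signing step")
    else:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        der = key.public_key().public_bytes(
            serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
        doc = {"sha256": [pcr_signature_entry(
            pcr11, der, lambda pol: key.sign(pol, padding.PKCS1v15(), hashes.SHA256()))]}
        print(json.dumps(doc, indent=2))
        assert matching_entry(doc, pcr11, der) is not None
```

Two things the example makes visible that the step list does not: the PCR 7 binding stays a plain, unsigned PolicyPCR term and is not part of this JSON, which only covers PCR 11; and any change to a measured section or to the phase path (a new kernel, a different cmdline, signing for "enter-initrd" when the volume is opened later) yields a different "pol", so the build has to emit one entry per phase it wants to allow, which is what ukify's `--phases` / systemd-measure's `--phase=` options are for.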