Open tlaurion opened 3 years ago
Should be considered in limitations when implementing https://github.com/osresearch/heads/issues/921
Another note of interest here is that Heads does not implement dmverity checks as of now (was in before, never really documented, could have worked with patches to QubesOS 3.2 but never happened for QubesOS, where I cannot find link to past discussions as of right now.)
For QubesOS to support such setup (as safeboot goal) QubesOS disk layout and keeping QubesOS from constantly writing into the rootfs layer (which should not change outside of updates) needs to be implemented.
The best Heads implements, as of right now, in my opinion, is:
Any other implementation proposed previously would lower the security offered.
The above implementation comes with limits as well. In theory, it would be totally possible to:
On TPM-less USB Security dongle-only enforced remote attestation (firmware integrity remote attestation on USB Security dongle through HOTP):
HOTP:Success
and green led flashing would be shown, the user would think its ok. Well, until he tries to sign/encrypt content with that rubber ducky and realize it was swapped with the original. Above point is more attractive approach to compromise heads functions; changing the whole Heads scripts to save in /boot or anywhere else the USB Security dongle's PINs and Disk Recovery Key passphrases. Why not put the logic further, and have Heads code wait for a USB disk UUID to mount it in a flash, exfiltrate secrets. Or simply wait a day or two so that the user uses his computer, and simply steal it at this point, knowing that you have all that is desired inside of /boot, just needing to reset passphrases from OS from an external boot media.On LUKS encrypted backup of key generation:
On LUKS encrypted partition replacing USB Security dongle:
@tlaurion More detail and better explanations are needed in the wiki but how would this be organized? This, when all together, seems like it lead to more questions from new users.
Diagrams laying out where everything is stored and a glossary may be useful but seem like they are outside of the scope of this ticket. I'll open new ones.
Sandy and Ivy bridge (xx20/xx30) get platform locking (no SPI write outside of Heads) through https://github.com/osresearch/heads/pull/326
Take into consideration https://github.com/linuxboot/heads-wiki/issues/116 when updating docs to differenciate measuring and sealing operations.
Detailed again what kexec*.txt files are for, as detached signed under kexec.sig under https://github.com/linuxboot/heads/issues/1620#issuecomment-2023315107
Time to work on docs!
- Firmware remote attestation (TOTP, HOTP) of measured firmware components, including GPG public key into PCR7, used to provide validation of detached signed digest of precedent step.
Discussion on bootguard vs bootblock RoT at https://matrix.to/#/!GzefHyBKGoKjOgarWV:matrix.org/$Fa2nJy6D0W0mNELnNzUJVYAXhZoVGn1Dw4Mqtmax9qg?via=dreamless.one&via=matrix.org&via=tchncs.de
Edit: best unbiased, user written doc at https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/
The following should go into a wiki page.
Actual Heads security mechanisms are:
Measured /boot, requiring a USB Security dongle to offload GPG operations (signing with private key in smartcard). The verification of detached signed /boot digest is automatic on each boot, verified against public key injected in firmware (and measured by TPM).
Firmware remote attestation (TOTP, HOTP) of measured firmware components, including GPG public key into PCR7, used to provide validation of detached signed digest of precedent step.
Disk Unlock Key, using NV TPM reserved space to release Disk Unlock Key when (1) (2) and LUKS header + Disk Unlock Key passphrase are valid, while rate limiting passphrase attempts by the TPM. (Note that if going into recovery shell, measurements are invalidated and this won't be successful)
Let's focus on (1) here.
For more information, please read: https://www.linuxjournal.com/content/why-smart-cards-are-smart