Open stereobutter opened 3 months ago
The machine config I'm using currently is
machine:
systemDiskEncryption:
ephemeral:
cipher: aes-xts-plain64
keySize: 256
keys:
- slot: 1
static:
passphrase: <your passphrase>
provider: luks2
state:
cipher: aes-xts-plain64
keySize: 256
keys:
- slot: 0
tpm: {}
provider: luks2
Feature Request
Seal the LUKS encryption keys for the
EPHEMERAL
partition using a TPM register that depends on confidential information from theSTATE
partition.Description
Consider a scenario where an attacker has physical access to a cluster (as opposed to access to a lone disk removed from the cluster). I'm currently unsure whether using TPM-based LUKS encryption for both the
STATE
andEPHEMERAL
partitions is sufficient to guarantee that user data onEPHEMERAL
will not be readable by the attacker.The boot process, as I understand it using SecureBoot and LUKS with TPM-based encryption, looks roughly as follows:
init
and talos takes over.STATE
partition.EPHEMERAL
. The partition is decrypted and mounted as/var
.If I'm not mistaken, all PCR measurements up to step 9, where the encryption key for
EPHEMERAL
is released by the TPM, depend either on the physical device (CPU, TPM-Chip, etc.) or the current talos installer image used on the machine (Kernel, Bootloader, SecureBoot signature, etc.) and not on the identity of the machine/cluster. I believe this would enable an attacker to overwrite theSTATE
with their talosSTATE
partition (created by the attacker using the same installer image).The issue, I think, is that during step 8, no machine- (and/or cluster-specific) information is measured into any of the PCRs, including PCR[11] which is currently used for LUKS in talos. Compare that to systemd-pcrmachine.service which measures the
machine-id
, a confidential identifier that is generated on the first boot, into PCR[15] (which could then be used for binding the LUKS encryption key forEPHEMERAL
to).Workaround
If the above is correct, I think a workaround for the time being is using TPM-based LUKS encryption just for the
STATE
partition and passphrase-based encryption forEPHEMERAL
. The relevant part of the boot process would look like this:init
and talos takes over.STATE
partition.EPHEMERAL
. The partition is decrypted and mounted as/var
.Overwriting the
STATE
partition to try and boot talos with a machine config under the control of the attacker would destroy the static passphrase and renderEPHEMERAL
inaccessible to the attacker.Useful references