As the faulTPM paper (linked below) has shown, all key material can be extracted from the TPM.
The mitigation the authors propose is to use the TPM + password option together with a KDF, and to
append the password to the TPM secret that opens LUKS:
Sealing
LUKS_SECRET is generated randomly
User enters TPM_PASSWORD
PWD_HASHED = argon2(TPM_PASSWORD)
LUKS_SECRET is sealed in the TPM with PWD_HASHED (and PCR) as authorization
The LUKS passphrase is LUKS_SECRET + TPM_PASSWORD (the concatenation), so LUKS is encrypted under both
LUKS2 additionally runs its own argon2 PBKDF over that passphrase in the key slot
Unsealing
User enters TPM_PASSWORD
PWD_HASHED = argon2(TPM_PASSWORD)
LUKS_SECRET is unsealed from the TPM with PWD_HASHED (and PCR) as authorization
LUKS is opened with the passphrase LUKS_SECRET + TPM_PASSWORD
LUKS2 runs its own argon2 PBKDF over that passphrase in the key slot, as at sealing time
The catch is that if the TPM is completely broken, the attacker knows LUKS_SECRET. That alone is not sufficient to decrypt, because the original password is needed as well: the attacker has to brute-force TPM_PASSWORD with argon2 as the KDF, and, since the secret is already out of the TPM, the TPM's dictionary-attack lockout no longer slows those guesses down. Therefore sectpmctl with the TPM+password option is, on a vulnerable system, at least as strong as software-only encryption without any TPM, provided the password itself is chosen to withstand an offline attack.
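The sealing and unsealing steps above and the attacker from the catch paragraph, as an added runnable model (constructed for this issue, not sectpmctl's own code): the TPM is simulated as an object store with an auth value, a PCR digest and a dictionary-attack lockout; argon2 is replaced by hashlib.scrypt (also memory-hard) because argon2 is not in the Python standard library; AUTH_SALT, the toy stream cipher, the "luks" handle name and the sample password are assumptions. It shows the owner unlocking, the PCR check, the lockout stopping online guessing against an intact TPM, and then the faulTPM case: with LUKS_SECRET dumped, the volume still does not open until TPM_PASSWORD is guessed, one KDF evaluation per guess and no lockout in the way, whereas a TPM-only scheme falls to the dump alone.

```python
"""Toy model of the TPM+password scheme: what a full TPM key dump (faulTPM)
does and does not give an attacker. Constructed demo, not sectpmctl code."""
import hashlib
import hmac
import secrets

AUTH_SALT = b"demo-auth-salt"  # assumption: a fixed salt for PWD_HASHED

def kdf(secret: bytes, salt: bytes) -> bytes:
    # Stand-in for argon2 (not in the stdlib); scrypt is memory-hard too. Small params keep it fast.
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1, dklen=32)

class TpmAuthFailed(Exception): pass
class TpmLockedOut(Exception): pass

class SimulatedTpm:
    """Sealed objects guarded by an auth value, a PCR digest and a dictionary-attack
    lockout; extract_all_key_material() is the faulTPM outcome that bypasses both."""
    def __init__(self, max_failures: int = 3):
        self._objects, self.failures, self.max_failures = {}, 0, max_failures
    def seal(self, handle: str, secret: bytes, auth: bytes, pcr_digest: bytes):
        self._objects[handle] = (secret, auth, pcr_digest)
    def unseal(self, handle: str, auth: bytes, pcr_digest: bytes) -> bytes:
        if self.failures >= self.max_failures:
            raise TpmLockedOut("dictionary-attack lockout engaged")
        secret, stored_auth, stored_pcr = self._objects[handle]
        if not hmac.compare_digest(stored_auth, auth) or stored_pcr != pcr_digest:
            self.failures += 1
            raise TpmAuthFailed("wrong auth value or PCR mismatch")
        self.failures = 0
        return secret
    def extract_all_key_material(self) -> dict:
        return {h: s for h, (s, _, _) in self._objects.items()}

# Minimal LUKS-like container: KDF over the passphrase (LUKS2 uses argon2 here), a
# digest to recognise the right key, and a toy SHA-256 counter-mode stream cipher.
def _xor_stream(key: bytes, data: bytes) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def luks_format(passphrase: bytes, plaintext: bytes) -> dict:
    salt = secrets.token_bytes(16)
    key = kdf(passphrase, salt)
    return {"salt": salt, "ciphertext": _xor_stream(key, plaintext),
            "digest": hmac.new(key, b"key-digest", hashlib.sha256).digest()}

def luks_open(header: dict, passphrase: bytes):
    key = kdf(passphrase, header["salt"])
    digest = hmac.new(key, b"key-digest", hashlib.sha256).digest()
    if not hmac.compare_digest(digest, header["digest"]):
        return None                                   # wrong passphrase
    return _xor_stream(key, header["ciphertext"])

def seal(tpm: SimulatedTpm, tpm_password: bytes, pcr_digest: bytes, data: bytes) -> dict:
    luks_secret = secrets.token_bytes(32)             # LUKS_SECRET, random
    pwd_hashed = kdf(tpm_password, AUTH_SALT)         # PWD_HASHED = argon2(TPM_PASSWORD)
    tpm.seal("luks", luks_secret, pwd_hashed, pcr_digest)
    return luks_format(luks_secret + tpm_password, data)  # passphrase = LUKS_SECRET + TPM_PASSWORD

def unseal(tpm: SimulatedTpm, header: dict, tpm_password: bytes, pcr_digest: bytes):
    pwd_hashed = kdf(tpm_password, AUTH_SALT)
    luks_secret = tpm.unseal("luks", pwd_hashed, pcr_digest)
    return luks_open(header, luks_secret + tpm_password)

def try_unseal(tpm, header, tpm_password, pcr_digest):
    # Exception type the TPM raised on an unseal attempt, or None on success.
    try:
        unseal(tpm, header, tpm_password, pcr_digest)
        return None
    except (TpmAuthFailed, TpmLockedOut) as exc:
        return type(exc)

def attacker_with_tpm_dump(tpm: SimulatedTpm, header: dict, wordlist):
    # Holding LUKS_SECRET, the attacker still has to guess TPM_PASSWORD, paying one
    # KDF evaluation per guess, but the TPM lockout is no longer in the way.
    luks_secret = tpm.extract_all_key_material()["luks"]
    for guess in wordlist:
        if luks_open(header, luks_secret + guess) is not None:
            return guess
    return None

def run_scenario() -> dict:
    tpm, pcr = SimulatedTpm(), hashlib.sha256(b"measured boot state").digest()
    password, data = b"correct horse battery", b"volume data"  # constructed sample input
    header = seal(tpm, password, pcr, data)
    r = {"owner_unlocks": unseal(tpm, header, password, pcr) == data}
    r["pcr_enforced"] = try_unseal(tpm, header, password, hashlib.sha256(b"tampered").digest()) is TpmAuthFailed
    outcomes = [try_unseal(tpm, header, g, pcr) for g in (b"a", b"b", b"c", b"d")]
    r["lockout_engaged"] = TpmLockedOut in outcomes   # intact TPM stops online guessing
    dump = tpm.extract_all_key_material()["luks"]     # faulTPM: LUKS_SECRET is known
    r["dump_alone_insufficient"] = luks_open(header, dump) is None
    r["wordlist_miss"] = attacker_with_tpm_dump(tpm, header, [b"password", b"123456"]) is None
    r["wordlist_hit"] = attacker_with_tpm_dump(tpm, header, [b"password", password]) == password
    r["tpm_only_falls_with_dump"] = luks_open(luks_format(dump, data), dump) == data
    return r

if __name__ == "__main__":
    print(run_scenario())
```

Run it directly to print the outcome flags. The practical consequence of the last part is that, once the TPM is assumed broken, TPM_PASSWORD is the only thing left, so it has to be chosen like a software-only disk encryption passphrase, with the argon2 parameters set as high as the boot-time budget allows.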
The command line utility argon2 on Ubuntu 22.04 seems to be broken when parallelism is used: it only uses
a single thread. Interestingly, the Ubuntu 22.04 libargon2 library does not suffer from this problem.
Give zero trust to the TPM: https://arxiv.org/abs/2304.14717