TL;DR: Now you can have a LUKS-encrypted root filesystem in Ubuntu 16.10/17.04 without the need to enter a password during boot.
Tell me more:
Have you ever wondered how Windows Bitlocker-protected computers start without a password being entered during boot? While this is only one of the possible Bitlocker configurations (and certainly not the most secure one), it is very user friendly and provides a certain level of security.
Windows uses the so-called Trusted Platform Module (TPM) to provide Bitlocker disk encryption without entering a password on boot. The Bitlocker component is configured while Windows is up and running. When a TPM is present in the system, it is initialized and the desired state of the boot components is precomputed by the operating system. The Bitlocker secret is then bound (sealed) to this precomputed state and stored on the boot drive (the TPM's storage root key is used in this sealing process; the TPM itself is the component which does the sealing).
During boot, each component which is part of the boot process gets measured (hashed) and the measurement is then extended into the TPM's Platform Configuration Registers (PCRs). This includes your BIOS/UEFI code, some data (such as the current state of your partitions in the MBR or GPT), the operating system boot loader, the kernel and its start-up parameters (such as "is safe mode enabled?"). Based on these measurements, the Windows secret is either unsealed by the TPM (if the storage root key and the computer state in the PCRs match the expectations defined during the sealing process) or unsealing fails (if the system state has been tampered with). When unsealing fails, Windows prompts the user for the Bitlocker recovery password.
In Linux, TPM support has existed in the kernel for years, but there is very limited support in bootloaders and the toolchain to allow a similar set-up for LUKS-encrypted root filesystems. There are the following projects regarding measured boot and LUKS-TPM in Linux:
While there were multiple options to choose from, none of them matched the feature set needed for Ubuntu support, namely:
As a result, the tools which provide the feature set above are included in this repository, together with the Grub2-tpm for Ubuntu repository. These repositories are accompanied by the LUKS-TPM Launchpad PPA, where precompiled packages are available for easy installation.
Due to a limitation of TrouSerS, Linux cannot seal to precomputed PCR values (although a patch was submitted by the NSA in 2011). Therefore the TPM's NVRAM is used to store the key, and the NVRAM index is protected by PCR validation: the TPM allows or forbids access to the index depending on whether the current PCR state matches the precomputed one.
After the initial configuration, a random 32 byte (256 bit) key is generated by tpm-luks-init. The system is measured by tpm-luks-gen-tgrub-pcr-values and the PCR values are precomputed (an extra tool called pcrsum has been created to enhance UEFI-based measurements). The key is stored in TPM NVRAM together with the precomputed PCR values. The key is then added to a free LUKS key slot.
Each time a new active initramdisk is generated by the system, the /etc/initramfs/post-update.d/tpm-luks-update hook is executed, which (after some additional checks) executes tpm-luks-update. tpm-luks-update then precomputes the PCR values for the new system state and migrates the current LUKS key to a new NVRAM index in the TPM. This allows for kernel updates without manual intervention.
Note: the active initramdisk is the initramdisk to which the default Grub entry points at the moment tpm-luks-update is executed.
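To make the measure, precompute and release cycle described above concrete, here is an added shell example (not tpm-luks code) that simulates a single TPM 1.2 PCR and the PCR-gated NVRAM read. The boot components are constructed stand-in files; they are hashed and extended in boot order, the resulting PCR value plays the role of the precomputed value stored alongside the key, and the key is released only if replaying the chain reproduces that value. It assumes openssl, od, head and mktemp are installed and never talks to a real TPM.

```shell
#!/bin/sh
# Simulated TPM 1.2 PCR plus an NVRAM-style PCR gate. Added example, not tpm-luks code.
# Assumes 'openssl', 'od', 'head' and 'mktemp' are installed; it never touches a real TPM.
# A TPM 1.2 PCR holds a SHA-1 digest and is only ever changed by extend:
#   PCR_new = SHA1(PCR_old || SHA1(measured data))
# so the final value depends on every measured component and on their order.

PCR_STATE=$(mktemp)   # the 20-byte binary PCR value lives here

pcr_reset() {
    # After power-on a PCR is all zeros.
    head -c 20 /dev/zero > "$PCR_STATE"
}

pcr_extend() {
    # $1: file whose contents are measured (hashed) and extended into the PCR.
    { cat "$PCR_STATE"; openssl dgst -sha1 -binary "$1"; } \
        | openssl dgst -sha1 -binary > "$PCR_STATE.new"
    mv "$PCR_STATE.new" "$PCR_STATE"
}

pcr_read() {
    # Print the PCR as 40 hex digits, the way tpm_pcrread shows it.
    od -An -tx1 -v "$PCR_STATE" | tr -d ' \n'
}

precompute_pcr() {
    # Replay a boot chain (files in boot order: bootloader, kernel, initrd, cmdline)
    # into a fresh PCR and print the expected final value. This is what has to be
    # redone whenever any of those components changes.
    pcr_reset
    for f in "$@"; do pcr_extend "$f"; done
    pcr_read
}

nv_release_key() {
    # Model of an NVRAM index with a PCR read restriction: $1 is the expected PCR
    # value recorded when the key was stored, $2 the stored key file, the rest the
    # boot chain that actually ran. The key is printed only if the replay matches $1.
    expected=$1; keyfile=$2; shift 2
    if [ "$(precompute_pcr "$@")" = "$expected" ]; then
        cat "$keyfile"
        return 0
    fi
    echo "PCR mismatch: NVRAM read denied" >&2
    return 1
}

# Stand-alone demo with constructed stand-ins for the real boot components.
d=$(mktemp -d)
printf 'grub core image' > "$d/grub"
printf 'vmlinuz-4.10.0-19' > "$d/kernel"
printf 'initrd.img-4.10.0-19' > "$d/initrd"
printf 'root=/dev/mapper/root ro panic=60' > "$d/cmdline"
printf 'root=/dev/mapper/root ro init=/bin/sh' > "$d/cmdline-evil"
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$d/luks.key"

expected=$(precompute_pcr "$d/grub" "$d/kernel" "$d/initrd" "$d/cmdline")
echo "expected PCR: $expected"
nv_release_key "$expected" "$d/luks.key" "$d/grub" "$d/kernel" "$d/initrd" "$d/cmdline" \
    && echo "key released for the expected boot chain"
nv_release_key "$expected" "$d/luks.key" "$d/grub" "$d/kernel" "$d/initrd" "$d/cmdline-evil" \
    || echo "key withheld for the tampered cmdline"
rm -rf "$d"
```

Change any one stand-in, or the order in which they are extended, and the expected value changes; that is exactly why tpm-luks-update has to precompute again after every kernel, initramdisk, bootloader or cmdline change, and why a mismatch leaves the key unreachable until you boot the expected state again.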
If you modify your bootloader (e.g. reinstall grub or change its configuration), or manually tamper with your kernel image, cmdline or initramdisk, you must also run tpm-luks-update manually to perform the PCR precomputation and NVRAM data migration. Otherwise you lose access to your TPM-stored key after a reboot (unless you can reboot back into a state which is expected by the TPM and recover the key manually).
If you lose your TPM-stored key, it is easy to kill the key from the LUKS header (cryptsetup luksKillSlot /dev/sdXY N, where /dev/sdXY is your encrypted device and N is the slot number of your TPM-stored key) and then re-run tpm-luks-init.
Note: if you change /etc/tpm-luks.conf and then run tpm-luks-update (either directly or by updating the kernel or initramdisk), all TPM keys are released and you will have to re-run tpm-luks-init! This is a current limitation of tpm-luks-update and might be fixed in the next release.
The system is moderately secure, based on these assumptions:
Additional possible measurements are:
The following risks are NOT mitigated in the proposed set-up below:
Be aware that if an attacker gets hold of a computer protected by just a LUKS password, they can try a cold boot attack once. If they get a TPM-unlocked PC, they can try over and over again, since every boot unlocks the drive. Whether and how to counter these types of attacks, for example by using an extra PIN to protect the LUKS key stored in the TPM, is a matter for further discussion. Please also note that tpm_nvread can (after the default tpm-tools installation) be executed by any user, which means any local user can read your LUKS key.
This set-up also does not protect you against a misconfigured console (or GUI; e.g. not disabling the Guest session is generally a very bad idea), nor does it protect you against a misconfigured firewall and/or network applications (such as network shares without a password). If an attacker gets local access, you lose.
Also, if you do not trust your motherboard vendor, your TPM vendor or your system at all, do not use these tools.
First, bring your system up to date:
sudo apt update && sudo apt dist-upgrade
A prebuilt repository of Ubuntu DEB packages is available:
sudo apt-add-repository ppa:radek-zajic/measuredluks
This will install grub with support for measured boot:
sudo apt update && sudo apt dist-upgrade
This step installs the toolset from this repository:
sudo apt install tpm-luks
Into /etc/tpm-luks.conf add the following line:
LUKS_INITRD_ENABLE=1
Then configure DEVICE="/dev/sdXY", e.g. /dev/sdf3, where sdXY is your encrypted rootfs.
Next, the passwords must be configured. If you already have another tpm-luks secured system and want to reuse its settings, open /etc/tpm-luks.conf and copy & paste OWNERPASS and NVPASS from that system's /etc/tpm-luks.conf. Otherwise, set your own OWNERPASS and NVPASS passwords in /etc/tpm-luks.conf.
On UEFI systems, check the boot order and, if needed, change it so that the entry you are going to measure is the default:
efibootmgr -v # lists boot entries
efibootmgr -o 9,8,0 # change boot order to entries 9, 8, 0
You can also adjust the measurements executed by modifying these variables in /etc/tpm-luks.conf:
PCRS_UEFI for UEFI-based boot
PCRS_BIOS for BIOS-based (MBR) boot
Do NOT use PCR[10] for measurements, please.
In /etc/default/grub, remove the splash keyword from GRUB_CMDLINE_LINUX_DEFAULT; with splash present, grub adds the $vt_handoff variable to the kernel command line, which breaks the precomputation script. Add panic=60 to your kernel cmdline, otherwise your LUKS-TPM set-up is exploitable and the LUKS key can be easily stolen: without a panic timeout, a failed boot drops into the initramfs shell while the PCRs still hold the expected values, so the key can simply be read out of the TPM from there.
Optional: if you want to start multiple entries from grub, please change the savedefault parameters:
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
sudo update-grub
sudo grub-install /dev/sdX # where sdX is your boot drive
This is to ensure the PCRs will be precomputed properly (useful mainly if you are using PCR[8] or PCR[11] for sealing, which cannot be precomputed as of now).
This step adds necessary code for TPM unlocking to your initramfs.
sudo update-initramfs -k all -u
In this step, the scripts add a new LUKS key to your LUKS-protected drive, then store this key in TPM NVRAM. The passwords and PCR states established in the steps above are used to protect this key, so that the NVRAM index can only be read if the NVRAM password is known and the PCR state matches. In all other cases, access to the NVRAM is denied.
sudo tpm-luks-init
Your PC should boot without entering the LUKS password now!
Finally, restrict tpm_nvread to root, because after the default tpm-tools installation any user can execute it and read the key from NVRAM:
sudo chmod 0700 /usr/sbin/tpm_nvread
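Before running tpm-luks-init it is worth verifying that the settings from the steps above actually landed in the files. The following added pre-flight check script is not part of tpm-luks; it takes the file paths as parameters so it can be run against copies, and the /etc/default/grub, /etc/tpm-luks.conf and /usr/sbin/tpm_nvread locations in the stand-alone run at the bottom are the Ubuntu defaults assumed here. GRUB_CMDLINE_LINUX_DEFAULT is the variable Ubuntu uses for the "quiet splash" part of the cmdline.

```shell
#!/bin/sh
# Pre-flight checks for the grub and tpm-luks.conf settings the guide requires.
# Added example, not part of tpm-luks. Assumes GNU sed and stat (standard on Ubuntu).

grub_cmdline_default() {
    # Print the value of GRUB_CMDLINE_LINUX_DEFAULT from a grub defaults file ($1).
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tail -n 1
}

check_grub() {
    # Returns 0 only if 'splash' is absent and panic=<seconds> is present in $1.
    cmdline=$(grub_cmdline_default "$1")
    rc=0
    case " $cmdline " in
        *" splash "*)
            echo "FAIL: 'splash' is set; grub then adds \$vt_handoff, which breaks PCR precomputation"
            rc=1 ;;
    esac
    case " $cmdline " in
        *" panic="[0-9]*) ;;
        *)
            echo "FAIL: panic=<seconds> missing; a failed boot would drop to an initramfs shell with the key readable"
            rc=1 ;;
    esac
    return $rc
}

conf_value() {
    # Print the value of shell-style setting $2 (VAR=value or VAR="value") from file $1.
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

check_tpm_luks_conf() {
    # Returns 0 only if every setting the guide asks for is present in $1.
    rc=0
    [ "$(conf_value "$1" LUKS_INITRD_ENABLE)" = 1 ] \
        || { echo "FAIL: LUKS_INITRD_ENABLE=1 missing"; rc=1; }
    case "$(conf_value "$1" DEVICE)" in
        /dev/*) ;;
        *) echo "FAIL: DEVICE is not set to a /dev path"; rc=1 ;;
    esac
    for v in OWNERPASS NVPASS; do
        [ -n "$(conf_value "$1" "$v")" ] || { echo "FAIL: $v is empty"; rc=1; }
    done
    return $rc
}

check_nvread_perms() {
    # Returns 0 if $1 (normally /usr/sbin/tpm_nvread) is mode 0700, i.e. not runnable by other users.
    [ "$(stat -c %a "$1")" = 700 ]
}

# Stand-alone run against the live files when they are readable (tpm-luks.conf needs root).
if [ -r /etc/default/grub ]; then
    check_grub /etc/default/grub && echo "OK: /etc/default/grub"
fi
if [ -r /etc/tpm-luks.conf ]; then
    check_tpm_luks_conf /etc/tpm-luks.conf && echo "OK: /etc/tpm-luks.conf"
fi
if [ -x /usr/sbin/tpm_nvread ]; then
    check_nvread_perms /usr/sbin/tpm_nvread || echo "FAIL: /usr/sbin/tpm_nvread is not mode 0700"
fi
```

Run it as root after editing the two files and before sudo tpm-luks-init; every FAIL line names the step above that still has to be completed. Because the checks are plain functions taking a path, they can also be pointed at a saved copy of the files when reviewing another machine's configuration.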