Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
Hi all,

Change author here. I think that everything is on-track now. Sorry I hadn't seen any of these messages before; there's a newer post over here (https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/L64OGN7XWO7VQEUDKFB3IJ2HYUFTSPFA/) and I hadn't realised that this had been active. I've posted two scripts over there too. I'd appreciate any feedback on them.

Chris,

The only system for automatic decryption with a TPM that I know of is clevis, which operates in the initramfs for both LUKS1 and LUKS2. I mention it in the change proposal as a recommendation, but it is by no means a requirement.

Petr,

While you are correct, I'd rather attempt to prevent tampering and also set up a system through which to detect any. Besides, this change proposal is simply meant to offer security-minded users options that weren't available to them before.

Benjamin

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Friday, 05 April 2019 at 10:00, Petr Pisar wrote:
[...]
> What's the point of encrypting /boot? All the executed bits from /boot
> (grub, kernel, and initramdisk) are measured by TPM. Thus if somebody
> tampers them, root file system decryption that uses TPM will fail.

Not everyone has a TPM chip in their machine...

Regards,
Dominik
-- 
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Fri, 5 Apr 2019 at 04:01, Petr Pisar wrote:
>
> > Well, why can't we have LUKS1-encrypted /boot and enter the encryption
> > password by hand? That's still better than unencrypted /boot.
> >
> What's the point of encrypting /boot? All the executed bits from /boot
> (grub, kernel, and initramdisk) are measured by TPM. Thus if somebody
> tampers them, root file system decryption that uses TPM will fail.
>

I expect it is in the case where the TPM is not available or where you
have been given a mandate to maintain confidentiality for all bits even
if you have integrity covered. [Sometimes confidentiality is more prized
than availability.]

> -- Petr

-- 
Stephen J Smoogen.
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On 2019-04-03, Dominik 'Rathann' Mierzejewski wrote:
> On Wednesday, 03 April 2019 at 21:30, Chris Murphy wrote:
>> On Wed, Apr 3, 2019 at 2:58 AM Dominik 'Rathann' Mierzejewski wrote:
>> >
>> > On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
>> > > On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton wrote:
>> > > >
>> > > > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
>> > > >
>> > > This Change proposal is on hold.
>> >
>> > Too bad. As a long-time SecureBoot user, I was looking forward to being
>> > able to have encrypted /boot on Fedora.
>>
>> I'm not sure if this has anything to do with why it's on hold, but
>> GRUB does not support LUKS2. And there are no TPM bindings supported
>> in LUKS1, but are in LUKS2. In order to get to full disk encryption
>> out of the box by default with automatic unlock (measured boot to
>> obtain the cryptographic key from the TPM), needs LUKS2. So in effect
>> that means we either need GRUB to support LUKS2, or settle on an
>> unencrypted /boot.
>
> Well, why can't we have LUKS1-encrypted /boot and enter the encryption
> password by hand? That's still better than unencrypted /boot.
>
What's the point of encrypting /boot? All the executed bits from /boot
(grub, kernel, and initramdisk) are measured by TPM. Thus if somebody
tampers them, root file system decryption that uses TPM will fail.

-- Petr
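As an added illustration of the mechanism Petr describes here (and of the "detect any tampering" goal Benjamin raises further up the thread), the Python model below is not code from the change proposal, GRUB, clevis, or any real TPM stack. It simulates one SHA-256 PCR bank: each /boot component is hashed and extended into the PCR in boot order, a disk key is sealed to the expected PCR value, and unsealing only succeeds when the PCR computed at boot matches. The boot-chain bytes, the "TPM secret" and the volume key are all constructed placeholders; a real TPM keeps its secret in hardware and enforces the PCR policy itself rather than handing the check to Python.

```python
"""Toy model of TPM measured boot with a PCR-sealed disk key.

Added example for the thread above; not from Fedora, GRUB, clevis or any
TPM library. Everything here (chain contents, TPM seed, volume key) is a
constructed placeholder.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank: a PCR starts as 32 zero bytes at power-on

# Constructed stand-ins for the files a real chain measures (not real binaries).
KNOWN_GOOD_CHAIN = [
    ("shim", b"shimx64.efi (constructed placeholder bytes)"),
    ("grub", b"grubx64.efi (constructed placeholder bytes)"),
    ("kernel", b"vmlinuz (constructed placeholder bytes)"),
    ("initramfs", b"initramfs.img (constructed placeholder bytes)"),
]


def measure(blob: bytes) -> bytes:
    """Digest of one component, as firmware/bootloader records it in the event log."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). Order-dependent and one-way."""
    return hashlib.sha256(pcr + digest).digest()


def boot_and_measure(chain):
    """Walk the chain in boot order; return the final PCR and a (name, digest) event log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in chain:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def seal(key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Bind a 32-byte key to a PCR value (stand-in for TPM2 sealing under a PCR policy)."""
    assert len(key) == PCR_SIZE
    wrap = hmac.new(tpm_secret, expected_pcr, "sha256").digest()
    ciphertext = bytes(k ^ w for k, w in zip(key, wrap))
    tag = hmac.new(wrap, ciphertext, "sha256").digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes, tpm_secret: bytes):
    """Return the key only if current_pcr equals the PCR it was sealed to, else None."""
    wrap = hmac.new(tpm_secret, current_pcr, "sha256").digest()
    tag = hmac.new(wrap, sealed["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # policy mismatch: a real TPM refuses to release the key
    return bytes(c ^ w for c, w in zip(sealed["ciphertext"], wrap))


def first_tampered(reference_log, observed_log):
    """Compare event logs; name the first component whose digest changed, or None."""
    for (ref_name, ref_digest), (_, obs_digest) in zip(reference_log, observed_log):
        if ref_digest != obs_digest:
            return ref_name
    return None


def run_scenario(boot_chain):
    """Provision against KNOWN_GOOD_CHAIN, then 'boot' boot_chain and report what happened."""
    tpm_secret = b"constructed TPM seed; in reality it never leaves the chip"
    disk_key = hashlib.sha256(b"constructed LUKS volume key").digest()
    good_pcr, good_log = boot_and_measure(KNOWN_GOOD_CHAIN)
    sealed = seal(disk_key, good_pcr, tpm_secret)

    pcr, log = boot_and_measure(boot_chain)
    released = unseal(sealed, pcr, tpm_secret)
    return {
        "pcr_matches": pcr == good_pcr,
        "key_released": released == disk_key,
        "tampered_component": first_tampered(good_log, log),
    }


if __name__ == "__main__":
    print("untouched chain:  ", run_scenario(KNOWN_GOOD_CHAIN))
    modified = [(n, b + b"!") if n == "initramfs" else (n, b) for n, b in KNOWN_GOOD_CHAIN]
    print("modified initramfs:", run_scenario(modified))
```

Two things the model makes visible that the prose only states: a one-byte change anywhere in the chain leaves the PCR unrelated to the expected value, so the sealed key is simply not released (integrity enforced at unlock time), and the event log is what lets a defender name which component changed. It also shows what measurement does not give you: the chain bytes are hashed but never encrypted, which is the confidentiality gap Stephen's reply is about.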
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Wednesday, 03 April 2019 at 21:30, Chris Murphy wrote:
> On Wed, Apr 3, 2019 at 2:58 AM Dominik 'Rathann' Mierzejewski wrote:
> >
> > On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
> > > On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton wrote:
> > > >
> > > > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
> > > >
> > > This Change proposal is on hold.
> >
> > Too bad. As a long-time SecureBoot user, I was looking forward to being
> > able to have encrypted /boot on Fedora.
>
> I'm not sure if this has anything to do with why it's on hold, but
> GRUB does not support LUKS2. And there are no TPM bindings supported
> in LUKS1, but are in LUKS2. In order to get to full disk encryption
> out of the box by default with automatic unlock (measured boot to
> obtain the cryptographic key from the TPM), needs LUKS2. So in effect
> that means we either need GRUB to support LUKS2, or settle on an
> unencrypted /boot.

Well, why can't we have LUKS1-encrypted /boot and enter the encryption
password by hand? That's still better than unencrypted /boot.

Regards,
Dominik
-- 
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Wed, Apr 3, 2019 at 2:58 AM Dominik 'Rathann' Mierzejewski wrote:
>
> On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
> > On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton wrote:
> > >
> > > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
> > >
> > This Change proposal is on hold.
>
> Too bad. As a long-time SecureBoot user, I was looking forward to being
> able to have encrypted /boot on Fedora.

I'm not sure if this has anything to do with why it's on hold, but
GRUB does not support LUKS2. And there are no TPM bindings supported
in LUKS1, but are in LUKS2. In order to get to full disk encryption
out of the box by default with automatic unlock (measured boot to
obtain the cryptographic key from the TPM), needs LUKS2. So in effect
that means we either need GRUB to support LUKS2, or settle on an
unencrypted /boot.

-- 
Chris Murphy
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Thursday, 28 March 2019 at 17:30, Ben Cotton wrote:
> On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton wrote:
> >
> > https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
> >
> This Change proposal is on hold.

Too bad. As a long-time SecureBoot user, I was looking forward to being
able to have encrypted /boot on Fedora.

Regards,
Dominik
-- 
Fedora https://getfedora.org | RPM Fusion http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan
Re: F31 Self-Contained Change proposal: Include several modules in the EFI build of Grub2 for security use-cases
On Mon, Mar 25, 2019 at 4:12 PM Ben Cotton wrote:
>
> https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2
>
This Change proposal is on hold.

-- 
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
Pronouns: he/him