Hi group,
Hopefully Kent Yoder will see this and respond, in reference to his 2012-11-28
announcement of the tpm-luks tools.
I think there is a problem in tpm_nvdefine / tpm_nvwrite / tpm_nvread still.
I am using -f to send in the PCR list. I think maybe the -r and -w options for
tpm_nvdefine must be used. This is a long message, but it is also some feedback on
the tpm-luks tool that Kent requested.
here goes:
I have tpm-tools 1.3.9, TrouSerS 0.3.10, cryptsetup 1.6.2, TrustedGRUB-1.1.5
on an x86 architecture Linux system.
After a few mods of the tpm-luks scripts I managed to get to where I can generate
the NVPERMS files for PCRs 4, 5, 12, and 14. We made some mods because, for some
reason, perhaps our version of bash, some of the commands in the script did not
work. My colleague, Cameron Durham, for instance, found that line 122 in tpm-luks
needed an extra pair of parens around ${NV_INDEXES[$i]}
# On line 122 in tpm-luks change line to
# if [ $(( ${NV_INDEXES[$i]} )) -lt ${TPM_LUKS_NV_INDEX_LIMIT} ]; then
And in tpm-luks-gen-tgrub-pcr-values
the lines like
KERNELS=( $(cat ${MENU} | awk -F "\n" '$1 ~ /^\Wkernel/ { print $0 }') )
produced an empty line. Our bash had a problem with "^\W" in these lines, for
instance.
This one worked for me
KERNELS=( $(cat ${MENU} | awk '$1 ~ /kernel/ { print $0 }') )
My application is to encrypt a hard disk partition, /dev/sda2.
So I start with
$ cryptsetup --debug -c aes-cbc-plain -s 256 luksFormat /dev/sda2
The above asks for my initial passphrase and puts it in LUKS index 0
I then made a LUKS name for /dev/sda2
$ cryptsetup open /dev/sda2 secretfs
the luksDump is
$ cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2
Version: 1
Cipher name: aes
Cipher mode: cbc-plain
Hash spec: sha1
Payload offset: 4096
MK bits: 256
MK digest: 12 26 d7 4c a2 81 6b b5 cd 5e 76 4a 34 b6 52 a7 71 c4 ff fa
MK salt: 8c ed 15 7a 74 68 6b 97 e8 13 df 08 14 db b5 0a
b0 00 0e 18 fb f8 0b fd 4d be 5f 7e 17 e3 bc 41
MK iterations: 16750
UUID: 7438bfd3-878c-4778-a296-c5eae309a3a3
Key Slot 0: ENABLED
Iterations: 66805
Salt: 20 48 70 a5 3a 0f 44 d9 9e 16 95 9f ca 68 de 22
bf 46 be 32 94 bc ce fe ba 25 4d 34 c9 a9 55 c3
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
I then made a mount point /mnt/thePartition/secretfs and mounted
/dev/mapper/secretfs there.
I put a file junk.dat in /mnt/thePartition/secretfs
In /etc/tpm-luks.conf I put in a line like
/dev/sda2:9:/usr/sbin/tpm-luks-gen-tgrub-pcr-values
So now I ran tpm-luks-init
$ tpm-luks-init
So from tpm-luks-init (with my added debug statements), and based on my menu.lst,
I got something like
root@crownbay-noemgd:/# tpm-luks-init
Generating PCR values for /dev/sda2...
w 12 baa02214e76f7edd250994405ad9563dfb483443
w 14 fe9aba7c51bae06a65a99e0cbb862d49be06d4f0
tpm-luks-gen... removed tempfile
In tpm-luks Before call to tpm-luks -c...PCRs r-w permissions file is:
r 4 3d80d7fe658e835d58e12f97f72a713ac7660817
r 5 e51eb6a9f41824f63ec60a44237c5c2116b4f991
r 12 baa02214e76f7edd250994405ad9563dfb483443
r 14 fe9aba7c51bae06a65a99e0cbb862d49be06d4f0
Creating new TPM NVRAM secret for /dev/sda2...
Enter a new TPM NV area password:
Re-enter the new TPM NV area password:
Enter your TPM owner password:
NVINDEX is 9 KEYFILE_SIZE is 32 RW_PERMS is AUTHREAD|AUTHWRITE
PERMSFILE is /tmp/tpm-luks-init-7UQrlH
Tspi_NV_DefineSpace failed: 0x0000313b - layer=tsp, code=013b (315), NVRAM area
already exists
tpm-luks tpm_nvdefine uses -f with file /tmp/tpm-luks-init-7UQrlH as below
r 4 3d80d7fe658e835d58e12f97f72a713ac7660817
r 5 e51eb6a9f41824f63ec60a44237c5c2116b4f991
r 12 baa02214e76f7edd250994405ad9563dfb483443
r 14 fe9aba7c51bae06a65a99e0cbb862d49be06d4f0
Successfully wrote 32 bytes at offset 0 to NVRAM index 0x9 (9).
in nv_devine_and_write just called tpm_nvwrite
DATAFILE is /dev/shm/key and dumped:
0000000 0e 30 a6 ec 58 f3 79 0f 43 b8 0b d9 c4 b9 a9 41
0000020 2c cc 0c 17 d6 3d 7d b6 94 74 ce 4e e5 70 44 66
0000040
You will now be prompted to enter any valid LUKS passphrase in order to store
the new TPM NVRAM secret in LUKS key slot 1:
key slot 1 1 1
cryptsetup KEY_SLOT is 1 DEVICE is /dev/sda2 KEYFILE is /dev/shm/key and
dumped:
0000000 0e 30 a6 ec 58 f3 79 0f 43 b8 0b d9 c4 b9 a9 41
0000020 2c cc 0c 17 d6 3d 7d b6 94 74 ce 4e e5 70 44 66
0000040
Enter any passphrase:
Using NV index 9 for device /dev/sda2
----------------------
Okay, see, I modified the script to spit out the LUKS secret that I presume was
"massaged" with the PCR list in tpm_nvdefine and tpm_nvwrite.
The binary dumps are above.
The problem is that I can alter menu.lst to add a checkfile. This changes PCR-12.
So I do a reboot and I get something in PCR-13, but disturbingly my key file from
tpm_nvread still worked and decrypted the /dev/sda2 partition!
I could access my junk.dat file.
I expected not to be able to get to my LUKS partition.
Why?
------------
root@crownbay-noemgd:/boot/grub# reboot
The system is going down for reboot NOW!
(broadcast fragment interleaved with the prompt: ...mgd (pts/0) (Thu Nov 21 01:40:21 2013)
root@crownbay-noemgd:/boot/grub# Write failed: Broken pipe
macbookpro-708c:Downloads billmartin$ !ssh
ssh [email protected]
[email protected]'s password:
root@crownbay-noemgd:~# cat /sys/class/misc/tpm0/device/pcrs
PCR-00: 87 6A 18 78 C5 43 62 C8 95 06 61 48 8E 60 23 49 F2 A0 89 11
PCR-01: 30 66 6A 4A C8 31 C0 12 ED E5 D7 EF B0 25 88 85 73 DE FC 07
PCR-02: 8A 06 1C B2 CF 13 39 7F A1 A2 28 A4 1F 31 1D 6A D0 92 2E 2F
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: 3D 80 D7 FE 65 8E 83 5D 58 E1 2F 97 F7 2A 71 3A C7 66 08 17
PCR-05: E5 1E B6 A9 F4 18 24 F6 3E C6 0A 44 23 7C 5C 21 16 B4 F9 91
PCR-06: 78 CD 77 59 86 6A 77 D0 31 03 C2 03 5B F7 DC 7E 61 DC 19 2E
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: E6 08 14 11 5E 11 FC 94 18 29 5B F9 43 8F 1F 03 F7 80 37 AA
PCR-09: 94 D7 CA 5B D0 78 86 40 56 FC 47 19 68 AF 4F CC CE 4C 1C 67
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 44 AF 1D 83 74 2D F5 97 05 E6 6D 1D 2C 63 76 D5 6C CE 2E 8D
PCR-13: 79 85 5C 47 87 93 72 67 DA D4 49 91 C7 0D AD F1 D6 A0 25 8C
PCR-14: FE 9A BA 7C 51 BA E0 6A 65 A9 9E 0C BB 86 2D 49 BE 06 D4 F0
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
root@crownbay-noemgd:~# tpm-luks -o secretfs -d /dev/sda2
Enter your TPM NVRAM password for index 0x00000009:
in luks_open tmpfs_keyfile is
0000000 0e 30 a6 ec 58 f3 79 0f 43 b8 0b d9 c4 b9 a9 41
0000020 2c cc 0c 17 d6 3d 7d b6 94 74 ce 4e e5 70 44 66
0000040
root@crownbay-noemgd:~# ls /dev/mapper/
control secretfs
root@crownbay-noemgd:~# mount /dev/mapper/secretfs /mnt/thePartition/secretfs/
root@crownbay-noemgd:~# ls -lta /mnt/thePartition/secretfs/
total 145580
-rw-r--r-- 1 root root 148897792 Nov 21 01:31 junk.dat
drwxr-xr-x 3 root root 4096 Nov 21 01:30 .
drwxr-xr-x 3 root root 4096 Nov 21 01:29 ..
drwx------ 2 root root 16384 Nov 21 01:28 lost+found
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
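Added example, placed after the post and not code from tpm-luks or from Kent Yoder: a POSIX shell script that builds the "r/w INDEX SHA1" permissions file tpm_nvdefine -f expects from the kernel's /sys/class/misc/tpm0/device/pcrs dump shown in the post, then defines the NV area and stops if tpm_nvdefine fails (the "NVRAM area already exists" case in the transcript above, where the run went on to tpm_nvwrite against the previously defined area). It reads current values for every requested PCR, whereas tpm-luks-gen-tgrub-pcr-values predicts PCRs 12 and 14 from menu.lst. The SAMPLE_PCRS lines are copied from the PCR listing in the post; the function names pcr_perms and define_nv_area are the example's own; the tpm_nvinfo output is assumed to carry the NV index's PCR read/write selection as in tpm-tools.

```shell
#!/bin/sh
# Added example (not tpm-luks's own code). Converts a sysfs PCR dump into the
# PCR permissions file used by "tpm_nvdefine -f", and defines an NV area with
# it without continuing past a failed define.

# Sample dump, copied from the PCR listing in the post above (four lines are
# enough to exercise the conversion; a real run reads the sysfs file instead).
SAMPLE_PCRS='PCR-04: 3D 80 D7 FE 65 8E 83 5D 58 E1 2F 97 F7 2A 71 3A C7 66 08 17
PCR-05: E5 1E B6 A9 F4 18 24 F6 3E C6 0A 44 23 7C 5C 21 16 B4 F9 91
PCR-12: 44 AF 1D 83 74 2D F5 97 05 E6 6D 1D 2C 63 76 D5 6C CE 2E 8D
PCR-14: FE 9A BA 7C 51 BA E0 6A 65 A9 9E 0C BB 86 2D 49 BE 06 D4 F0'

# pcr_perms MODE INDEX... : read a sysfs-style dump on stdin and print one
# "MODE INDEX SHA1" line per requested PCR (MODE is r or w). The hex is
# lowercased with spaces removed, matching the "r 4 3d80d7fe..." lines in the
# post. A PCR missing from the dump is an error, not a silently shorter file.
# (Hypothetical function name; awk only, no bash-specific syntax.)
pcr_perms() {
    mode=$1; shift
    dump=$(cat)
    for idx in "$@"; do
        line=$(printf '%s\n' "$dump" | awk -v want="$idx" '
            /^PCR-[0-9]+:/ {
                n = substr($1, 5); sub(":", "", n); n = n + 0
                if (n == want + 0) { $1 = ""; v = $0; gsub(/ /, "", v); print tolower(v) }
            }')
        [ -n "$line" ] || { echo "PCR $idx not found in dump" >&2; return 1; }
        printf '%s %s %s\n' "$mode" "$idx" "$line"
    done
}

# define_nv_area INDEX SIZE PERMSFILE : define the NV area bound to the PCRs in
# PERMSFILE. tpm_nvdefine does not redefine an index that already exists, so an
# earlier define (possibly with no PCR binding at all) would otherwise stay in
# force while tpm_nvwrite happily writes the key into it. The tools prompt for
# the owner and area passwords. Not run by the test; needs a TPM and tcsd.
define_nv_area() {
    idx=$1; size=$2; perms=$3
    if tpm_nvinfo -i "$idx" 2>/dev/null | grep -q .; then
        echo "NV index $idx is already defined; run: tpm_nvrelease -i $idx" >&2
        echo "and re-run, otherwise the old permissions/PCR binding remain." >&2
        return 1
    fi
    tpm_nvdefine -i "$idx" -s "$size" -p 'AUTHREAD|AUTHWRITE' -f "$perms" || return 1
    # Show the resulting PCR read/write selection so the binding can be eyeballed
    # before any key is written (assumed tpm_nvinfo output layout).
    tpm_nvinfo -i "$idx"
}

# Typical use (commented out so the file can be sourced without a TPM):
#   cat /sys/class/misc/tpm0/device/pcrs | pcr_perms r 4 5 12 14 > /tmp/nvperms
#   cat /sys/class/misc/tpm0/device/pcrs | pcr_perms w 12 14 >> /tmp/nvperms
#   define_nv_area 9 32 /tmp/nvperms && tpm_nvwrite -i 9 -f /dev/shm/key
```

After the define, a quick negative test of the binding is to change one of the bound PCRs (a different checkfile in menu.lst, then reboot, as in the post) and run tpm_nvread -i 9 -s 32 -f /dev/null: with the PCR selection in force the TPM refuses the read instead of returning the key, and tpm_nvinfo -i 9 should show the bound PCRs in its read selection.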