Read up on things like:

https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2

Follow up on the idea of storing the LUKS header remotely (a detached header, so the encrypted disk itself carries no header or keyslots): https://linuxconfig.org/how-to-use-luks-with-a-detached-header


  • Comments

    • oertel
      over 2 years ago by oertel | Reply

      Worked on the luks2.sh script from https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2 so that it also supports a layout where only /boot/efi is a separate partition and / (including /boot) lives on LVM inside the encrypted disk:

      ```

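      #!/bin/bash
      #
      # Build a GRUB EFI image with an embedded early config that unlocks the LUKS
      # container (cryptomount) and then hands over to the regular grub.cfg.
      # Based on the luks2.sh script from SDB:LUKS2,_TPM2_and_FIDO2, extended for a
      # layout with only /boot/efi on its own partition and / (incl. /boot) on LVM
      # inside the encrypted disk.
      #
      # NOTE(review): grub2-mkimage does not sign its output. Copying the image over
      # grubx64.efi replaces the distribution's signed loader; with Secure Boot
      # enabled, shim will refuse to start it unless it is signed with an enrolled
      # key -- confirm the Secure Boot state before running this.

      set -o pipefail

      # Print an error to stderr and abort.
      die() {
          echo "error: $*" >&2
          exit 1
      }

      [ "$(id -u)" -eq 0 ] || die "must run as root"

      LVM=""
      GRUBROOT=""
      GRUB_PREFIX=""

      # Block device backing /boot/grub2: first column of df's last line.
      GRUBMOUNT=$(df /boot/grub2 | tail -n1) || die "df /boot/grub2 failed"
      GRUBMOUNT=${GRUBMOUNT%% *}

      # lsblk -r columns: NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT. The trailing
      # space in the pattern keeps /dev/sda1 from also matching /dev/sda10.
      set -- $(lsblk -p -r | grep "^$GRUBMOUNT ")
      DEV=$1
      TYP=$6
      MP=$7

      case $TYP in
          lvm)
              LVM="lvm"
              LVMGRUB=${GRUBMOUNT#/dev/mapper/}
              GRUBROOT="($LVM/$LVMGRUB)"
              # Keep the quotes: an unquoted VAR=(...) is an array assignment in bash
              # and would drop the parentheses GRUB needs around the device name.
              case $MP in
                  /)           GRUB_PREFIX="($LVM/$LVMGRUB)/boot/grub2" ;;
                  /boot)       GRUB_PREFIX="($LVM/$LVMGRUB)/grub2" ;;
                  /boot/grub2) GRUB_PREFIX="($LVM/$LVMGRUB)" ;;
                  *)           die "unexpected mountpoint '$MP' for $DEV" ;;
              esac
              ;;
          part)
              LVM=""
              # GRUB drive name for the disk. A pattern of "/dev/sda)" alone never
              # matches a partition node such as /dev/sda2, hence the globs.
              case $DEV in
                  /dev/sda*) DISK=hd0 ;;
                  /dev/sdb*) DISK=hd1 ;;
                  /dev/sdc*) DISK=hd2 ;;
                  *)         die "no GRUB drive mapping for $DEV; extend the table above" ;;
              esac
              # Partition number = trailing digits of the node (also works for >= 10).
              PART=${DEV##*[!0-9]}
              [ -n "$PART" ] || die "cannot derive a partition number from $DEV"
              # GRUB's partition syntax is (hdN,gptM) with a comma.
              GRUB_PREFIX="($DISK,gpt$PART)"
              case $MP in
                  /)     die "/ not encrypted, not needed here" ;;
                  /boot) GRUB_PREFIX="$GRUB_PREFIX/grub2" ;;
              esac
              ;;
          *)
              die "unsupported device type '$TYP' for $GRUBMOUNT"
              ;;
      esac

      # Root filesystem; when it sits directly on a dm-crypt mapping, GRUB names
      # it crypto0 (the first device opened by cryptomount).
      set -- $(lsblk -p -r | grep " /$")
      ROOTDEV=$1
      ROOTTYP=$6
      case $ROOTTYP in
          crypt) GRUBROOT=crypto0 ;;
      esac

      # UUID of the LUKS container. Query blkid for the value instead of eval'ing
      # its output line: eval on strings read from on-disk metadata is an
      # injection risk. The first crypto_LUKS device found is used, as before.
      LUKS_DEV=$(blkid -t TYPE=crypto_LUKS -o device | head -n1)
      [ -n "$LUKS_DEV" ] || die "no crypto_LUKS device found"
      UUID=$(blkid -s UUID -o value "$LUKS_DEV")
      [ -n "$UUID" ] || die "could not read the UUID of $LUKS_DEV"
      # cryptomount -u takes the UUID without dashes.
      TARGET=${UUID//-/}

      [ -n "$GRUBROOT" ]    || die "could not determine the GRUB root device"
      [ -n "$GRUB_PREFIX" ] || die "could not determine the GRUB prefix"

      GRUB_MODULES="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs gcry_sha256 gcry_sha1 ext2 luks $LVM"

      grub2-install --target=x86_64-efi --modules="$GRUB_MODULES" || die "grub2-install failed"

      # Temporary files go through mktemp: a fixed name such as /tmp/image could be
      # pre-created by an unprivileged user, who could then alter the loader image
      # between grub2-mkimage writing it and the copy to the ESP.
      CONFIG=$(mktemp /tmp/grub-config.XXXXX) || die "mktemp failed"
      IMAGE=$(mktemp /tmp/grubx64.XXXXXX) || die "mktemp failed"
      trap 'rm -f "$CONFIG" "$IMAGE"' EXIT

      # Early config embedded in the image: unlock the container, then load the
      # regular grub.cfg from the prefix inside it.
      printf '%s\n' \
          "cryptomount -u \"$TARGET\"" \
          "set root=$GRUBROOT" \
          "set prefix=$GRUB_PREFIX" \
          "insmod normal" \
          "normal" >"$CONFIG"

      cat "$CONFIG"

      grub2-mkimage \
          -p "$GRUB_PREFIX" \
          -O x86_64-efi \
          -c "$CONFIG" \
          -o "$IMAGE" \
          $GRUB_MODULES || die "grub2-mkimage failed"

      # Keep the previous loader so a broken image can be rolled back.
      cp -v /boot/efi/EFI/opensuse/grubx64.efi /boot/efi/EFI/opensuse/grubx64.efi.bak
      cp -v "$IMAGE" /boot/efi/EFI/opensuse/grubx64.efi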

      ```

    • oertel
      over 2 years ago by oertel | Reply

      Hacked up a patch for systemd so that the user gets a visible hint at boot that the FIDO2 token needs to be touched:

      ```
      --- a/src/shared/libfido2-util.c
      +++ b/src/shared/libfido2-util.c
      @@ -345,6 +345,13 @@ static int fido2usehmachashspecifictoken(
       lognotice("%s%sPlease confirm presence on security to unlock.", emojienabled() ? specialglyph(SPECIALGLYPHTOUCH) : "", emojienabled() ? " " : "");
      +
      + if (!retrywithup) {
      + /* notify user for a few secs on first try */
      + _cleanup(strvfreeerasep) char **pin = NULL;
      + askpasswordauto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usecadd(now(CLOCKMONOTONIC), 5 * USECPERSEC), 0, &pin);
      + }
      + retrywithup = true;
       }
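Review bot: The ask_password_auto() call added inside `if (!retrywithup)` runs before the assertion is handed to the token and, judging by its `until` deadline of now()+5s, presumably blocks until an agent answers or the deadline passes, so the user is told to confirm presence during a window in which the token is not yet waiting for a touch, and the device's real touch prompt only begins once this block has finished (the body of the enclosing function continues outside the hunk). Its return value is dropped and `pin` is written only to be erased by the cleanup, so whatever a user types into what looks like a password prompt — plausibly a recovery passphrase — is discarded without even a debug log. At minimum make the discard explicit and documented, e.g. `/* Visible notice only: the answer, if any, is ignored and erased. */` above `(void) ask_password_auto(...)`; if only a prompt in the agents is wanted, a mechanism that does not wait for an answer would avoid a 5 s stall on every first attempt.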

      ```

    • oertel
      over 2 years ago by oertel | Reply

      For the systemd v249 package on 15.4 the equivalent patch is:

      ```
      --- systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:41:51 1.1
      +++ systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:42:43
      @@ -292,6 +292,11 @@
       lognotice("%s%sPlease confirm presence on security token to unlock.", emojienabled() ? specialglyph(SPECIALGLYPHTOUCH) : "", emojienabled() ? " " : "");
      +
      + /* notify user for a few secs on first try /
      + cleanup(strvfreeerasep) char *pin = NULL;
      + askpasswordauto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usecadd(now(CLOCKMONOTONIC), 5 * USECPERSEC), 0, &pin);
      + }

           if (has_uv && !FLAGS_SET(required, FIDO2ENROLL_UV_OMIT)) {
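Review bot: The last added line is a bare `}` while no opening brace is added and no line is removed (the hunk is -292,6 +292,11), so unless the `lognotice` call above already sits inside a braced block whose closing brace lies outside the hunk, this variant does not compile; the earlier patch in this thread opens the block with `if (!retrywithup) {`, which appears to be what is missing here, and without that guard the prompt would also fire on every retry rather than only the first attempt, assuming the v249 code has the same retry loop. As rendered, the comment also lacks its closing `*/` and the declaration reads `char *pin` although `&pin` is passed where the earlier patch declares `char **pin`; make sure the applied patch has `*/` and `char **pin = NULL;`. The enclosing function continues outside the hunk.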
      

      ```
