Read up on things like:
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2
Follow up on the idea of storing the LUKS header remotely (a detached header): https://linuxconfig.org/how-to-use-luks-with-a-detached-header
Comments
-
about 1 year ago by oertel | Reply
Worked on the luks2.sh script from https://en.opensuse.org/SDB:LUKS2,_TPM2_and_FIDO2 to support a setup where only /boot/efi is a separate partition and / (including /boot) is on LVM inside the encrypted disk.
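#!/bin/bash
# Build a GRUB2 EFI image that opens the LUKS2 container at boot
# (cryptomount) and then chains to the regular grub2 directory on the
# encrypted disk.  Two layouts are supported:
#   - /boot/grub2 on a plain GPT partition (only /boot/efi is separate);
#   - /boot/grub2 on an LVM volume that lives inside the encrypted disk.
# Writes /boot/efi/EFI/opensuse/grubx64.efi and therefore needs root.

# Abort on the first failing command: a failed grub2-mkimage must never be
# followed by copying a stale or missing image over the boot loader.
set -e

# Print the device (fs_source) or the mountpoint (fs_target) of the
# filesystem that holds path $1.
fs_source() { df --output=source "$1" | tail -n1; }
fs_target() { df --output=target "$1" | tail -n1; }

# Print the lsblk TYPE (part, lvm, crypt, ...) of block device $1.
blk_type() { lsblk -dnro TYPE "$1"; }

LVM=""
GRUB_ROOT=""
GRUB_PREFIX=""
GRUB_MOUNT=$(fs_source /boot/grub2)
TYP=$(blk_type "$GRUB_MOUNT")
MP=$(fs_target /boot/grub2)

case $TYP in
lvm)
    LVM="lvm"
    LVM_GRUB=${GRUB_MOUNT#/dev/mapper/}
    GRUB_ROOT="($LVM/$LVM_GRUB)"
    # The quotes are required: an unquoted "(...)" on the right-hand side of
    # an assignment is bash array syntax, not a grub device name.
    case $MP in
    /)           GRUB_PREFIX="($LVM/$LVM_GRUB)/boot/grub2" ;;
    /boot)       GRUB_PREFIX="($LVM/$LVM_GRUB)/grub2" ;;
    /boot/grub2) GRUB_PREFIX="($LVM/$LVM_GRUB)" ;;
    *)           echo "unexpected mountpoint '$MP' for $GRUB_MOUNT" >&2; exit 1 ;;
    esac
    ;;
part)
    LVM=""
    case $GRUB_MOUNT in
    /dev/sda*) DISK=hd0 ;;
    /dev/sdb*) DISK=hd1 ;;
    /dev/sdc*) DISK=hd2 ;;
    *)         echo "cannot map $GRUB_MOUNT to a grub disk name" >&2; exit 1 ;;
    esac
    # All trailing digits of the device name, so /dev/sda12 yields 12, not 2.
    PART=${GRUB_MOUNT##*[!0-9]}
    GRUB_PREFIX="($DISK.gpt$PART)"
    case $MP in
    /)     echo "/ not encrypted, not needed here" ; exit 1 ;;
    /boot) GRUB_PREFIX="$GRUB_PREFIX/grub2" ;;
    esac
    ;;
*)
    echo "unsupported device type '$TYP' for $GRUB_MOUNT" >&2
    exit 1
    ;;
esac

# When / itself is the opened LUKS container, grub's root is that container.
ROOT_DEV=$(fs_source /)
ROOT_TYP=$(blk_type "$ROOT_DEV")
if [ "$ROOT_TYP" = crypt ]; then
    GRUB_ROOT=crypto0
fi
if [ -z "$GRUB_ROOT" ]; then
    echo "cannot determine a grub root for / ($ROOT_TYP) and /boot/grub2 ($TYP)" >&2
    exit 1
fi

# UUID of the first LUKS container found; grub's cryptomount -u wants it
# without dashes.  Ask blkid for the value directly so no field of its
# output is ever evaluated as shell code.
TARGET=$(blkid -t TYPE=crypto_LUKS -s UUID -o value | head -n1)
TARGET=${TARGET//-/}
if [ -z "$TARGET" ]; then
    echo "no crypto_LUKS device found" >&2
    exit 1
fi

GRUB_MODULES="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512 btrfs gcry_sha256 gcry_sha1 ext2 luks $LVM"

grub2-install --target=x86_64-efi --modules="$GRUB_MODULES"

# Both temporary files get unpredictable names: the image is copied over the
# boot loader as root, so a fixed /tmp path could be pre-created by someone
# else.  Both are removed on exit, whatever the exit reason.
CONFIG=$(mktemp /tmp/grub-config.XXXXXX)
IMAGE=$(mktemp /tmp/grub-image.XXXXXX)
trap 'rm -f "$CONFIG" "$IMAGE"' EXIT

cat >"$CONFIG" <<EOF
cryptomount -u "$TARGET"
set root=$GRUB_ROOT
set prefix=$GRUB_PREFIX
insmod normal
normal
EOF
cat "$CONFIG"

# $GRUB_MODULES stays unquoted on purpose: one argument per module name.
grub2-mkimage \
    -p "$GRUB_PREFIX" \
    -O x86_64-efi \
    -c "$CONFIG" \
    -o "$IMAGE" \
    $GRUB_MODULES
cp -v "$IMAGE" /boot/efi/EFI/opensuse/grubx64.efi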
-
about 1 year ago by oertel | Reply
Hacked up a patch for systemd so that the user has a chance to notice that the token should be touched during boot.
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -345,6 +345,13 @@ static int fido2_use_hmac_hash_specific_token(
 log_notice("%s%sPlease confirm presence on security to unlock.", emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "", emoji_enabled() ? " " : "");
+
+ if (!retry_with_up) {
+ /* notify user for a few secs on first try */
+ _cleanup_(strv_free_erasep) char **pin = NULL;
+ ask_password_auto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usec_add(now(CLOCK_MONOTONIC), 5 * USEC_PER_SEC), 0, &pin);
+ }
+
 retry_with_up = true;
 }
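Review bot: The added `ask_password_auto(...)` call is used only as a timed notice, yet its return value is dropped and anything the user types into the prompt lands in `pin` only to be erased, so a reader will take it for a real PIN prompt. Make the intent explicit with `(void) ask_password_auto(...)` and a comment such as `/* Timed notice only: the prompt is dismissed after 5 s and its answer is never read. */`, and give the `5 * USEC_PER_SEC` timeout a named constant so the 15.4 backport in the next comment uses the same value. Passing `"fido2-up"` as both the key name and the credential name looks as if an existing credential of that name could satisfy the prompt without any user interaction; that is inferred from the argument positions and should be checked against ask_password_auto's credential lookup. The same remarks apply to the 15.4 patch below. The enclosing function starts and ends outside the hunk.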
-
about 1 year ago by oertel | Reply
For systemd on 15.4 the patch is:
--- systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:41:51 1.1
+++ systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:42:43
@@ -292,6 +292,11 @@
 log_notice("%s%sPlease confirm presence on security token to unlock.", emoji_enabled() ? special_glyph(SPECIAL_GLYPH_TOUCH) : "", emoji_enabled() ? " " : "");
+
+ /* notify user for a few secs on first try */
+ _cleanup_(strv_free_erasep) char **pin = NULL;
+ ask_password_auto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usec_add(now(CLOCK_MONOTONIC), 5 * USEC_PER_SEC), 0, &pin);
+
 }
 if (has_uv && !FLAGS_SET(required, FIDO2ENROLL_UV_OMIT)) {
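Review bot: Unlike the first patch, this version has no `!retry_with_up` guard, so the 5 s `ask_password_auto` prompt blocks every pass through this block before control reaches the `has_uv` check below, and the comment "on first try" no longer matches the code. If the assertion is only sent to the token after this call returns, the token is not yet waiting for a touch while the notice is shown, so the delay buys nothing; that sequencing is inferred from the hunk and should be confirmed in the caller. At minimum mark the call `(void)` and replace the comment with `/* Timed notice only; blocks up to 5 s, any input is discarded. */`. The enclosing block starts outside the hunk and the function continues past it.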