read up on things like
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html https://en.opensuse.org/SDB:LUKS2,TPM2and_FIDO2
follow up on the idea of remote storing the luks header https://linuxconfig.org/how-to-use-luks-with-a-detached-header
No Hackers yet
Looking for hackers with the skills:
Nothing? Add some keywords!
This project is part of:
Hack Week 21
Comments
-
about 2 years ago by oertel | Reply
worked on the luks2.sh script from https://en.opensuse.org/SDB:LUKS2,TPM2and_FIDO2 to support the setup of just /boot/efi separate and / including /boot on lvm inside the crypted disk
```
!/bin/bash
LVM="" GRUBMOUNT=$(df /boot/grub2 | tail -n1) GRUBMOUNT=${GRUBMOUNT%% *} set -- $(lsblk -p -r | grep "^$GRUBMOUNT") DEV=$1 TYP=$6 MP=$7 case $TYP in lvm) LVM="lvm" LVMGRUB=${GRUBMOUNT#/dev/mapper/} GRUBROOT="($LVM/$LVMGRUB)" case $MP in /) GRUBPREFIX=($LVM/$LVMGRUB)/boot/grub2 ;; /boot) GRUBPREFIX=($LVM/$LVMGRUB)/grub2 ;; /boot/grub2) GRUBPREFIX=($LVM/$LVMGRUB) ;; esac ;; part) LVM="" case $DEV in /dev/sda) DISK=hd0 ;; /dev/sdb) DISK=hd1 ;; /dev/sdc*) DISK=hd2 ;; esac PART=${DEV: -1} GRUBPREFIX="($DISK.gpt$PART)" case $MP in /) echo "/ not encrypted, not needed here" ; exit 1 ;; /boot) GRUBPREFIX="$GRUB_PREFIX/grub2" ;; esac ;; esac
set -- $(lsblk -p -r | grep " /$") ROOTDEV=$1 ROOTTYP=$6 case $ROOTTYP in crypt) GRUBROOT=crypto0 ;; esac set -- $(blkid | grep crypto_LUKS)
second param is UUID=
eval $2
drop the - dashes
TARGET=${UUID//-/}
GRUBMODULES="luks2 partgpt cryptodisk gcryrijndael pbkdf2 gcrysha512 btrfs gcrysha256 gcrysha1 ext2 luks $LVM"
grub2-install --target=x8664-efi --modules="$GRUBMODULES"
CONFIG=$(mktemp /tmp/grub-config.XXXXX) cat >"$CONFIG" <<EOF cryptomount -u "$TARGET" set root=$GRUBROOT set prefix=$GRUBPREFIX insmod normal normal EOF
cat $CONFIG
grub2-mkimage \ -p "$GRUBPREFIX" \ -O x8664-efi \ -c "$CONFIG" \ -o /tmp/image \ $GRUB_MODULES rm "$CONFIG"
cp -v /tmp/image /boot/efi/EFI/opensuse/grubx64.efi
```
-
about 2 years ago by oertel | Reply
hacked up a patch for systemd to have a chance to notice the user should touch the token on bootup
``` --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -345,6 +345,13 @@ static int fido2usehmachashspecifictoken( lognotice("%s%sPlease confirm presence on security to unlock.", emojienabled() ? specialglyph(SPECIALGLYPHTOUCH) : "", emojienabled() ? " " : ""); + + if (!retrywithup) { + /* notify user for a few secs on first try */ + _cleanup(strvfreeerasep) char **pin = NULL; + askpasswordauto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usecadd(now(CLOCKMONOTONIC), 5 * USECPERSEC), 0, &pin); + } + retrywithup = true; }
```
-
about 2 years ago by oertel | Reply
for systemd on 15.4 this is:
``` --- systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:41:51 1.1 +++ systemd-v249.11+suse.129.g17d488c53a/src/shared/libfido2-util.c 2022/07/01 09:42:43 @@ -292,6 +292,11 @@ lognotice("%s%sPlease confirm presence on security token to unlock.", emojienabled() ? specialglyph(SPECIALGLYPHTOUCH) : "", emojienabled() ? " " : ""); + + /* notify user for a few secs on first try / + cleanup(strvfreeerasep) char *pin = NULL; + askpasswordauto("Please confirm presence on security token to unlock.", "drive-harddisk", NULL, "fido2-up", "fido2-up", usecadd(now(CLOCKMONOTONIC), 5 * USECPERSEC), 0, &pin); + }
if (has_uv && !FLAGS_SET(required, FIDO2ENROLL_UV_OMIT)) {```
Similar Projects
This project is one of its kind!