
189 points arjvik | 2 comments
keeperofdakeys No.42734325
You can mitigate this by including PCRs that sign the kernel and initrd; however, it means that whenever you update you need to unlock manually. On Red Hat-based distros this can be done with PCRs 8 and 9, though IIRC this may change on other distros.

Also, AFAIK there is no standard way to guess the new PCRs on reboot, so you can't pre-update them before rebooting. So you either need to unlock manually or use network decryption like dracut-sshd.

replies(5): >>42734894 >>42735137 >>42735230 >>42735303 >>42740249
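The mechanics behind the comment above, as an added example that is not from the thread or from any distro's tooling: a PCR is only ever changed by extend (PCR' = H(PCR || digest)), so if you know exactly what gets measured into PCRs 8 and 9 you can replay the event log with the post-update kernel and initrd substituted in and compute the values the TPM will hold after the reboot, then derive the TPM2_PolicyPCR digest that a sealed LUKS key would need. The event log below is constructed (placeholder bytes standing in for GRUB command lines and file contents), the assumption that each entry is SHA-256 hashed and extended into the named PCR is simplified (real TCG logs carry the digest directly and what GRUB, shim or a UKI stub measure is bootloader- and distro-specific), and the function names are this example's own. The TPM constants (TPM_CC_PolicyPCR = 0x0000017F, TPM_ALG_SHA256 = 0x000B, the TPML_PCR_SELECTION layout) are from the TPM 2.0 library specification.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# TPM 2.0 constants (TPM library spec, Part 2); SHA-256 bank only.
TPM_CC_POLICYPCR = (0x0000017F).to_bytes(4, "big")
TPM_ALG_SHA256 = (0x000B).to_bytes(2, "big")
ZERO_DIGEST = bytes(32)  # reset value of PCRs 0-16 and the initial policy digest

# (PCR index, label, data). Assumed semantics for this example: each entry is
# SHA-256 hashed and the digest is extended into its PCR. Real TCG event logs
# carry the digest itself, and what gets measured varies by bootloader/distro.
Event = Tuple[int, str, bytes]


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for one bank: PCR' = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(events: Iterable[Event]) -> Dict[int, bytes]:
    """Replay an event log from the reset value to get the expected PCR values."""
    pcrs: Dict[int, bytes] = {}
    for index, _label, data in events:
        digest = hashlib.sha256(data).digest()
        pcrs[index] = pcr_extend(pcrs.get(index, ZERO_DIGEST), digest)
    return pcrs


def predict_after_update(events: List[Event], replacements: Dict[str, bytes]) -> Dict[int, bytes]:
    """Substitute the post-update artefacts (matched by label) into the log and replay it."""
    updated = [(i, label, replacements.get(label, data)) for i, label, data in events]
    return replay_log(updated)


def pcr_selection(indices: Iterable[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION: count=1, SHA-256 bank, 3-byte PCR bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256 + bytes([3]) + bytes(bitmap)


def policy_pcr_digest(pcrs: Dict[int, bytes], indices: Iterable[int]) -> bytes:
    """TPM2_PolicyPCR applied to a fresh session:
    policy' = H(policy || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    indices = sorted(indices)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    return hashlib.sha256(
        ZERO_DIGEST + TPM_CC_POLICYPCR + pcr_selection(indices) + pcr_digest
    ).digest()


# Constructed sample log: PCR 8 holds the GRUB command lines, PCR 9 the files
# GRUB loaded. The bytes are placeholders, not real measurements.
CURRENT_LOG: List[Event] = [
    (8, "grub_cmd_linux", b"linux /vmlinuz root=/dev/mapper/root ro"),
    (8, "grub_cmd_initrd", b"initrd /initramfs.img"),
    (9, "kernel", b"<constructed contents of current /vmlinuz>"),
    (9, "initrd", b"<constructed contents of current /initramfs.img>"),
]

# The update rewrites both files in place under the same paths, so the GRUB
# commands (PCR 8) stay the same and only PCR 9 is expected to move.
UPDATED_FILES = {
    "kernel": b"<constructed contents of new /vmlinuz>",
    "initrd": b"<constructed contents of new /initramfs.img>",
}

SEALING_PCRS = [8, 9]


def main() -> None:
    before = replay_log(CURRENT_LOG)
    after = predict_after_update(CURRENT_LOG, UPDATED_FILES)
    for i in SEALING_PCRS:
        print(f"PCR{i}: {before[i].hex()} -> {after[i].hex()}")
    print("policy before:", policy_pcr_digest(before, SEALING_PCRS).hex())
    print("policy after: ", policy_pcr_digest(after, SEALING_PCRS).hex())


if __name__ == "__main__":
    main()
```

The prediction is only as good as the model of what gets measured, which is the hard part the commenter points at. Before relying on it, replay the machine's real log (the TCG log under /sys/kernel/security/tpm0/binary_bios_measurements, e.g. as decoded by tpm2_eventlog) and check that the result matches what tpm2_pcrread reports for the current boot; if the replay does not reproduce today's PCR 8 and 9, the substituted values for tomorrow's boot will be wrong too, and the volume will fall back to a manual unlock.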
1. XorNot No.42734894
It's ridiculous that there's no software implementation to do this; it's a huge problem.

Auto-update should be able to include the kernel, initrd and grub cmdline from the running system. I have no idea what's holding this back, since evidently code already exists somewhere to do exactly that.

replies(1): >>42735307
2. Vogtinator No.42735307
That's the design with sdbootutil in openSUSE (https://en.opensuse.org/Systemd-fde, https://github.com/openSUSE/sdbootutil).