(oddlama.org)

189 points arjvik | 1 comments | 17 Jan 25 03:00 UTC | HN request time: 0.211s | source

Show context

staff3203 ◴[17 Jan 25 05:22 UTC] No.42734355[source]▶

On my system, I used `tpm2-measure-pcr=yes` in `/etc/crypttab.initramfs`, then used `--tpm2-pcrs=0+2+7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000` with `systemd-cryptenroll`.

As soon as a volume is decrypted, initrd will write `volume-key` to PCR 15, so any further executables can no longer access the data stored in the TPM.

replies(2): >>42735476 #>>42736760 #

oddlama ◴[17 Jan 25 12:20 UTC] No.42736760[source]▶

>>42734355 #

This is great if you only have a single disk, but if you have multiple encrypted disks that are unlocked in the initrd this way, then if you can gain control flow by faking data on the last decrypted disk you can still gain access to all the previously unlocked partitions.

Of course you cannot unseal the secret from the TPM anymore.

replies(3): >>42737732 #>>42742055 #>>42742348 #

1. ◴[17 Jan 25 19:07 UTC] No.42742055[source]▶

>>42736760 #

↑

Bypassing disk encryption on systems with automatic TPM2 unlock