- #CREATE BOOT PARTITION OPENSUSE INSTALL#
- #CREATE BOOT PARTITION OPENSUSE FULL#
- #CREATE BOOT PARTITION OPENSUSE PASSWORD#
- #CREATE BOOT PARTITION OPENSUSE PC#
#CREATE BOOT PARTITION OPENSUSE FULL#
This scenario derives from the current approach to Full Disk Encrytion (FDE) with LUKS1: kernel and initrd worldwide readable. Ensure that a regular passphrase is always configured and known to avoid losing access to your system. Warning: The TPM must be re-enrolled after any change that modifies the kernel, initrd, boot loader, or its configuration. # systemd-cryptenroll -wipe-slot=tpm2 -tpm2-device=auto -tpm2-pcrs=4+7+8+9 $DEVICE
#CREATE BOOT PARTITION OPENSUSE PASSWORD#
cr_root $DEVICE none x-initrd.attach,tpm2-device=autoĪt the next reboot and any reboot in which any of the measured components have changed, you will be required to enter the password for the volume.Īfter a successful reboot, enroll the TPM.
Find the entry for the LUKS2 volume in /etc/crypttab (it may appear referenced by its UUID) and add the tpm2-device= option. Then add the ability to use the TPM to unlock the volume to the initrd, where $DEVICE should be substituted with the path to the partition containing the encrypted volume: # If it's not built into the grub binary, we'll need to load it # The tpm module won't measure anything if it's not loaded. To enable tpm support in GRUB2, add the following to /etc/grub.d/00_header above the check for whether BTRFS snapshots are enabled before running update-bootloader -refresh to regenerate the GRUB2 configuration. Without measuring the kernel command line, an attacker could simply boot the system with init=/bin/bash and allow the initrd to unlock the volume automatically. In order to unlock the root volume, we should consider PCRs 4,7,8, and 9. In configuring the bootloader to perform the appropriate measurements, we gain the ability to be certain that the initrd is a known component and allow the operating system to mount the encrypted volume without providing the passphrase again. Thus the user must always provide the passphrase during the bootloader process.Įnabling TPM support in GRUB2 isn't wasted effort, though. It cannot read them without unlocking the encrypted volume. GRUB2 needs to be able to read the kernel, initrd, and its own configuration to provide these measurements. In order to avoid an attacker simply booting the system with init=/bin/bash to allow the initrd to unlock the volume and provide otherwise unauthenticated administrator access to the system, we require that PCR 9 be a known value. We require PCR 8 be populated to ensure it has not been tampered with. It will provide measurements to PCR 9 when reading its own configuration, any additional commands executed, and the kernel command line.Īlthough Secure Boot will ensure that the kernel carries a valid signature and is trusted to execute on the host, the initrd is not signed. GRUB2 using the tpm module will provide the TPM with measurements when reading the kernel and initrd to PCR 8. PCR 7 measures whether the Secure Boot state has changed between enabled and disabled. The firmware populates PCR 4 after measuring the bootloader. We'll only focus on a subset of these for this document. #CREATE BOOT PARTITION OPENSUSE PC#
The full specification can be found in the PC Client Specific Platform Firmware Profile Specification.
Higher PCRs may be used by the boot loader, operating system, and applications. PCRs 0-7 are computed by the system firmware. These registered are populated by providing data inputs associated with each one and a hash is generated based on the contents. TPM objects are sealed by providing appropriate input to a preconfigured set of Platform Configuration Registers (PCRs).
Even if it did, there is no way to retrieve the key safely. GRUB2 doesn't support unsealing the key from the TPM. There is no way to boot a system with Full-Disk Encryption enabled without entering the password to the encrypted volume in GRUB2.
#CREATE BOOT PARTITION OPENSUSE INSTALL#
The current supported method to install an openSUSE system will Full-Disk Encryption is to encrypt the entire root volume, including /boot. This method can be used with Secure Boot enabled and, in fact, it should be encouraged. With these package versions we can apply the following scenarios: Warning: FIDO2 tokens need to implement the hmac-secret extension.
0 kommentar(er)
