This adds verification of LUKS header change at both sealing and unsealing of TPM Disk Unlock Key.

Fixes linuxboot#1092.
Supersedes linuxboot#1093.
- Cherry-picks ed1c23a (credit to @hardened-vault, thank you!)
- Addresses and corrects self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical to ed1c23a
  - kexec-add-key: Tell the user that the headers did not change when changing the TPM-released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen (linuxboot#1093 (comment))
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
tlaurion committed May 3, 2022
1 parent 3234622 commit 49f0a39
Showing 2 changed files with 12 additions and 3 deletions.
5 changes: 3 additions & 2 deletions initrd/bin/kexec-insert-key
Expand Up @@ -51,8 +51,9 @@ tpm extend -ix 4 -ic generic \

# Check to continue
if [ "$unseal_failed" = "y" ]; then
diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt \
&& echo "Headers of LUKSes to be unlocked via TPM do not change."
if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
fi
confirm_boot="n"
read \
-n 1 \
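Review bot: the rewritten check is silent in the one case the user most needs to hear about: `if diff ... > /dev/null 2>&1; then ... fi` has no `else`, so inside the `unseal_failed` branch a header mismatch now prints nothing, whereas the removed `diff ... && echo` at least showed the differing lines. Suggest adding an `else` branch that warns in the same wording kexec-unseal-key uses in this commit, e.g. `else warn "Headers of LUKS containers ... changed since they were measured and sealed in TPM"`. Also, `$INITRD` is unquoted inside `$(dirname $INITRD)` and will word-split on a path with spaces; `$(dirname "$INITRD")` avoids that.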
10 changes: 9 additions & 1 deletion initrd/bin/kexec-unseal-key
Expand Up @@ -24,7 +24,7 @@ tpm nv_readvalue \
|| die "Unable to read key from TPM NVRAM"

for tries in 1 2 3; do
read -s -p "Enter unlock password (blank to abort): " tpm_password
read -s -p "Enter disk unlock key passphrase (blank to abort): " tpm_password
echo

if [ -z "$tpm_password" ]; then
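Review bot: the new prompt wording is inconsistent with the rest of this commit; the prompt says "disk unlock key passphrase" while the warnings added below and the commit message capitalize "Disk Unlock Key". Suggest `read -s -p "Enter Disk Unlock Key passphrase (blank to abort): " tpm_password` so the user sees one term for the same secret.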
Expand All @@ -44,6 +44,14 @@ for tries in 1 2 3; do

pcrs
warn "Unable to unseal disk encryption key"
if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then
if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate."
fi
else
warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt"
warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu."
fi
done

die "Retry count exceeded..."
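Review bot: the whole header-comparison block sits inside `for tries in 1 2 3; do ... done`, so on every failed passphrase attempt the "headers changed" or "No encrypted LUKS container(s) headers were found" warning is re-printed, up to three times before `die "Retry count exceeded..."`; since neither file changes between attempts, running the check once before the loop (or once after it, on final failure) keeps the output readable. Also, `[ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]` relies on the `-a` operator, which POSIX marks obsolescent with unspecified results for `test` invocations of more than four arguments; `[ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]` is the portable form. Finally, this script hardcodes `/boot/kexec_lukshdr_hash.txt` while kexec-insert-key in the same commit reads `$(dirname $INITRD)/kexec_lukshdr_hash.txt`; if those paths can differ, the two checks may disagree on whether the headers changed.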
