LUKS header change validation at both sealing and unsealing of TPM Di…

…sk Unlock Key. Fixes linuxboot#1092. Supersedes linuxboot#1093 - Cherry-picks ed1c23a (credit to @hardened-vault) thank you!) - Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!) - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed. (linuxboot#1093 (comment)) - kexec-seal-key: Identical as in ed1c23a - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options) - Here, we cancel the diff output shown on screen linuxboot#1093 (comment) - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change." Signed-off-by: Thierry Laurion <[email protected]>
tlaurion · May 2, 2024 · ca5b861 · ca5b861
1 parent f1d3509
commit ca5b861
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
@@ -57,6 +57,9 @@ tpmr extend -ix 4 -ic generic ||
 # Check to continue
 if [ "$unseal_failed" = "y" ]; then
 	confirm_boot="n"
+	if diff "$(dirname $INITRD)/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
+		echo "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
+	fi
 	read \
 		-n 1 \
 		-p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \

diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
@@ -40,6 +40,14 @@ for tries in 1 2 3; do
 
 	DEBUG $(pcrs)
 	warn "Unable to unseal disk encryption key"
+	if [ -e /boot/kexec_lukshdr_hash.txt -a -e /tmp/luksDump.txt ]; then
+		if ! diff /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
+			warn "Encrypted LUKS(es) container(s) headers changed since they were measured and sealed in TPM for Disk Unlock key. You might want to investigate."
+		fi
+	else
+		warn "No encrypted LUKS container(s) headers were found/comparable under /boot/kexec_lukshdr_hash.txt"
+		warn "You might need to setup a new boot default and Disk Unlock Key from Options->Boot Options->Show OS boot menu."
+	fi
 done
 
 die "Retry count exceeded..."