Yurii Bilyk | 2016
Trusted Computing - real pain in practice?
WHO AM I
# root
TEAM
• WE are Security Group
• WE are ALL Engineers (Almost;)
• WE are OWASP Lviv Chapter
• WE are Legio… oops
blog: http://owasp-lviv.blogspot.com
skype: y.bilyk
Agenda
• The Problem
• Intro to TPM
• Intel Trusted Execution
• Linux disk encryption
• Take it ALL together
The Problem
Even NASA has..
The Problem
You want to protect your software from being copied off the server
You don’t fully control the h/w server where it’s installed
This server will be installed in China
The Solution (Idea)
The first idea was to use an HSM (Hardware Security Module)
But it’s expensive (1k-5k $ per server) and didn't meet some requirements
Finally we decided to use TPM
What is TPM?
Just another abbreviation
TPM (Basic Info)
• Cheap H/W module with some cryptographic hardware blocks (5-10$)
• Comes in two versions: 1.2 & 2.0
• Contains a small protected non-volatile storage
• Can be built-in or plugged-in
• Can be used as a secure random generator for keys, etc.
TPM (Basic Info)
TPM (Attacks)
• Version 1.1 is vulnerable to the RESET attack http://www.cs.dartmouth.edu/~pkilab/sparks/
• Version 2.0 is more flexible and mature, but less widely supported than version 1.2 (on OS level)
• Version 1.2 is physically connected via the LPC bus, where data is transferred in plaintext
• Version 2.0 supports more features and crypto algorithms than version 1.2
TPM Components
TPM Components (PCR)
TPM Components (PCR)
• Reset all registers, transfer execution to Core
Root of Trust Measurement
• Measure next stage of firmware into PCR[0]
and data into PCR[1]
– Hardware test and configuration
• Code always measured first, then executed
• New PCR value is SHA-1 hashed then
concatenated with previous hash;
permanently written to PCR
• Option ROMs and data into PCR[2] and [3]
• MBR into PCR[4], partition table in PCR[5]
[Figure: Platform Configuration Registers, PCR[0] through PCR[15]]
Stephen.lamb@microsoft.com
http://blogs.technet.com/steve_lamb
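The measure-then-extend chain from the bullets above, modelled in shell as an added example (not part of the original slides): each stage's SHA-1 digest is folded into the register as SHA-1(old PCR value || digest), so the final value depends on every measured component and on their order. The stage names are constructed sample data.

```sh
#!/bin/sh
# Added example: software model of the TPM 1.2 PCR "extend" operation.
# PCR_new = SHA-1(PCR_old || SHA-1(component)). Stage names are constructed.

# Convert an even-length hex string to raw bytes on stdout.
hex_to_bin() {
    [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}
        pair=${h%"$rest"}
        # hex pair -> three-digit octal escape -> one raw byte
        printf "\\$(printf '%03o' "$((0x$pair))")"
        h=$rest
    done
}

# measure <string> -> SHA-1 of the component as 40 hex characters.
measure() { printf '%s' "$1" | sha1sum | cut -d' ' -f1; }

# pcr_extend <old_pcr_hex> <measurement_hex> -> new PCR value (hex).
pcr_extend() {
    { hex_to_bin "$1"; hex_to_bin "$2"; } | sha1sum | cut -d' ' -f1
}

# Replay a boot chain: start from the all-zero reset value and extend the
# register once per stage, in the order the stages are measured.
replay_chain() {
    pcr=0000000000000000000000000000000000000000
    for stage in "$@"; do
        pcr=$(pcr_extend "$pcr" "$(measure "$stage")")
    done
    printf '%s\n' "$pcr"
}

GOOD=$(replay_chain "grub-stage2 v1" "vmlinuz-3.10" "initramfs-3.10")
TAMPERED=$(replay_chain "grub-stage2 v1" "vmlinuz-3.10" "initramfs-3.10+extra")
REORDERED=$(replay_chain "vmlinuz-3.10" "grub-stage2 v1" "initramfs-3.10")
printf 'expected  %s\ntampered  %s\nreordered %s\n' "$GOOD" "$TAMPERED" "$REORDERED"
```

A key sealed against the "expected" value cannot be unsealed when the register ends up at either of the other two values.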
TPM PCR (Windows Vista)
TPM PCR (Trusted Grub)
TPM PCR (Trusted Grub2)
https://github.com/Sirrix-AG/TrustedGRUB2
Dynamic Root of Trust
In God we trust, the rest we test
Intel TXT (Basic info)
• Implements dynamic root of trust instead of static
• Needs Intel VT-d support (virtualization)
• Needs SINIT CPU instruction support
• In some cases needs a specific module for your CPU added into the GRUB folder/config
Intel TXT (Key Features)
You can verify and measure your
kernel/modules in protected
environment
You are fully detached from your
static measurements of platform
It uses TPM PCR for storing
measurements
Intel TXT (Useful Links)
http://hg.code.sf.net/p/tboot/code
https://software.intel.com/en-us/articles/intel-trusted-execution-technology
Linux Disk Encryption
It’s better to encrypt everything
The Problem (Encryption)
Basically we just need to encrypt our custom software to protect it
But we need to protect the OS and boot loader from offline attacks
So we encrypted everything
Linux Disk Encryption
• We decided to use LUKS (block level encryption)
• Used a KEY file for encryption/decryption
• We can use several keys for decryption/encryption of the same partition
• But..
Linux Disk Encryption (LUKS)
• Many Linux distributions have problems with LUKS and KEY file configuration
• This is a problem for decrypting the root fs during boot
• After boot you can use any mode (passphrase or key file), but we needed an encrypted root fs
Linux Disk Encryption (LUKS)
Linux Disk Encryption (LUKS)
LUKS and TPM (Links)
https://github.com/shpedoikal/tpm-luks
It’s not rocket science, is it?
Take it ALL together
Linux and TPM
• You need to physically install the TPM and enable support in BIOS
• You need the TPM kernel module (usually included in the Linux distribution)
• You need to set up the trousers daemon, which does all communication with the TPM
• You need to install tpm-tools, which allows you to configure the TPM and use the sealing/unsealing feature
Linux and TPM (Links)
https://sourceforge.net/projects/trousers/files/tpm-tools/
LUKS and TPM
• So we have TPM that seals encryption KEY
• We have LUKS encrypted partitions
• We have TrustedGrub that can measure our platform
and allow/disallow TPM to unseal the encryption
KEY
• We even installed Intel tboot module to add
dynamic measurements
• Job is almost done!
• But..
LUKS and TPM (Problems)
We found that you need to add some workarounds to get LUKS key file decryption working
We also need to modify the initramfs to add TPM operations support during boot
We have to deal with the TPM measurements process (it’s not so obvious)
LUKS and TPM (Fixing LUKS)
Create file /etc/dracut.conf.d/01-luks-workaround.cfg with content
#-------------------------- luks-workaround.cfg -----------------------------------
# Fedora & CentOS dracut fix to use a LUKS key file
# (dracut list values are space-separated, so keep the leading/trailing spaces)
omit_dracutmodules+=" systemd "
# Include the dm_crypt and lvm modules in the initramfs
add_dracutmodules+=" crypt lvm "
#-------------------------------------------------------------------------------------------
LUKS and TPM (Fixing TPM) #1
Create file /etc/dracut.conf.d/02-tpm-tune.cfg with content
#-------------------------- 02-tpm-tune.cfg -----------------------------------
# Include the specific TPM driver in the initramfs
add_drivers+=" tpm_module "
# Include the tpm dracut module
# The tpm module isn't a default one, so the 99tpm folder should be located in
# /usr/lib/dracut/modules.d
add_dracutmodules+=" tpm "
# Add the tools needed to unseal the encryption key while mounting the rootfs
install_items+=" /usr/bin/kill /usr/bin/awk /etc/hosts /lib64/libtspi.so.1
    /lib64/libssl.so.10 /lib64/libresolv.so.2 /etc/nsswitch.conf /sbin/ifconfig
    /usr/sbin/tcsd /usr/bin/tpm_unsealdata /var/lib/tpm/system.data
    /lib64/libnss_files.so.2 /lib64/libnss_dns.so.2 "
#-------------------------------------------------------------------------------------------
LUKS and TPM (Fixing TPM) #2
Create file /usr/lib/dracut/modules.d/99tpm/module-setup.sh with content
#!/bin/bash

# called by dracut
check() {
    # Don't install this module by default
    return 1
}

# called by dracut
depends() {
    echo crypt
    return 0
}

# called by dracut
install() {
    # add the tss user and group to the initramfs; they are used by trousers
    grep '^tss:' /etc/passwd >> "$initdir/etc/passwd"
    grep '^tss:' /etc/group >> "$initdir/etc/group"
    # fix TCSD config user/group owner
    cp /etc/tcsd.conf "$initdir/etc/tcsd.conf"
    chown tss:tss "$initdir/etc/tcsd.conf"
}
LUKS and TPM (Fixing TPM) #3
Edit file /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh
# Find the "if [ $ask_passphrase -ne 0 ]; then" section, delete it or comment
# it out, and add this new logic in its place:
if [ $ask_passphrase -ne 0 ]; then
    # Load the TPM driver
    /sbin/modprobe tpm_module
    # Create /dev/urandom (char device 1,9) if the initramfs does not have it
    if [ ! -e /dev/urandom ]; then
        /bin/mknod -m 644 /dev/urandom c 1 9
    fi
    # tcsd is reached over the loopback interface, so bring it up
    /sbin/ifconfig lo 127.0.0.1
    # Start tcsd unless it is already running; remember its PID to stop it later
    PID=`ps -eaf | grep tcsd | grep -v grep | awk '{print $2}'`
    if [[ "" == "$PID" ]]; then
        /usr/sbin/tcsd -f &
        PID=$!
        sleep 3
    fi
    # Mount the partition that holds the sealed key, read-only
    mkdir -p /mnt
    mount -o ro /dev/sda1 /mnt
    ## copy unsealed key to tmpfs partition ##
    mkdir -p /key_tmpfs
    mount tmpfs /key_tmpfs -t tmpfs -o size=32m
    /usr/bin/tpm_unsealdata -z -i /mnt/disk_sealed.key -o /key_tmpfs/disk_unsealed.key
    cryptsetup luksOpen --key-file=/key_tmpfs/disk_unsealed.key "$device" "$luksname" && ask_passphrase=0
    # Unmounting the tmpfs discards the unsealed key
    umount /key_tmpfs
    ##
    if [[ "" != "$PID" ]]; then
        kill -9 $PID
    fi
    umount /mnt
    unset PID
fi
LUKS and TPM (Fixes Summary)
1. Added a workaround to get LUKS key file support working
2. Created a new dracut module (99tpm) and a dracut config file that include the needed kernel modules and tools and do some configuration during initramfs generation
3. Modified the dracut crypt module to allow us to use a TPM sealed key file instead of a passphrase
LUKS and TPM (Password less)
https://www.youtube.com/watch?v=hcMMTphhMZs
LUKS and TPM (Sealing Key)
1. An additional step before sealing the key is initializing the TPM with a known password (all zeros), which allows us to seal/unseal the key w/o entering any password, using only PCR measurements
2. To seal the key file you need to boot into the OS with TPM, TrustedGrub and tpm-tools installed
3. Then run tpm_sealdata and specify the PCRs that will be used to seal the data, and the input key file
LUKS and TPM (Sealing Key)
1. Initialize TPM with known password:
• tpm_takeownership -z
2. To seal key file:
• tpm_sealdata -z -p 11 -p 17 -p 18 -p 19 -i /boot/disk.key -o /boot/disk_sealed.key
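Because the key is sealed to PCRs 11, 17, 18 and 19, a change in any of those measurements makes the unseal fail at the next boot. The added example below (not from the slides) compares a saved baseline of PCR values with the current ones and lists the sealed-to indices that changed; it assumes the TPM 1.2 sysfs "pcrs" text format (PCR-NN: XX XX ...), and the file names and digest values are constructed.

```sh
#!/bin/sh
# Added example: list which sealed-to PCRs differ between a saved baseline and
# the current values. Input format assumed: TPM 1.2 sysfs "pcrs" text, one
# "PCR-NN: XX XX ..." line per register. All sample data is constructed.

# pcr_value <pcrs-file> <index> -> digest as hex without spaces ("" if absent)
pcr_value() {
    awk -v want="$(printf 'PCR-%02d:' "$2")" \
        '$1 == want { $1 = ""; gsub(/ /, ""); print toupper($0); exit }' "$1"
}

# pcr_drift <baseline> <current> <index>... -> space-separated changed indices
pcr_drift() {
    base=$1; cur=$2; shift 2
    changed=""
    for i in "$@"; do
        b=$(pcr_value "$base" "$i")
        c=$(pcr_value "$cur" "$i")
        # A register missing from the baseline counts as drift too
        if [ -z "$b" ] || [ "$b" != "$c" ]; then
            changed="$changed${changed:+ }$i"
        fi
    done
    printf '%s' "$changed"
}

# Constructed baseline, as it would be saved right after tpm_sealdata.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/baseline" <<'EOF'
PCR-11: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
PCR-17: A1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90 A1 B2 C3 D4
PCR-18: 5C 0F 3E 21 77 9A BC DE F0 12 34 56 78 9A BC DE F0 12 34 56
PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EOF
# Constructed "current" state: PCR-18 holds a different digest than before.
sed '/^PCR-18:/s/: 5C/: 5D/' "$SAMPLE_DIR/baseline" > "$SAMPLE_DIR/current"

DRIFT=$(pcr_drift "$SAMPLE_DIR/baseline" "$SAMPLE_DIR/current" 11 17 18 19)
if [ -n "$DRIFT" ]; then
    echo "PCR(s) changed since sealing: $DRIFT (key must be re-sealed)"
else
    echo "sealed-to PCRs unchanged"
fi
```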
Summary
• In some OSes the TPM is used by default as secure storage for the encryption key (for ex. Windows Vista and higher)
• In Linux you need to do all that magic by yourself, except for the usual scenarios (ex. tpm-luks scripts)
• TPM is still not used very often, and its integration into the OS (Linux) may not be enough to work out of the box
Questions?
Just for fun
Thank YOU!

[Wroclaw #3] Trusted Computing
