GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → grawity → tpm_futurepcr

grawity / tpm_futurepcr

Licence: MIT license
Calculate future (next boot) TPM PCRs after a kernel upgrade

Programming Languages

python
139335 projects - #7 most used programming language

Labels

tpm2lukssecure-bootin-dire-need-of-refactoringand-i-have-no-energy-left-for-that

Projects that are alternatives of or similar to tpm futurepcr

meta-secure-core
OpenEmbedded layer for the use cases on secure boot, integrity and encryption
Stars: ✭ 80 (+321.05%)
Mutual labels:  tpm2, secure-boot
trezorLuks
A wrapper around "cryptsetup" to use a key from a Trezor device instead of a password
Stars: ✭ 20 (+5.26%)
Mutual labels:  luks
AttestationSamples
A small subset of the submitted sample data from https://github.com/GrapheneOS/Auditor. It has a sample attestation certificate chain per device model (ro.product.model) along with a subset of the system properties from the sample as supplementary information.
Stars: ✭ 25 (+31.58%)
Mutual labels:  secure-boot
multizone-linux
MultiZone® Security Enclave for Linux
Stars: ✭ 18 (-5.26%)
Mutual labels:  secure-boot
arch-secure-boot
UEFI Secure Boot for Arch Linux + btrfs snapshot recovery
Stars: ✭ 60 (+215.79%)
Mutual labels:  secure-boot
udiskie-dmenu
Manage removable devices in couple of keystrokes!
Stars: ✭ 30 (+57.89%)
Mutual labels:  luks
tpm2-abrmd
TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
Stars: ✭ 97 (+410.53%)
Mutual labels:  tpm2
qemu-exynos-bootrom
Emulating Exynos 4210 BootROM in QEMU
Stars: ✭ 49 (+157.89%)
Mutual labels:  secure-boot
scripts
Collection of useful scripts for Linux (git, docker, LUKS, Archlinux...)
Stars: ✭ 36 (+89.47%)
Mutual labels:  luks
cryptctl
A disk encryption utility that helps setting up LUKS-based disk encryption using randomly generated keys, and keeps all keys on a dedicated key server.
Stars: ✭ 23 (+21.05%)
Mutual labels:  luks
ansible-archlinux
Automated arch linux desktop environment
Stars: ✭ 56 (+194.74%)
Mutual labels:  luks
u2f-luks
No description or website provided.
Stars: ✭ 29 (+52.63%)
Mutual labels:  luks
go-uefi
Linux UEFI library written in pure Go.
Stars: ✭ 78 (+310.53%)
Mutual labels:  secure-boot
arch-config
Scripts and Ansible playbook to setup Arch Linux on ZFS.
Stars: ✭ 36 (+89.47%)
Mutual labels:  luks
AttestationServer
Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a remote attestation implementation with email alerts to go along with the local implementation based on QR code scanning in the app.
Stars: ✭ 64 (+236.84%)
Mutual labels:  secure-boot
arch-install
A highly configurable script automatically installing Arch Linux.
Stars: ✭ 32 (+68.42%)
Mutual labels:  luks
LUKS-OPs
A bash script to automate the most basic usage of LUKS volumes in Linux VPS
Stars: ✭ 30 (+57.89%)
Mutual labels:  luks
unlock-luks-partition
Unlock a LUKS partition via SSH
Stars: ✭ 31 (+63.16%)
Mutual labels:  luks
SELoader
Secure EFI Loader designed to authenticate the non-PE files
Stars: ✭ 38 (+100%)
Mutual labels:  secure-boot
disk-encryption-hetzner
Encrypt a hetzner server from the "serverbörse" and unlock it remote via ssh
Stars: ✭ 122 (+542.11%)
Mutual labels:  luks
View All Similar Projects ➔

The tpm_futurepcr script allows pre-calculating what the future PCR4 value will be after a kernel upgrade, before you reboot. This is useful when your rootfs is LUKS-encrypted with a key sealed by the TPM against PCR4 (among others).

This script only recognizes measurements done by native UEFI LoadImage() – i.e. hashes of PE/COFF executables such as vmlinuz.efi. (Although it does parse the TPM 1.2 event log, it does not (yet) recognize measurements done by TrustedGRUB on BIOS systems, and in fact I'm not entirely sure whether the entire premise of sealing data against user-specified PCR values is even possible in the TPM 1.2 API.)

As an additional hack, this script also recognizes systemd-boot and updates its EV_IPL event according to the future kernel command line.

This script will understand the event log in both SHA1-only (TPM 1.2) and Crypto-Agile (TPM 2.0, Linux kernel 5.3+) formats.

Warning

Until Linux 5.17, neither systemd-boot nor EFISTUB measure the loaded initrd images, making it unsafe to rely on PCR4 alone. (Starting with Linux 5.17, the initrd measurements are now stored in PCR9; this script does not yet support pre-calculating it.) Additionally, only systemd-boot measures the command line into PCR8; EFISTUB on its own does not.

It is recommended to use PCR-based sealing (whether it is PCR4 with tpm_futurepcr or PCR7 with Secure Boot) only with a combined systemd-stub "kernel + initramfs" image, such as the one produced by mkinitcpio -U.

Dependencies

  • python-signify (for calculating Authenticode digests)
  • tpm2-tools (for reading current PCR values in kernels older than v5.12)

Installation

python setup.py install

Usage

Normally sealing data against PCRs starts by creating a "policy" which specifies the PCR values. In the Intel TPM 2.0 stack, this is done with tpm2_createpolicy:

tpm2_createpolicy -P -L sha256:0,2,4,7 -f policy.bin

This automatically uses current PCR values, and can be written to do so explicitly:

tpm2_pcrlist -L sha256:0,2,4,7 -Q -o pcrvalues.bin
tpm2_createpolicy -P -L sha256:0,2,4,7 -F pcrvalues.bin -f policy.bin

To do the same with future PCR values, use tpm_futurepcr:

tpm_futurepcr -L 0,2,4,7 -o pcrvalues.bin
tpm2_createpolicy -P -L sha256:0,2,4,7 -F pcrvalues.bin -f policy.bin
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].