anatol / booster

Fast and secure initramfs generator


Handle TPM2 + passphrase

codicodi opened this issue · comments

A while ago systemd got support for TPM2 + passphrase setup:
systemd/systemd#22563

It would be nice if booster supported unlocking such volumes as well.

I added booster boilerplate to handle PIN. Now I need to use the pincode to unseal the value.

I am looking for help from someone who understands the tpm2-tss API and can translate systemd's change into a go-tpm equivalent. See booster's tpm2Unseal() function and its new parameter password, which is the sha256-hashed content of the PIN.

Alright, I think I figured out the logic. I improved booster code and the test shows it is able to unlock a drive locked with systemd's tpm+pin.

Please pull the changes from the wip branch and test it with your setup.

Thanks for looking into this.
Unlocking does indeed work, but the whole procedure appears a bit messy.
First, booster asks for a passphrase which I guess refers to a recovery key also enrolled on this drive. I entered it incorrectly and booster asked for a PIN next. I entered the PIN (correctly) and booster once again showed the passphrase prompt, but the system booted after a short while anyway without me entering anything.

Interestingly, the log complains about no tpm devices being found just before obtaining the password for the tpm2 token.


Booster tries to unlock all possible LUKS slots in parallel. Such an algorithm works well if the slots are non-interactive (non-PIN tpm, clevis, ...). The first valid slot unlocks the partition, and the other slot processors get canceled.

In your case, you have 2 interactive slots that require some sort of pin/password. So the prompts you see are interleaved.

My guess is you expected to see only 1 interactive slot processed at a time. But which one should be processed/prompted first? And why?

A TPM2 PIN is supposed to be safe, yet convenient (lowish entropy; easy to type). If a user went to the trouble of enrolling it, it's probably the preferable way of unlocking.
Regular passphrases (including the recovery key) could be tried next. Correct me if I'm wrong, but I think the order no longer matters since booster can just keep asking until the given passphrase matches one of the slots.
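The parallel first-wins race described in the maintainer's comment, next to the "non-interactive slots in parallel, then interactive slots one at a time in priority order (TPM2+PIN before the recovery passphrase)" flow proposed above, as an added Go sketch that is not booster's own code; SlotUnlocker, unlockParallel and unlockOrdered are hypothetical names, and each slot's Try is a stand-in for the real clevis/TPM2/passphrase handlers.

```go
package main

import "context"

// SlotUnlocker models one LUKS keyslot processor (clevis, TPM2, TPM2+PIN, passphrase).
// Hypothetical, not booster's API. Try returns the volume key or nil; it must honour ctx.
type SlotUnlocker struct {
	Interactive bool // needs a PIN or passphrase prompt
	Try         func(ctx context.Context) []byte
}

// unlockParallel starts every slot processor at once; the first key wins and the
// remaining processors are cancelled (booster's behaviour described in the thread).
func unlockParallel(ctx context.Context, slots []SlotUnlocker) []byte {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()                           // cancels the losing processors once a key is found
	results := make(chan []byte, len(slots)) // buffered so losers never block
	for _, s := range slots {
		go func(s SlotUnlocker) { results <- s.Try(ctx) }(s)
	}
	for range slots {
		if key := <-results; key != nil {
			return key
		}
	}
	return nil
}

// unlockOrdered keeps the parallel race for non-interactive slots but tries the
// interactive ones one at a time, in the given priority order (e.g. TPM2+PIN
// before the recovery passphrase, as proposed above), so prompts never interleave.
func unlockOrdered(ctx context.Context, slots []SlotUnlocker) []byte {
	var quiet, prompting []SlotUnlocker
	for _, s := range slots {
		if s.Interactive {
			prompting = append(prompting, s)
		} else {
			quiet = append(quiet, s)
		}
	}
	if key := unlockParallel(ctx, quiet); key != nil {
		return key
	}
	for _, s := range prompting {
		if key := s.Try(ctx); key != nil {
			return key
		}
	}
	return nil
}
```

With the two interactive slots from this report, unlockOrdered prompts for the PIN first and only falls through to the passphrase prompt if that slot fails, whereas unlockParallel would show both prompts at once.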