-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PCR binding support #15
Comments
I agree, but the main "issue" I have is that I'd like to figure out how we should re-seal the key. If we lock the key to a state, we should be able to take that key and say "this is the future state you should unseal towards". This is what enables this feature to work on systems that intend to upgrade. It could possibly interface a bit with the systemd tooling written to figure out the future PCR states. But curently this is both an UX issue (how do we document and communicate this) along with a technical one (I don't know how to implement this). |
OK, that is a good point. I just thought about the PCR 0+7 use case when I wrote this (tying the key to secure boot and thus to some CA potentially under your control), where it is not too likely that the PCRs will change. On the other hand, a SSH key like that has - in contrast to the LUKS encryption which I mentally compared it to - no recovery method if the PCRs do need to change, so there really should be an upgrade path. I did not think about this difference when opening the issue. |
I don't necessarily think that is true. If you keep a reasonably updated system you need to update
Thanks for opening it. And do feel free to write down how you envision this to work. I'm open for UX suggestions so I have more opinions to base things off on. |
I am much more lost than you when it comes to a vision how re-sealing might work, I simply did not think about it at all 😅. But should I manage to think of something I will write it down 😄. |
You can outline how you think the PCR binding should work :) The resealing can come later. |
I probably thought way too naive about this, I just thought of a cmdline similar to |
The systemd syntax for It has support to do something like So |
I'm a bit stuck on trying to understand how I should best implement Policy sessions for the keys and also support resealing through
I also don't quite understand how @chrisfenner sorry for poking you, but as I'll probably end up implementing more stuff for |
I haven't tinkered with this much, but I spent a while being confused by these as well, and this is as far as I can understand from my notes and the TPM 2.0 spec (part 1, page 129):
In other words, for user-level access:
and for admin-level access:
|
Hm, I have sorta been able to write up a thing where even if the key is created with an auth value that has a policy policy with a PolicyPCR thing I was able to change the auth value of the key without presenting any session and a nilled out PasswordAuth. Which seems strange to me, but I need to try and rewrite that test to see if I grasped why that was allowed. I also found some notes on the unimplemented object auth policy of |
After batting my head with some new knowledge I've come to a couple of realizations. The way people usually deal with this is a combination of Using However, I am wondering if it's better to produce a |
check how clevis does it: |
I'm not too impressed by the clevis implementation either. See: latchset/clevis#121 |
I think generally the way to deal with changing PCR values is to not bind against the values, but against a public key who's private key is used to sign PCR policies. See Maybe |
Sure, but then you are now dealing with two keys. One key which is the ssh key, and one key to sign the policy. What do we do with this signing key? Is this shared pr machine, do we store it on the FS or do we also seal this towards the TPM?
I started writing some Go code to wrap |
It could be nice to support binding a key to the state of user-selectable PCRs at creation time, e.g. to restrict keys to be used only with some sort of verified boot. This can indirectly be achieved by storing the
.tpm
file on a filesystem backed by a LUKS partition which itself is then bound to PCR state, but for unencrypted systems it might still be nice to directly support this. Also, the.tpm
files could theoretically be leaked into an unverified boot session and then used with incorrect PCR state, natively binding the key within the TPM would mitigate this.The text was updated successfully, but these errors were encountered: