Bypassing disk encryption on systems with automatic TPM2 unlock – https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/
oddlama writes: '"Most TPM2 unlock setups fail to verify the LUKS identity of the decrypted partition. Since the initrd must reside in an unencrypted boot partition, an attacker can inspect it to learn how it decrypts the disk and also what type of filesystem it expects to find inside. By recreating the LUKS partition with a known key, we can confuse the initrd […]"' #tpm #linux #Encryption
=> More informations about this toot | More toots from kernellogger@fosstodon.org
@kernellogger Thanks for the great article and documentation! Ironically I started fiddling with TPM-based LUKS decryption during bootup recently and I asked myself those questions (as most guides online will only suggest measuring PCR 1 and 7, e.g. when using Clevis. Which might be sufficient if the threat model is considering it secure enough).
I fear securing bootup on Linux will take years, even if the tools like systemd's features are already in place.
=> More informations about this toot | More toots from elfy@chaos.social
text/geminiThis content has been proxied by September (ba2dc).