Comments (5)
anatol
commented on September 28, 2024
I added booster boilerplate to handle PIN. Now I need to use the pincode to unseal the value.
I am looking for help from someone who understands the tpm2-tss API and can translate the systemd's change into go-tpm equivalent. See booster's tpm2Unseal() function and its new parameter password that is sha256 hashed content on PIN.
from booster.
anatol
commented on September 28, 2024
Alright, I think I figured out the logic. I improved booster code and the test shows it is able to unlock a drive locked with systems tpm+pin.
Please pull the changes from wip branch and test it with your setup.
from booster.
codicodi
commented on September 28, 2024
Thanks for looking into this.
Unlocking does indeed work, but the whole procedure appears a bit messy.
First, booster asks for a passphrase which I guess refers to a recovery key also enrolled on this drive. I entered it incorrectly and booster asked for a PIN next. I entered the PIN (correctly) and booster once again showed the passphrase prompt, but the system booted after a short while anyway without me entering anything.
Interestingly the log complains about no tpm devices being found just before obtaining password for the tpm2 token
from booster.
anatol
commented on September 28, 2024
Booster tries to unlock all possible LUKS slots in parallel. Such an algorithm would work well if slots are non-interactive (non-PIN tpm, clevis, ...). The first valid slot unlocks the partition, and other slots processors get canceled.
In your case, you have 2 interactive slots that require some sort of pin/password. So the prompts you see are interleaved.
My guess you expected to see only 1 interactive slot processed at a time. But which one should be processed/prompted first? And why?
from booster.
codicodi
commented on September 28, 2024
A TPM2 PIN is supposed to be safe, yet convenient (lowish entropy; easy to type). If a user went to trouble of enrolling it, it's probably the preferable way of unlocking.
Regular passphrases (including recovery key) could be tried next. Correct me if I'm wrong, but I think the order no longer matters since booster can just keep asking until given passphrase matches one of the slots.
from booster.
Related Issues (20)
- `vconsole: true` blocks booting w/ booster exit status 71 HOT 9
- Is it possible to boot without switching root? HOT 6
- cannot reliably unlock encrypted partition with fido2-assert
- LVM on LUKS no password asked HOT 10
- Missing Intel volume management device driver (NVMe)
- systemd-boot now can default to `/efi` as the folder for initramfs images. How does booster cope with that? HOT 7
- quiet option breaks loading
- Improve fsck handling
- Read-only flag for root fs should overwrite the read-write flag
- booster fails when loading microcode image first HOT 5
- Add support for bcachefs
- Boot isn't silent
- ```vconsole: true``` causes systems with encrypted root to freeze. HOT 1
- No keyboard input on Linux >=6.7.6 kernel HOT 3
- Additional mount operation
- [Help/Question] Network Bound Disk Unlocking (Clevis) using Tang on Alpine Linux HOT 3
- recovering clevis token fails HOT 1
- Stuck at waiting for all modules to load HOT 1
- Booster doesn't pass init process arguments properly
- booster lack ability to generate a unified kernel image(uki) uki.efi HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from booster.