mirror, mirror on the wall

mirror, mirror on the wall

Encrypt root partition with LUKS and decrypt with TPM without password prompt

Posted on .

Tested on CentOS 6.5

From BIOS choose boot mode "Legacy Only" and check if TPM is enabled and install CentOS with encrypted root partition:
/dev/sda1	/boot
/dev/sda2	swap
/dev/sda3	/ (encrypted)

Post install configuration:

# yum install tpm-tools

# /etc/init.d/tcsd start
(If TPM is not enabled or is missing will see error)
# tpm_takeownership -z
(If see error need to clear TPM because ownership has been taken already)
# wget --no-check-certificate https://projects.sirrix.com/svn/trustedgrub/release/TrustedGRUB-1.1.5.tar.gz

# tar zxvf TrustedGRUB-1.1.5.tar.gz

# cd TrustedGRUB-1.1.5/

# yum install automake gcc glibc-devel glibc-devel.i686 libgcc.i686

# ./build_tgrub.sh

# cp default /boot/grub/

# cd TrustedGRUB-1.1.5/

# make install

# rm -rf /boot/grub/stage*

# rm -rf /boot/grub/*1_5

# cp ./stage1/stage1 /boot/grub

# cp ./stage2/stage2 /boot/grub

# ./grub/grub --no-floppy
	root (hd0,0)
	setup (hd0)
# vi /usr/share/dracut/modules.d/90crypt/cryptroot-ask.sh
after line 104 add following:
        if [ $ask_passphrase -ne 0 ]; then
                /sbin/modprobe tpm_infineon
                /bin/mknod -m 644 /dev/urandom c 1 9 
                ifconfig lo
                /usr/sbin/tcsd -f &
                sleep 3
                mkdir /mnt
                mount -t ext4 /dev/sda1 /mnt
                /usr/bin/tpm_unsealdata -z -i /mnt/sealed_key | cryptsetup luksOpen "$device" "$luksname" && ask_passphrase=0
                umount /mnt
# vi /sbin/dracut
edit line 335 to:
	if ! ( umask 077; cd "$initdir"; find . |cpio -H newc -o --quiet| \
# dracut --add-drivers tpm_infineon -I "/usr/sbin/tcsd /etc/tcsd.conf /usr/bin/tpm_unsealdata /var/lib/tpm/system.data /etc/passwd /etc/group /etc/nsswitch.conf /lib64/libnss_files.so.2 /etc/hosts /lib64/libnss_dns.so.2 /sbin/ifconfig" luks-2.6.32-431.el6.x86_64.img

(Use version number of running kernel)
# cp luks-2.6.32-431.el6.x86_64.img /boot

# vi /boot/grub/menu.lst
	Replace initramfs with luks
# reboot

Add LUKS password and login.

# killall tcsd

# /etc/init.d/tcsd start

# echo YourLUKSpassword | tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p 14 -o /boot/sealed_key

# history -c
(Clear YourLUKSPassword from bash history)
# reboot

System will boot without password prompt for LUKS.
Few steps should be changed and the example from above will work on Ubuntu 14.04

# apt-get install automake gcc-multilib texinfo

In TrustedGRUB-1.1.5/stage[12]/Makefile.am replace 'pkglib_DATA' with 'pkgdata_DATA' otherwise TrustedGRUB will not compile.

Create /boot/grub/menu.lst
title Ubuntu
        root (hd0,0)
        kernel /vmlinuz-3.16.0-30-generic root=/dev/mapper/ubuntu--vg-root ro quiet
        initrd /initrd.img-3.16.0-30-generic 

# vim /usr/share/initramfs-tools/scripts/local-top/cryptroot
Add at line 251
        if [ $count -eq 1 ]; then
                modprobe -q tpm_infineon
                mknod /dev/tpm c 10 224
                ifconfig lo
                mkdir /mnt
                mount /dev/sda1 /mnt
                mkdir -p /var/lib/tpm
                cp /mnt/system.data /var/lib/tpm
                sleep 3
                tpm_unsealdata -z -i /mnt/sealed_key | cryptsetup luksOpen "$cryptsource" "$crypttarget" && ask_passphrase=0
                umount /mnt
Replace line
if [ -z "$cryptkeyscript" ]
if [ -z "$cryptkeyscript" ] && [ $ask_passphrase -eq 1 ]; then
Replace line
if [ ! -e "$NEWROOT" ]
if [ ! -e "$NEWROOT" ] && [ $ask_passphrase -eq 1 ]; then
# vim /usr/sbin/mkinitramfs
Add at line 296
        copy_exec /usr/sbin/tcsd /sbin
        copy_exec /usr/bin/tpm_unsealdata /sbin
        copy_exec /etc/passwd   /etc
        copy_exec /etc/group    /etc
        copy_exec /etc/hosts    /etc
        copy_exec /etc/nsswitch.conf /etc
        copy_exec /lib/x86_64-linux-gnu/libnss_files.so.2 /lib
        copy_exec /lib/x86_64-linux-gnu/libnss_dns.so.2 /lib

# cp /var/lib/tpm/system.data /boot



Creative Commons