Hello all,
This is spawned from another recent thread on this list, with the subject
"Is tpm2-measure-pcr really an additional security?", started by Yann
Diorcet. There's some confusion about what scenario exactly is being discussed
in that thread, and in an attempt to clarify I think I came up with
10.03.2025 18:16, Adrian Vovk wrote:
Hello,
Just to see if I understand your concern correctly, I'll try boiling it
down to its simplest, by cutting out the need for two partitions. Here's
the scenario:
- An attacker replaces the real rootfs with a malicious one that just drops
to a shell. The
On 10/03/2025 at 17:27, Adrian Vovk wrote:
Hello,
On Mon, Mar 10, 2025, 12:06 Mikko Rapeli wrote:
Hi,
On Mon, Mar 10, 2025 at 11:16:25AM -0400, Adrian Vovk wrote:
> Hello,
>
> Just to see if I understand your concern correctly, I'll try boiling it
> down to its
On Mon, Mar 10, 2025 at 09:10:59PM +, aplanas wrote:
> On 2025-03-10 19:04, Adrian Vovk wrote:
>
> > Presuming a system like this:
> > - We've got a Linux desktop system
> > - We have two dm-verity protected /usr partitions
> > - We have one encrypted rootfs
> > - We're using systemd-repart to
On 2025-03-10 18:25, Diorcet Yann wrote:
On 10/03/2025 at 17:27, Adrian Vovk wrote:
2) Just before opening the var LUKS:
PCR15=0 or something predictable
cryptsetup is used to open var and update PCR15 thanks to
tpm2-measure-pcr=yes. But in this case /dev/sda1 is replaced with the
original
Hi,
Sorry for my English, I'm not a native English speaker.
On Mon, 10 March 2025 at 10:04, Lennart Poettering wrote:
>
> On Sa, 08.03.25 19:52, Diorcet Yann (diorcet.y...@gmail.com) wrote:
>
> > Hello,
> >
> > I'm in the process of using SecureBoot, TPM2.0 and LUKS2 to protect an
> > industrial
On 2025-03-10 08:41, Andrei Borzenkov wrote:
On Mon, Mar 10, 2025 at 11:03 AM aplanas wrote:
On 2025-03-08 18:52, Diorcet Yann wrote:
> - Fake the second (using UUID/PARTLABEL/...) but using LUKS partition
> from the "good" root partition
This is done by "systemd-pcrfs[-root]". The attack
On Sa, 08.03.25 19:52, Diorcet Yann (diorcet.y...@gmail.com) wrote:
> Hello,
>
> I'm in the process of using SecureBoot, TPM2.0 and LUKS2 to protect an
> industrial embedded computer.
>
> I have a chain of trust in the UEFI (own secure boot keys/certificates),
> signed grub2, all files u
On Mon, Mar 10, 2025 at 11:03 AM aplanas wrote:
>
> On 2025-03-08 18:52, Diorcet Yann wrote:
>
> > But in the case of multiple partitions unlocked by the initrd, I can't
> > figure why an attacker couldn't succeed to :
> >
> > - Clone the original disk (notably ESP)
> >
> > - Replace root partitio