Handle TPM2 + passphrase
codicodi opened this issue · 5 comments
A while ago systemd got support for TPM2 + passphrase setup:
systemd/systemd#22563
It would be nice if booster supported unlocking such volumes as well
I added booster boilerplate to handle PIN. Now I need to use the pincode to unseal the value.
I am looking for help from someone who understands the tpm2-tss
API and can translate the systemd's change into go-tpm
equivalent. See booster's tpm2Unseal()
function and its new parameter password
that is sha256 hashed content on PIN.
Alright, I think I figured out the logic. I improved booster code and the test shows it is able to unlock a drive locked with systems tpm+pin.
Please pull the changes from wip
branch and test it with your setup.
Thanks for looking into this.
Unlocking does indeed work, but the whole procedure appears a bit messy.
First, booster asks for a passphrase which I guess refers to a recovery key also enrolled on this drive. I entered it incorrectly and booster asked for a PIN next. I entered the PIN (correctly) and booster once again showed the passphrase prompt, but the system booted after a short while anyway without me entering anything.
Interestingly the log complains about no tpm devices being found just before obtaining password for the tpm2 token
Booster tries to unlock all possible LUKS slots in parallel. Such an algorithm would work well if slots are non-interactive (non-PIN tpm, clevis, ...). The first valid slot unlocks the partition, and other slots processors get canceled.
In your case, you have 2 interactive slots that require some sort of pin/password. So the prompts you see are interleaved.
My guess you expected to see only 1 interactive slot processed at a time. But which one should be processed/prompted first? And why?
A TPM2 PIN is supposed to be safe, yet convenient (lowish entropy; easy to type). If a user went to trouble of enrolling it, it's probably the preferable way of unlocking.
Regular passphrases (including recovery key) could be tried next. Correct me if I'm wrong, but I think the order no longer matters since booster can just keep asking until given passphrase matches one of the slots.