TPM Encryption does not fail if secureboot is not enabled #8995
Comments
An alternate OS could not retrieve the encryption keys from the TPM (an attacker modifying the firmware, or bootloader, or decryption tool (or analogues in e.g. an embedded device without a full OS) - whether directly, or by booting from a different boot device / program - will mean the PCRs don't have the same value and render the decryption key unavailable) - but the point of this ticket is to provide a configurable mechanism to ensure that SecureBoot is enabled whenever TPM encryption is enabled.
Fixes siderolabs#8995 There is no security impact, as the actual SecureBoot state/configuration is measured into the PCR 7 and the disk encryption key unsealing is tied to this value. This is more to provide a way to avoid accidentally encrypting to the TPM while SecureBoot is not enabled. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
But there is some other issue if for some reason secure boot was not enabled but the disk still got encrypted: if you notice the error and activate secure boot, you cannot read the data afterwards anymore.
From slack, goal is a Talos configuration option in the config file that checks that SecureBoot is enabled, and if it is not, the system will do ... something
Fixes siderolabs#8995 There is no security impact, as the actual SecureBoot state/configuration is measured into the PCR 7 and the disk encryption key unsealing is tied to this value. This is more to provide a way to avoid accidentally encrypting to the TPM while SecureBoot is not enabled. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit cf5effa)
Bug Report
Description
If the host machine has secureboot disabled, but the TPM available, Talos proceeds to install. There is no way to restrict the encryption. An attacker could boot an alternate OS and retrieve the encryption keys.
It would be great to have an additional config parameter in the tpm encryption requiring secure boot to be enabled, else disk encryption fails.
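An added example (not Talos code, and not the fix Andrey committed) showing the check this report asks for and the PCR 7 reasoning from the commit message and the later comment: it reads the UEFI SecureBoot variable from sysfs, applies a hypothetical "require Secure Boot" option before allowing TPM encryption, and models the PCR 7 measurement to show why a key sealed with Secure Boot off no longer unseals once Secure Boot is turned on. The efivar path is the standard Linux one; the option name, the simplified single-byte PCR 7 event and the constructed test bytes are assumptions.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
)

// efivars files: 4 bytes of attribute flags, then the data; SecureBoot data is 1 byte (1 = enabled).
const secureBootVar = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
// ParseSecureBoot decodes raw efivar contents into an enabled flag.
func ParseSecureBoot(raw []byte) (bool, error) {
	if len(raw) < 5 {
		return false, errors.New("SecureBoot efivar too short")
	}
	return raw[4] == 1, nil
}

// ReadSecureBoot reads the live variable from sysfs.
func ReadSecureBoot() (bool, error) {
	raw, err := os.ReadFile(secureBootVar)
	if errors.Is(err, os.ErrNotExist) { // legacy BIOS boot or no Secure Boot support
		return false, nil
	} else if err != nil {
		return false, err
	}
	return ParseSecureBoot(raw)
}

// PCR7For is a simplified model of firmware measuring the Secure Boot state
// into PCR 7: extend = SHA256(old || SHA256(event)), old being zero after reset.
func PCR7For(secureBoot bool) [32]byte {
	ev := sha256.Sum256([]byte{map[bool]byte{true: 1}[secureBoot]})
	return sha256.Sum256(append(make([]byte, 32), ev[:]...))
}

// CheckEncryptionPolicy is the gate the issue asks for (option name is hypothetical).
func CheckEncryptionPolicy(requireSecureBoot, secureBootEnabled bool) error {
	if requireSecureBoot && !secureBootEnabled {
		return errors.New("TPM disk encryption requested but Secure Boot is disabled")
	}
	return nil
}

func main() {
	sb, err := ReadSecureBoot()
	fmt.Println("secure boot:", sb, "err:", err, "policy:", CheckEncryptionPolicy(true, sb))
	fmt.Println("key sealed with SB off still unseals after enabling SB:", PCR7For(false) == PCR7For(true))
}
```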