this post was submitted on 17 Jan 2025
42 points (95.7% liked)

Technology

cross-posted from: https://feditown.com/post/981497

Note this post evaluates Linux systems. Microsoft presumably has a different, hopefully better, implementation.

IHawkMike@lemmy.world 12 points 2 days ago* (last edited 2 days ago)

Microsoft uses TPM PCRs 7+11 for BitLocker which is more secure than the Linux implementations mentioned in the article.

PCR 7 is the Secure Boot measurement, which means it can't be unlocked unless no signed boot component has been tampered with up to the point of unlock by the EFI bootloader. PCR 11 is simply flipped from a 0 to a 1 by the bootloader to protect the keys from being extracted in userland from an already booted system.

The article is correct that most Linux implementations blindly following these kinds of "guides" are not secure. Without additional PCRs, specifically 8 and 9 measuring the grub commands (no single-user bypass) and initrd (which is usually on an unencrypted partition), it is trivial to bypass. But the downside of using these additional PCRs is that you need to manually unlock with a LUKS2 password and reseal the keys in TPM whenever the kernel and/or initrd updates.

Of course, to be really secure, you want to require a PIN in addition to TPM to unlock the disk under any OS. But Microsoft's TPM-only implementation is fairly secure with only a few advanced vulnerabilities such as LogoFAIL and cold boot attacks.
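The PCR mechanics the comment above relies on (measurements can only be extended, a sealed key is released only while the selected PCRs match their seal-time values, and extending PCR 11 after unlock closes the door) can be simulated without a TPM. The following is an added example written for this page, not the commenter's code or any real TPM library: the PCR extend rule is the real one, but the policy digest, the "sealing" of the secret, and all measured values are simplified, constructed stand-ins.

```python
import hashlib
H = hashlib.sha256  # PCR bank and policy hash used throughout this model

class Tpm:
    """Simplified TPM model (added example, not a real TPM): PCRs can only be extended."""
    def __init__(self, pcr_count=24):
        self.pcr = [bytes(32)] * pcr_count  # all PCRs are zero after reset
    def extend(self, index, data):
        # PCR[n] = H(PCR[n] || H(data)): every measurement, and its order, is captured
        self.pcr[index] = H(self.pcr[index] + H(data).digest()).digest()
    def policy_digest(self, pcrs):
        # Stand-in for TPM2_PolicyPCR: hash of the selection plus the selected PCR values
        h = H(b"policy-pcr" + bytes(sorted(pcrs)))
        for i in sorted(pcrs):
            h.update(self.pcr[i])
        return h.digest()
    def seal(self, secret, pcrs):
        # Blob records selection and policy digest; the secret is masked with a digest-derived pad
        digest = self.policy_digest(pcrs)
        pad = H(b"kdf" + digest).digest()
        return tuple(sorted(pcrs)), digest, bytes(a ^ b for a, b in zip(secret, pad))
    def unseal(self, blob):
        pcrs, digest, masked = blob
        if self.policy_digest(pcrs) != digest:
            return None  # PCR state differs from seal time: the TPM refuses
        pad = H(b"kdf" + digest).digest()
        return bytes(a ^ b for a, b in zip(masked, pad))

SECRET = b"constructed-volume-key-32-bytes!"  # constructed stand-in for a LUKS volume key
GOOD_INITRD, GOOD_CMDLINE = b"constructed initrd image", b"linux /vmlinuz root=LABEL=rootfs"

def measured_boot(tpm, initrd, cmdline):
    # Constructed measurements: PCR 7 = Secure Boot policy (same each boot), 8 = bootloader cmdline, 9 = initrd
    tpm.extend(7, b"SecureBoot=1 db=constructed-db-hash")
    tpm.extend(8, cmdline)
    tpm.extend(9, initrd)

def unlocks(pcrs, initrd, cmdline):
    # Seal on a known-good boot, then try to unseal on a boot with this initrd/cmdline
    good = Tpm(); measured_boot(good, GOOD_INITRD, GOOD_CMDLINE)
    blob = good.seal(SECRET, pcrs)
    boot = Tpm(); measured_boot(boot, initrd, cmdline)
    return boot.unseal(blob) == SECRET

def pcr11_flip():
    """Post-unlock PCR 11 extend: the key is recoverable before it, not after."""
    tpm = Tpm(); measured_boot(tpm, GOOD_INITRD, GOOD_CMDLINE)
    blob = tpm.seal(SECRET, {7, 11})
    before = tpm.unseal(blob) == SECRET
    tpm.extend(11, b"unlocked")  # the bootloader does this right after releasing the key
    return before, tpm.unseal(blob) == SECRET
```

With `unlocks({7}, ...)` a changed initrd still unseals, while `unlocks({7, 8, 9}, ...)` refuses for a changed initrd or command line, which is exactly why the extra PCRs (and the reseal after every kernel/initrd update) are needed.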

Kusimulkku@lemm.ee 4 points 2 days ago* (last edited 1 day ago)

I was really intrigued when I heard openSUSE Aeon would be defaulting to automatic TPM unlocking. I thought it would be nice; it just boots into my login screen, and that's handy since I'd just have to write one password (instead of writing the LUKS unlocking password and my login password, I would just write the login password).

Then I realized I can just set my account to autologin and I'll still have to write just one password (LUKS), with the added benefit that it doesn't automatically unlock/decrypt the system. Oh well.