「Trusted Platform Module」の版間の差分
Kusanaginoturugi (トーク | 投稿記録) (→使用方法: == Using TPM 1.2 == の中に移動) |
Kusanaginoturugi (トーク | 投稿記録) (→トラブルシューティング: == Using TPM 2.0 == を追加) |
||
| 93行目: | 93行目: | ||
{{Note|上記の方法では複数の鍵を生成・使用することはできません。}} |
{{Note|上記の方法では複数の鍵を生成・使用することはできません。}} |
||
| + | |||
| + | == Using TPM 2.0 == |
||
| + | |||
| + | {{Expansion|This section is a stub. You can help by expanding it with information on how to set up and use a TPM 2.0 device.}} |
||
| + | |||
| + | Many informative resources to learn how to configure and make use of TPM 2.0 services in daily applications are available from the [https://tpm2-software.github.io/ tpm2-software community]. |
||
| + | |||
| + | === Checking support === |
||
| + | |||
| + | A TPM 2.0 chip has been a requirement for computers certified to run Windows 10 since 2016-07-28.[https://www.computerworld.com/article/3101427/microsoft-mandates-windows-10-hardware-change-for-pc-security.html] Linux has support for TPM 2.0 since version 3.20[https://www.phoronix.com/scan.php?page=news_item&px=Linux-3.20-TPM-2.0-Security] and should not require any other steps to be enabled on a default Arch install. |
||
| + | |||
| + | Two ways to verify whether TPM 2.0 is setup without specific software: |
||
| + | |||
| + | * checking the logs, e.g., by running {{ic|1=journalctl -k --grep=tpm}} as root |
||
| + | * read the value of {{ic|/sys/class/tpm/tpm0/device/description}}[https://github.com/tpm2-software/tpm2-tools/issues/604#issuecomment-342784674] or {{ic|/sys/class/tpm/tpm0/tpm_version_major}} |
||
| + | |||
| + | === Data-at-rest encryption with LUKS === |
||
| + | |||
| + | There are two methods for unlocking a LUKS volume using a TPM. An older method using {{Pkg|clevis}}, and a newer method using ''systemd-cryptenroll''. The newer method will be detailed first. |
||
| + | |||
| + | Using either method, an encrypted volume or volumes may be unlocked using keys stored in a TPM, either automatically at boot or manually at a later time. Using a TPM for this purpose ensures that your drives will not unlock unless certain conditions are met, such as your firmware not having been modified and [[Secure Boot]] not having been disabled (see [[#Accessing PCR registers]]). |
||
| + | |||
| + | {{Warning|If you use this method on your root volume, this means that, as long as the previously mentioned certain conditions are met, your computer will '''unlock automatically''' at boot without needing to enter an encryption password. |
||
| + | * This means that access to data is not protected in case the hardware gets stolen. |
||
| + | * Be aware that this method makes you more vulnerable to [[Wikipedia:Cold boot attack|cold boot attacks]], because even if your computer has been powered off for a long time (ensuring the memory is completely cleared), an attacker could simply turn it on and wait for the TPM to load the key automatically. This may be a concern for high-value targets. |
||
| + | }} |
||
| + | |||
| + | ==== systemd-cryptenroll ==== |
||
| + | |||
| + | Since version 248, [[systemd]] has had native support for enrolling LUKS keys in TPMs. This functionality is managed through the ''systemd-cryptenroll'' command. This method requires the following: |
||
| + | |||
| + | * A LUKS2 device (currently the default type used by [[Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt|cryptsetup]]), |
||
| + | * If you intend to use this method on your root partition, use of the {{ic|systemd}} and {{ic|sd-encrypt}} hooks in the initramfs. See [[Mkinitcpio#HOOKS]] and [[Dm-crypt/System_configuration#Using_sd-encrypt_hook|Using sd-encrypt hook]]. |
||
| + | |||
| + | To begin, run the following command to list your installed TPMs: |
||
| + | |||
| + | $ systemd-cryptenroll --tpm2-device=list |
||
| + | |||
| + | A key may be enrolled in both the TPM and the LUKS volume using only one command. The following example binds the key to PCRs 0 and 7 (the system firmware and [[Secure Boot]] state): |
||
| + | |||
| + | # systemd-cryptenroll --tpm2-device=''/path/to/tpm2_device'' --tpm2-pcrs=0,7 /dev/sdX |
||
| + | |||
| + | where {{ic|/dev/sdX}} is the full path to the encrypted LUKS volume and {{ic|''/path/to/tpm2_device''}} is the full path to the TPM as given in the output of the first command. |
||
| + | |||
| + | {{Tip|If your computer has only one TPM installed, which is usually the case, you may instead specify {{ic|1=--tpm2-device=auto}} to automatically select the only available TPM.}} |
||
| + | |||
| + | To test that the key works, run the following command while the LUKS volume is closed: |
||
| + | |||
| + | # /usr/lib/systemd/systemd-cryptsetup attach ''mapping_name'' /dev/sdX - tpm2-device=''/path/to/tpm2_device'' |
||
| + | |||
| + | where {{ic|''mapping_name''}} is your chosen name for the volume once opened. If the volume successfully unlocks, you are ready to add the required information to the [[crypttab]] so that [[systemd]] can automatically unlock the device at boot. |
||
| + | |||
| + | {{hc|/etc/crypttab|2= |
||
| + | # Example crypttab file. Fields are: name, underlying device, passphrase, cryptsetup options. |
||
| + | |||
| + | # Unlock /dev/sdX using the only available TPM, naming it myvolume |
||
| + | myvolume /dev/sdX - tpm2-device=auto |
||
| + | }} |
||
| + | |||
| + | {{Note|While you may specify the UUID of your LUKS volume in place of the pathname {{ic|/etc/crypttab}}, the ''systemd-cryptenroll'' command itself currently only supports pathnames.}} |
||
| + | |||
| + | If the volume you wish to unlock contains your root filesystem, you must take the following additional steps: |
||
| + | |||
| + | * Ensure you are using {{ic|systemd}} and {{ic|sd-encrypt}} in the {{ic|HOOKS}} array of {{ic|/etc/mkinitcpio.conf}} |
||
| + | * Configure your initramfs to unlock the root volume with one of the following methods: |
||
| + | ** Specifying the root volume using the configuration outlined above in {{ic|/etc/crypttab.initramfs}} (see tip at the top of [[Dm-crypt/System_configuration#Using_sd-encrypt_hook|Using sd-encrypt hook]]) |
||
| + | ** Setting {{ic|1=rd.luks.options=''XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX''=tpm2-device=auto}} in addition to {{ic|rd.luks.uuid}} or {{ic|rd.luks.name}} in the kernel command line |
||
| + | |||
| + | To remove a key enrolled using this method, run: |
||
| + | |||
| + | # systemd-cryptenroll /dev/sdX --wipe-slot=''slot_number'' |
||
| + | |||
| + | where {{ic|''slot_number''}} is the numeric LUKS slot number in which your TPM key is stored. |
||
| + | |||
| + | Alternatively, run: |
||
| + | |||
| + | # systemd-cryptenroll /dev/sdX --wipe-slot=tpm2 |
||
| + | |||
| + | to remove all TPM-associated keys from your LUKS volume. |
||
| + | |||
| + | See {{man|1|systemd-cryptenroll}} and {{man|5|crypttab}} for more information and examples. |
||
| + | |||
| + | ==== Clevis ==== |
||
| + | |||
| + | {{Pkg|clevis}} allows binding a LUKS volume to a system by creating a key and encrypting it using the TPM, and sealing the key using PCR values which represent the system state at the time of the Clevis pin creation. |
||
| + | |||
| + | {{Warning|Set a strong backup password in case the TPM unsealing fails, using: |
||
| + | |||
| + | {{bc|# cryptsetup luksAddKey /dev/sdX}} |
||
| + | }} |
||
| + | |||
| + | To bind a LUKS volume to the TPM, use: |
||
| + | |||
| + | # clevis luks bind -d /dev/sdX tpm2 '{}' |
||
| + | |||
| + | where {{ic|'{}'|}} contains the configuration. Even with no parameters, the drive cannot be decrypted from another computer (unless the attacker knows the backup password). |
||
| + | |||
| + | To seal the LUKS key against, for example, the UEFI settings and the [[Secure Boot]] policy, use: |
||
| + | |||
| + | {{bc|'{"pcr_ids":"1,7"}'}} |
||
| + | |||
| + | If the UEFI or Secure Boot settings are modified, the TPM will compute different PCR values and decryption will fail. This gives protection against [[wikipedia:Evil maid attack|evil maid attacks]]. |
||
| + | |||
| + | For a list of parameters, see {{man|1|clevis-encrypt-tpm2|CONFIG}}. |
||
| + | |||
| + | For a full explanation of the meanings of PCRs, see the [https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf TCG specification] (§ 2.3.4). |
||
| + | |||
| + | To generate a new Clevis pin after changes in system configuration that result in different PCR values, for example updating the UEFI when PCR 0 is used, run |
||
| + | |||
| + | {{hc|# cryptsetup luksDump /dev/sdX|output= |
||
| + | Tokens: |
||
| + | ''token slot'': clevis |
||
| + | Keyslot: ''keyslot'' |
||
| + | }} |
||
| + | |||
| + | to find the slot used for the Clevis pin, then |
||
| + | |||
| + | # clevis luks regen -d /dev/sdX -s ''keyslot'' |
||
| + | |||
| + | To remove the Clevis binding, run: |
||
| + | |||
| + | # clevis luks unbind -d /dev/sdX -s ''keyslot'' |
||
| + | |||
| + | {{Warning|Double check you have chosen the right slot, or you might lose access to your volume.}} |
||
| + | |||
| + | You can unlock a TPM-bound volume using: |
||
| + | |||
| + | # clevis luks unlock -d /dev/sdX |
||
| + | |||
| + | For automated decryption of volumes in [[Dm-crypt/System_configuration#crypttab|/etc/crypttab]], [[enable]] {{ic|clevis-luks-askpass.path}}. |
||
| + | |||
| + | For automated decryption of the root volume, use [[Booster]], [[Dracut]] or [https://github.com/kishorv06/arch-mkinitcpio-clevis-hook mkinitcpio-clevis-hook]. Booster automatically decrypts LUKS volumes bound using Clevis out of the box. Dracut and mkinitcpio-clevis-hook needs the following extra packages: |
||
| + | |||
| + | * {{Pkg|libpwquality}} |
||
| + | * {{Pkg|luksmeta}} |
||
| + | * {{Pkg|nmap}} (For Dracut) |
||
| + | * {{Pkg|tpm2-tools}} (For mkinitcpio-clevis-hook) |
||
| + | |||
| + | followed by an initramfs regeneration: |
||
| + | |||
| + | Dracut: |
||
| + | # dracut -f |
||
| + | |||
| + | mkinitcpio-clevis-hook: |
||
| + | # mkinitcpio -P |
||
| + | |||
| + | === Other good examples of TPM 2.0 usage === |
||
| + | |||
| + | * SSH: {{Pkg|tpm2-pkcs11}}'s [https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/SSH.md SSH configuration] and [https://incenp.org/notes/2020/tpm-based-ssh-key.html Using a TPM for SSH authentication] (2020-01) |
||
| + | * [https://threat.tevora.com/secure-boot-tpm-2/ Configuring Secure Boot + TPM 2] (2018-06, Debian) |
||
| + | * [https://www.youtube.com/watch?v=XwaSyHJIos8 Using the TPM - It's Not Rocket Science (Anymore)] - Johannes Holland & Peter Huewe (2020-11, Youtube): examples for OpenSSL with {{Pkg|tpm2-tss-engine}} |
||
== トラブルシューティング == |
== トラブルシューティング == |
||
2021年7月21日 (水) 11:13時点における版
Trusted Platform Module (TPM) はセキュアな暗号プロセッサの国際規格です。暗号鍵をデバイスに統合することによりハードウェアを保護する専用のマイクロプロセッサとして設計されています。
実際に TPM を Secure Boot や Key Storage など様々なセキュリティアプリケーションで使うことができます。
当然ながら TPM が使えるのは TPM ハードウェアに対応しているデバイスだけです。あなたのハードウェアは TPM をサポートしているのに認識されない場合、BIOS の設定で TPM を有効にする必要があります。
目次
バージョン
TPM 2.0 が搭載されたシステムで tcsd を実行すると以下のようになります:
# cat /sys/class/tpm/tpm0/device/description TPM 2.0 Device
# tcsd -f TCSD TDDL ioctl: (25) Inappropriate ioctl for device TCSD TDDL Falling back to Read/Write device support. TCSD TCS ERROR: TCS GetCapability failed with result = 0x1e
この記事では主に TPM 1.2 を扱っています。
Using TPM 1.2
ドライバー
TPM ドライバーは新しいカーネルならネイティブで含まれていますが、ロードする必要があります:
# modprobe tpm
さらに、使用しているチップセットにあわせて、以下のモジュールのどれかをロードしてください:
# modprobe tpm_{atmel,bios,infineon,nsc,tis,crb}
使用方法
TPM は tcsd によって管理します。Trusted Computing リソースを管理するユーザー空間のデーモンで、(TSS の仕様によれば) TPM デバイスドライバーの唯一の表玄関です。tcsd は AUR パッケージの trousersAUR に含まれています。IBM によって開発・リリースされており、/etc/tcsd.conf で設定することが可能です。
tcsd を起動して出力を監視するには、次を実行:
# tcsd -f
もしくは tcsd.service を起動・有効化してください。
tcsd を実行したら、tpm-toolsAUR もインストールすると良いでしょう。TPM を管理するためのコマンドラインツールが多数入っています。
他の便利なツール:
- tpmmanager — tpm-tools の Qt フロントエンド。
- openssl_tpm_engine — TSS API と対話する OpenSSL エンジン。
- tpm_keyring2 — TPM ベースの eCryptfs 鍵を管理するキーマネージャ。
- https://sourceforge.net/projects/trousers || tpm_keyring2AUR[リンク切れ: アーカイブ: aur-mirror]
- opencryptoki — Linux の PKCS#11 実装。IBM の暗号ハードウェアを使用するためのドライバーやライブラリ、テスト用のソフトウェアトークンが含まれています。
基本
まずは基本的なバージョン情報を確認してください:
$ tpm_version
そしてセルフテストを実行:
$ tpm_selftest -l info TPM Test Results: 00000000 ... tpm_selftest succeeded
SSH 鍵のセキュア化
TPM を使って鍵を保護する方法は複数存在しますが、以下では simple-tpm-pk11-gitAUR を使用する簡単な方法を説明します。
まず、新しいディレクトリを作成して鍵を生成してください:
$ mkdir ~/.simple-tpm-pk11 $ stpm-keygen -o ~/.simple-tpm-pk11/my.key
鍵を設定:
~/.simple-tpm-pk11/config
key my.key
SSH を設定して適切な PKCS11 プロバイダを使用する:
~/.ssh/config
Host *
PKCS11Provider /usr/lib/libsimple-tpm-pk11.so
これで PKCS11 プロバイダで鍵を生成することができます:
$ ssh-keygen -D /usr/lib/libsimple-tpm-pk11.so
Using TPM 2.0
Many informative resources to learn how to configure and make use of TPM 2.0 services in daily applications are available from the tpm2-software community.
Checking support
A TPM 2.0 chip has been a requirement for computers certified to run Windows 10 since 2016-07-28.[1] Linux has support for TPM 2.0 since version 3.20[2] and should not require any other steps to be enabled on a default Arch install.
Two ways to verify whether TPM 2.0 is setup without specific software:
- checking the logs, e.g., by running
journalctl -k --grep=tpmas root - read the value of
/sys/class/tpm/tpm0/device/description[3] or/sys/class/tpm/tpm0/tpm_version_major
Data-at-rest encryption with LUKS
There are two methods for unlocking a LUKS volume using a TPM. An older method using clevis, and a newer method using systemd-cryptenroll. The newer method will be detailed first.
Using either method, an encrypted volume or volumes may be unlocked using keys stored in a TPM, either automatically at boot or manually at a later time. Using a TPM for this purpose ensures that your drives will not unlock unless certain conditions are met, such as your firmware not having been modified and Secure Boot not having been disabled (see #Accessing PCR registers).
systemd-cryptenroll
Since version 248, systemd has had native support for enrolling LUKS keys in TPMs. This functionality is managed through the systemd-cryptenroll command. This method requires the following:
- A LUKS2 device (currently the default type used by cryptsetup),
- If you intend to use this method on your root partition, use of the
systemdandsd-encrypthooks in the initramfs. See Mkinitcpio#HOOKS and Using sd-encrypt hook.
To begin, run the following command to list your installed TPMs:
$ systemd-cryptenroll --tpm2-device=list
A key may be enrolled in both the TPM and the LUKS volume using only one command. The following example binds the key to PCRs 0 and 7 (the system firmware and Secure Boot state):
# systemd-cryptenroll --tpm2-device=/path/to/tpm2_device --tpm2-pcrs=0,7 /dev/sdX
where /dev/sdX is the full path to the encrypted LUKS volume and /path/to/tpm2_device is the full path to the TPM as given in the output of the first command.
To test that the key works, run the following command while the LUKS volume is closed:
# /usr/lib/systemd/systemd-cryptsetup attach mapping_name /dev/sdX - tpm2-device=/path/to/tpm2_device
where mapping_name is your chosen name for the volume once opened. If the volume successfully unlocks, you are ready to add the required information to the crypttab so that systemd can automatically unlock the device at boot.
/etc/crypttab
# Example crypttab file. Fields are: name, underlying device, passphrase, cryptsetup options. # Unlock /dev/sdX using the only available TPM, naming it myvolume myvolume /dev/sdX - tpm2-device=auto
If the volume you wish to unlock contains your root filesystem, you must take the following additional steps:
- Ensure you are using
systemdandsd-encryptin theHOOKSarray of/etc/mkinitcpio.conf - Configure your initramfs to unlock the root volume with one of the following methods:
- Specifying the root volume using the configuration outlined above in
/etc/crypttab.initramfs(see tip at the top of Using sd-encrypt hook) - Setting
rd.luks.options=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=tpm2-device=autoin addition tord.luks.uuidorrd.luks.namein the kernel command line
- Specifying the root volume using the configuration outlined above in
To remove a key enrolled using this method, run:
# systemd-cryptenroll /dev/sdX --wipe-slot=slot_number
where slot_number is the numeric LUKS slot number in which your TPM key is stored.
Alternatively, run:
# systemd-cryptenroll /dev/sdX --wipe-slot=tpm2
to remove all TPM-associated keys from your LUKS volume.
See systemd-cryptenroll(1) and crypttab(5) for more information and examples.
Clevis
clevis allows binding a LUKS volume to a system by creating a key and encrypting it using the TPM, and sealing the key using PCR values which represent the system state at the time of the Clevis pin creation.
To bind a LUKS volume to the TPM, use:
# clevis luks bind -d /dev/sdX tpm2 '{}'
where '{}' contains the configuration. Even with no parameters, the drive cannot be decrypted from another computer (unless the attacker knows the backup password).
To seal the LUKS key against, for example, the UEFI settings and the Secure Boot policy, use:
'{"pcr_ids":"1,7"}'
If the UEFI or Secure Boot settings are modified, the TPM will compute different PCR values and decryption will fail. This gives protection against evil maid attacks.
For a list of parameters, see clevis-encrypt-tpm2(1) § CONFIG.
For a full explanation of the meanings of PCRs, see the TCG specification (§ 2.3.4).
To generate a new Clevis pin after changes in system configuration that result in different PCR values, for example updating the UEFI when PCR 0 is used, run
# cryptsetup luksDump /dev/sdX
Tokens:
token slot: clevis
Keyslot: keyslot
to find the slot used for the Clevis pin, then
# clevis luks regen -d /dev/sdX -s keyslot
To remove the Clevis binding, run:
# clevis luks unbind -d /dev/sdX -s keyslot
You can unlock a TPM-bound volume using:
# clevis luks unlock -d /dev/sdX
For automated decryption of volumes in /etc/crypttab, enable clevis-luks-askpass.path.
For automated decryption of the root volume, use Booster, Dracut or mkinitcpio-clevis-hook. Booster automatically decrypts LUKS volumes bound using Clevis out of the box. Dracut and mkinitcpio-clevis-hook needs the following extra packages:
- libpwquality
- luksmeta
- nmap (For Dracut)
- tpm2-tools (For mkinitcpio-clevis-hook)
followed by an initramfs regeneration:
Dracut:
# dracut -f
mkinitcpio-clevis-hook:
# mkinitcpio -P
Other good examples of TPM 2.0 usage
- SSH: tpm2-pkcs11's SSH configuration and Using a TPM for SSH authentication (2020-01)
- Configuring Secure Boot + TPM 2 (2018-06, Debian)
- Using the TPM - It's Not Rocket Science (Anymore) - Johannes Holland & Peter Huewe (2020-11, Youtube): examples for OpenSSL with tpm2-tss-engine
トラブルシューティング
tcsd.service が起動しない
パーミッションの問題が原因で tcsd.service サービスが起動できないのかもしれません [4]。以下のコマンドで解決できる可能性があります:
# chown tss:tss /dev/tpm* # chown -R tss:tss /var/lib/tpm