Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/boot/boot.sh startup script should use TPM counters #155

Closed
osresearch opened this issue Apr 3, 2017 · 0 comments
Closed

/boot/boot.sh startup script should use TPM counters #155

osresearch opened this issue Apr 3, 2017 · 0 comments
Labels
enhancement installation security

Comments

@osresearch
Copy link
Collaborator

The TPM counters should be used in some way to record the version of the startup script (issue #154) to protect against rollback attacks.
osresearch added a commit that referenced this issue Apr 12, 2017
@osresearch
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110)
353a0ef 
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
@osresearch osresearch mentioned this issue Apr 12, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement installation security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@osresearch