Shamir's Secret Sharing on any enrollment method

[nbouchinet-anssi]

Describe the solution you'd like
I've seen multiple issues that asks for a way to combine secrets, like those two: #20936 and #19229

I'm currently working on a patch that might address this problem. The patch is intended to bring Shamir's Secret Sharing to
the systemd-cryptenroll and systemd-cryptsetup code in order to combine any kind of current secret enrollment methods.

This patch will also make it possible to combine multiple same enrollment methods like for exemple TPM2 + FIDO2 Token 1 + FIDO2 Token 2.

Describe alternatives you've considered
Aside from this patch, I first implemented a small Proof of Concept which combine FIDO2-HMAC derivation using a TPM2 sealed seed to get my hands on the systemd code without Shamir's Secret Sharing, but i'm note satisfied with this method as it only permits a combination of TPM2 + FIDO2.

The systemd version you checked that didn't have the feature you are asking for
249

[poettering]

Hmm, what's the precise usecase here? I mean, can see why one might combine a TPM2 device and a FIDO2 device. But SSSS is way over the top for that afaics. i.e. it allows n-out-of-m unlocking, but that's only worth it if n >= 2 and m is kinda "large". As long as it's just allowing two or so it's simple enough to combine them trivially and just enroll multiple combinations, no. So, do you really intend to use like 7 FIDO keys of which any 3 should suffice to unlock a volume? That sounds like an awfully artificial scenario to me though.

Note that right now we don't even treat multiple FIDO2 keys nicely, because we can't recognize them, hence we don't know which question to ask them. There's some ideas what to do about that in #19208. Before SSSS or any other combinatorial unlocking can be implemented we really have to fix that part first...

[nbouchinet-anssi]

What I'd like to see in systemd is a flexible factor-combination, the Shamir's Secret Sharing idea was an attempt to
address more use-cases in a single shot. The generic SSSS use-case idea was an encrypted volume containing sensitive
data that should only be unlocked if n/m users are reunited, in case of missing people.

I'm still ready to implement a factor-combination for systemd-crypt{setup,enroll} and thus help for the
#19208 issue.

Do you have an idea for the factor-combination implementation in mind that I should start with or shall I propose one ?

[j5k]

I would very much welcome a factor combination/shared secret like SSSS. Is there something planned or in development?

Because at the moment I'm using FIDO2 (with PIN and Fingerprint), but am still vulnerable about firmware issues and dependent on vendor trust.. This would be minimized, if we can share the secret.

[nbouchinet-anssi]

Hy, I have a working POC on my github repo, still have to clean up the code and add some tests but you can try it if you want. Feel free to open an issue on my repo !

[VannTen]

I have another use case, which is unlocking a LUKS partition with : the TPM (required) + 1 out of 3 fido2 (can lost up to two keys).

I intended to use shamir secret with https://github.com/latchset/clevis/ , but it does not support FIDO2 tokens.

@nbouchinet-anssi I'll check your branch if I get the time 👍

[j5k]

Any news on this in the meantime?

[nbouchinet-anssi]

Hello @j5k, I stopped my work on the PR for a long time, so this is quite old code, a far cry from the new state of upstream code. The PR is still a work in progress and needs a rebase and a huge refactor on which I will work on soon I hope.

[j5k]

That would be very nice! Thank you @nbouchinet-anssi !

[m00nwtchr]

I have another use case, which is unlocking a LUKS partition with : the TPM (required) + 1 out of 3 fido2 (can lost up to two keys).

I intended to use shamir secret with https://github.com/latchset/clevis/ , but it does not support FIDO2 tokens.

@nbouchinet-anssi I'll check your branch if I get the time 👍

You could do that (assuming a more trivial option to combine only 2 factors is added) by just enrolling the TPM + each of the keys as 3 separate combinations (3 LUKS keyslots).

[nbouchinet-anssi]

I've just read updates on #20936. It's been quite some time I've written this patch and now that I have a deeper understanding of TCG specs I join those who claim SSS is bloated for combining TPM and another factor. Before writing this patch I've also wrote another POC without SSS that permits combining TPM and any other systemd's supported factor. Like @m00nwtchr said, combined to multiple keyslot enrolling would result to @VannTen usecase.

I'd be glad to help implementing something like this, either using TSS policy combination capabilities or a home made one.

[jdauphant-dinum]

I've just read updates on #20936. It's been quite some time I've written this patch and now that I have a deeper understanding of TCG specs I join those who claim SSS is bloated for combining TPM and another factor. Before writing this patch I've also wrote another POC without SSS that permits combining TPM and any other systemd's supported factor. Like @m00nwtchr said, combined to multiple keyslot enrolling would result to @VannTen usecase.

I'd be glad to help implementing something like this, either using TSS policy combination capabilities or a home made one.

@nbouchinet-anssi I could be interested by that ^^