RFE: Allow passphrase in addition to TPM2 sealed secret in cryptsetup

[tobyp]

Is your feature request related to a problem? Please describe.
I'd like to be able to use both a TPM2 sealed secret and a passphrase to unlock encrypted volumes. The TPM enhances security by making the volume passphrase uncloneable and high-entropy, but if e.g. a laptop is stolen, the volume may end up accessible with no further hurdles. An additional passphrase can help remedy this with very little overhead. Passphrases with low entropy (e.g. a numeric PIN) can be feasible here due to the TPM2 dictionary attack lockout mechanism.

Describe the solution you'd like
I'd like to add an optional --tpm2-auth parameter to systemd-cryptenroll and systemd-cryptsetup which adds a password prompt and includes this password in a TPM2_PolicyAuthValue component to the HMAC secret policy. In this case the policy might be a PolicyAnd(PolicyAuth, PolicyPCR).

Describe alternatives you've considered
With the current choice of tpm2 and passphrase authorization, one can have either the "something you know" or the "something you have" kind of authorization, but not both at the same time. FIDO keys are similar in this regard. There is currently no way I know to achieve this 2-factor model. This change would be a simple and backward-compatible way to allow both.

The systemd version you checked that didn't have the feature you are asking for
248

I'm working on a PR for this change, but would be happy to receive comments and guidance.

[poettering]

Yes, makes a lot of sense. There's an item for this in the TODO list btw. Hence a PR would be very welcome.

Maybe call the new option --tpm2-with-pin=yes|no or so.

Hmm, iirc Windows enforces ratelimiting with the PIN, taking benefit of the fact the TPM can provide this. I think we should do so too (And initially maybe hardcode the number of attempts per time window). i.e. we'd need to use PolicyCounterTimer. I am pretty sure we should always do that when we allow pins, and never allow pins to be used without that, it should just be implied by the pin logic.

i.e. PolicyAnd(PolicyAuth, PolicyPCR, PolicyCounterTimer)

[grawity]

It seems Windows just uses the TPM's global DA lockout feature (as described here).

[poettering]

@grawity interesting. I think using PolicyCounterTimer is a bit nicer though (if we can make it work): so far all our TPM2 code (and FIDO2 similar) is careful to not actually "take possession" or use persistent resources of the security chip in any way. i.e. we don't modify the device's settings permanently, we don't store anything on them, but always upload what we need when starting authenticating and download the results when done, ending the session afterwards. This is really nice in multi-boot scenarios and general multi-tenancy, for example for TPM2 VM or container passthrough, because we securely bind to the device without requiring any explicit cleanup, without conflicting with anything, and with ability to scale upwards indefinitely: you can enroll as many disks to a single TPM2 and it will always just work.

Thus, PolicyCounterTimer fits really nicely into this mode, if we can make it work: it means each disk can have its own anti-hammering settings and not affect anyone else, because noone has to take possession the chip to use it.

Hope that makes sense?

[tobyp]

This seems all around plausible, and can just go in the same policy code that I'm already modifying. I'll have to freshen up on timers though :P

Also ACK --tpm2-with-pin, that's less TPM-jargon-y than "authValue".

[tobyp]

Upon review of the TPM specs, it looks like PolicyCounterTimer can only compare the TPM timer value against a constant value. We can't change this constant either. (If the constant changes, the policy changes, and then the key created with that policy also changes.) When you think about it, it's just not possible to create this sort of mechanism without the TPM having to remember something -- who else can we trust to decide whether an attempt is allowed or not?

We should just use the TPM Dictionary Attack Protection. This uses some standardized values in NV memory (so no allocations required) which have platform-specific default values (though I can't find the relevant spec just now, but TSS2 FAPI_Provision sets them to maxTries=5 and recoveryTime=1000 seconds). The DA lockout is global and automatically resets itself according to these parameters, so we shouldn't even need to touch it. The owner can additionally set an authValue and/or a policy for faster lockout reset.

Alternatively we could attempt to build some complex machinery with a (user chosen) NV index or two, possibly via PolicyAuthorizeNV and some cpHash work, but this would be very complicated, brittle, and possibly insecure. I only have a vague idea of how this might be done, and am not sure it would work at all.

[poettering]

Hmm, I just checked the docs, and yeah I guess you ar eright PolicyCounterTimer is not what I thought it was. Sniff. 😢

And yeah, it appears we should use that dictionary attack protection thingy. briefly googling for it i couldn't find any good example for that though.

[poettering]

Ah, it appears we might control the dictionary attack stuff via the NO_DA flag on keys.

[tobyp]

NO_DA is clear in the tpm2_seal call, so that's all good. What I'll do is to check whether I can't find the spec for the default values after all, or at least figure out what the Windows/Linux stacks do by default. I have no idea what the stacks on any other platforms are even called, are there any I should check as well?

[rinigus]

Ability to use short password with TPM2 lockout is something that could make TPM-based cryptsetup a default approach for many. It is a major functionality that is missing and would be great to get it implemented. It would allow to use TPM2 without PCR-based sealing as it would avoid a mess with kernel updates and, taking into account dictionary attack protection, should provide sufficient security for many of us.

As for defaults, TPM2 is configured by Windows 10 to allow 32 tries before healing time (10 minutes) kicks in (reference https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/manage-tpm-lockout, see TPM 2.0). According to Dell, default is 10 failures and it is changed by Windows (reference https://www.dell.com/support/kbdoc/en-ee/000142311/tpm-failure-tries-recovery-time-and-lockout-recovery).

Not sure whether the values above are outdated, haven't checked them myself. I guess those lockout values are in the ballpark of what can be used while defining appropriate policies.

[apyrgio]

For those interested in this issue, I tried to take a stub at it without patching systemd, just building on top of the existing functionality.

My idea was to:

1. Encrypt the TPM2 blob with a user password. Yes, that doesn't provide hardware-level protection against dictionary attacks, but it's a start.
2. Create an AF_UNIX key file backed by a systemd service, to be able to decrypt the TPM2 blob on boot.
3. Ask the user password via a systemd password agent.
4. [optional] Present a TPM2 OTP value when asking the password, to verify the integrity of the boot chain before the user types anything.

This has several drawbacks:

1. We cannot store an encrypted TPM2 blob in the LUKS header, since systemd-cryptenroll validates the input and expects an HMAC key.
2. If the keyfile service fails to present a valid TPM2 blob (e.g., because the PCRs have changed or the user never typed a valid password), systemd-cryptsetup will not ask the user for a recovery key.

The above issues are solvable, either by extending systemd, or reimplementing the core functionalities of systemd-cryptenroll / systemd-cryptsetup in user scripts. Doing one or the other securely though requires familiarity with the systemd internals, or the TSS API.

So, I'd like to ask if there's any progress on this issue, or if there are plans to implement this functionality soon.