#Measured Debian Boot with TPM 2.0 and UEFI
I travel a lot. (Well, at least in the pre-COVID era, I did.) This means I drag my Thinkpad X1 Carbon gen 6 laptop to many places, and often leave it unattended in hotel rooms. While my data is all encrypted-at-rest, getting access to the data when the machine is first powered on necessarily involves running some code that is neither encrypted nor authenticated: namely, the bootloader and enough of the operating system kernel to decrypt and mount volumes.
Furthermore, this process requires me to type in a passphrase every time I boot the machine, which exposes the passphrase to anyone observing surreptitiously, and is in general an annoyance.
To increase the complexity of someone instrumenting my laptop without my knowledge and in doing so gaining access to secrets as I use the compromised machine unawares, I decided I needed to explore the use of trusted computing technologies to protect my installation from tampering.
Measured boot
There are a number of technologies that can reduce (but of course not eliminate) the attack surface of a machine. For this purpose, I am limiting my evaluation of technologies to those that protect the boot sequence from most kinds of tampering. Other measures are required for runtime protection against zero-day remote exploits, physical attacks that employ USB DMA, tire irons, etc., as well as some advanced kinds of physical tampering.
My adversary is someone who intends to tamper with my machine without my knowledge, with the purposes of either making off with some information or instrumenting the machine such that information encrypted-at-rest is revealed to the attacker out-of-band. There's not a lot of value to me in tamper prevention: once someone's screwed with my machine, I am unlikely to trust it again regardless. My main goal is tamper detection. I thus settled on measured boot, which measures the sequence of executable code launched during the boot process in a way that is highly resistant to forgery: at the end of this process, this measurement can be used to verify that the machine has not been tampered with, as well as to unlock disk encryption keys that can be used to mount volumes without requiring the user enter a passphrase.
Juniper has a short page outlining the differences between measured boot and secure boot.
Requirements
From various places (see references for a list of such resources) I managed to piece together a working measured boot that unseals a LUKS decryption passphrase for the root partition on a trusted Debian bullseye installation. This provides both tamper detection (machine won't boot automatically if the passphrase cannot be unsealed) and protection for data-at-rest (via the use of dm-crypt for the root partition).
I had a few requirements going into this project:
- Use my laptop's existing TPM, which is the PTT in the (dreaded) Intel Management Engine
- Measure everything from the BIOS through the kernel, initrd, and kernel command line
- Require an expected boot chain measurement before automatically decrypting and mounting any data partitions
- Fall back to passphrase entry on failure
- Use my laptop's native UEFI boot manager (e.g., not systemd-boot) with no intermediate bootloader (like Trusted GRUB)
- Avoid the need for any persistent PKI
- Keep the implementation simple and avoid the need for any packages not in the main Debian repository
Work in Progress
The current implementation of my measured boot solution is available on GitHub. While I've put a lot of work into idiot-proofing it, there is still some not-insignificant setup required before it will install, so don't attempt this lightly.