| 7 Oct 2024 |
 ElvishJerricco | huh... yea I guess | 23:35:49 |
| ElvishJerricco | I mean, this is all a number of variations on my "udev hijacking" thing I've been shouting about for like a year and a half now | 23:36:17 |
| ElvishJerricco | though expanded beyond udev | 23:36:25 |
| ElvishJerricco | I think the most impactful solution overall is probably pcrphase, but that is a pain | 23:37:45 |
| ElvishJerricco | I mean, I would like if I could create one .pcrsig section containing signatures of all possible phases, and then my disk could declare which phase is allowed to decrypt it. But AFAIK that's not possible with the current scheme | 23:38:41 |
 mjm | yeah i don't totally understand how to use it | 23:38:42 |
| ElvishJerricco | mjm: The basic idea of pcrphase is that PCR 11 measures the components booted by the stub, and the current "phase". The phase is literally just a string that's measured when certain points are reached during boot. So to bind to the initrd phase, you bind to a measurement of your stub components + "enter-initrd". To bind to the "ready" phase, you bind to a measurement of your stub components + "enter-initrd" + "leave-initrd" + "sysinit" + "ready".
To make this all easier to maintain, you can predict these measurements, because PCR 11 should be zero before any of them. Then you can sign that prediction and attach it to your UKI. Your disk then is bound not to the measurements themselves, but to the public key associated with that signature. As long as the current phase as a prediction that was signed, the disk will be decrypted
| 23:42:14 |
| ElvishJerricco | * mjm: The basic idea of pcrphase is that PCR 11 measures the components booted by the stub, and the current "phase". The phase is literally just a string that's measured when certain points are reached during boot. So to bind to the initrd phase, you bind to a measurement of your stub components + "enter-initrd". To bind to the "ready" phase, you bind to a measurement of your stub components + "enter-initrd" + "leave-initrd" + "sysinit" + "ready".
To make this all easier to maintain, you can predict these measurements, because PCR 11 should be zero before any of them. Then you can sign that prediction and attach it to your UKI. Your disk then is bound not to the measurements themselves, but to the public key associated with that signature. As long as the current phase has a prediction that was signed, the disk will be decrypted
| 23:43:12 |
| ElvishJerricco | The problem IMO is that I want the disk to tell me what phase is allowed to decrypt it, not the signature | 23:43:33 |
| ElvishJerricco | because as is, any signature for any phase is also good for any other phase | 23:44:04 |
| mjm | so like for the root fs, i want to bind it to "enter-initrd" | 23:44:04 |
| ElvishJerricco | right | 23:44:10 |
| mjm | and then once the boot goes past that, the key can't be used | 23:44:23 |
| ElvishJerricco | yep | 23:44:28 |
| ElvishJerricco | so at that point your relying on backup keys to decrypt it | 23:44:44 |
| ElvishJerricco | which IMO should be the intended design of your system | 23:44:53 |
| ElvishJerricco | * so at that point you're relying on backup keys to decrypt it | 23:45:05 |
| ElvishJerricco | but, like I said, there are two other ways to mitigate the issue. I just think pcrphase is the most hardline "you won't break this" option | 23:46:12 |
| mjm | yeah | 23:46:46 |
| mjm | for a stop-gap, i could override the unlock unit to drop the condition? | 23:47:06 |
| mjm | so it would always need to decrypt | 23:47:13 |
| ElvishJerricco | I think so, yes | 23:47:41 |
| mjm | at least, assuming bcachefs unlock fails if you try to do it with an unencrypted filesystem | 23:48:10 |
| ElvishJerricco | as long as bcachefs unlock exits nonzero when used on an unencrypted file system, then the unit will fail, and sysroot.mount won't be started | 23:48:13 |
| ElvishJerricco | that would be mitigation style #1: "Ensure the decryption goes as planned" | 23:48:33 |
| mjm | yeah | 23:48:37 |
| ElvishJerricco | scary thought: I wonder if there's any way to trick initrd into not running the ExecStop of systemd-pcrphase-initrd.service.... | 23:51:25 |
| ElvishJerricco | Because then leave-initrd is never measured | 23:51:34 |
| mjm | you'd have to ensure none of the later phases get measured, right? | 23:53:58 |
| ElvishJerricco | yes | 23:54:09 |
