Use TPM2.0 to securely decrypt the hard drive in Linux -- unattended

Question

I spent several days trying to figure out how to securely decrypt a hard drive on remote location using TPM2.0 in Linux. I'm no security expert and this is my first battle with TPM2.0. I learned a lot, but I still have questions. Could someone help me with those:

• At the current time TrustedGRUB2 does not support TPM2.0, only TPM1.2. I couldn't find other projects with support for TPM2.0. Are there any?
• Can TPM2.0 stop the boot process?

The problem I'm trying to solve is such that:

• I have an encrypted / partition with /boot unencrypted
• The computer will be on someone else premises, so it should not be possible to steal a hard drive and read the data
• The boot process should be unattended -- the machine should not decrypt the drive and boot itself if something changed -- BIOS configuration, initram file (/boot is unencrypted, so fiddling with initram is possible)

I thought about this solution:

• LUKS key will be the value of PCR0
• PCR0 value should change, if someone will change something in BIOS, like reset it (if someone will steal the whole PC, not only the disk), enable USB boot.
• The PCR0 value used to decrypt the disk should be secure as much as secure is the OS running on it -- only way to read this unchanged PCR0 without changing the BIOS is to gain access to the OS, right?

I think that I achieved a level on which I can ask a legitimate question about this issue, but I cannot myself assess further the implications or holes in this.

Answer 1

On a Linux system, you can use clevis to "bind" a LUKS volume to the TPM2, and decrypt the root filesystem automatically in your case. For example:

clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"0"}'

or

clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"0,1"}'

You will need it to already be encrypted and have a passphrase, which the command above will prompt you for. You can leave the passphrase as a backup or remove it afterwards.

I'm not sure about using the PCR0 value itself as the key, since in my limited experience that value is pretty easy to access. I don't believe that is how "sealing" data against a PCR works but I don't know the exact relationship between the PCR value and the sealed value.

I have used clevis to bind a LUKS volume to the TPM2, and automatic decryption on boot-up when it's the root filesystem. I encrypted the device during install, and had success binding it manually and in a kickstart script. The clevis tool added TPM2 support early 2018 and made it out of the RHEL "beta" repo when RHEL 7.6 was released. I only got the automatic decryption to work on the full /dev/sd* volume, not any logical volumes. I found this link very helpful: https://blog.dowhile0.org/2017/10/18/automatic-luks-volumes-unlocking-using-a-tpm2-chip/

I believe PCR0 is supposed to change if the BIOS firmware is modified and PCR1 changes even if certain settings are modified. I don't know the best PCR(s) to pick; my information is from a single system and the PC Client specification defining PCR usage at https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf (Section 2.3.4, Table 1).