[Bug 1062623] Re: enable grub-2.00 boot-from-luks support
Stu Card
1062623 at bugs.launchpad.net
Thu Jun 13 21:57:38 UTC 2024
This was not strictly true of something we demonstrated in 2017: the
capability based, formally verified, open source, Syracuse Assured Boot
Loader Executive (SABLE), which used the "late launch" Dynamic Root of
Trust for Measurement (DRTM) instructions available on AMD and Intel x86
CPUs (skinit/senter) to decrypt an operating environment conditionally
based on measurements of Trusted Computing Base (TCB) software modules
extended into TPM Platform Configuration Registers (PCRs) matching
values previously whitelisted by the system administrator. We were able
to boot not only Ubuntu but also the formally verified seL4 microkernel.
Upstream changes broke this. We have not had the resources both to
maintain SABLE and patch the upstream changes, so SABLE has bit-rotted;
when we obtain the necessary resources, we would really like again to be
able to boot not only seL4 (our primary target) but also more popular
kernels (primarily Linux where the distro that is our usual focus and
tool is Ubuntu).

On 6/13/2024 8:40 AM, Julian Andres Klode wrote:
> ...
> Please note that encryption of /boot is security by obscurity: The data
> is encrypted, but not authenticated so it is still subject to chosen
> plaintext attacks, as is any encrypted data. You do not need obscurity
> for public knowledge like kernel and initrd content, it's only valuable
> for your personal private data.
>
> A secure chain needs to authenticate the initrd against a certificate.
> For example, Ubuntu Desktop TPM FDE offers fully authenticated early
> boot environments...
--
Stuart W. Card, PhD: VP & Chief Scientist, Critical Technologies Inc.
Superior Engineering Solutions for Trustworthy Networked Autonomy
* Creativity * Diversity * Expertise * Flexibility * Integrity *
Suite 400 Technology Center, 4th Floor 1001 Broad St, Utica NY 13501
315-793-0248 x141 FAX -9710 <Stu.Card at critical.com> www.critical.com
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1062623
Title:
enable grub-2.00 boot-from-luks support
Status in grub2 package in Ubuntu:
Won't Fix
Bug description:
(I suppose this comes too late in the release cycle to make the
change, but perhaps it's simple enough:)
With only minimal manual intervention, I found I could use today's
Ubuntu Server 12.10 daily iso to install a system with luks+lvm and no
separate /boot partition (which doesn't really have any security
advantages, but it makes managing space on a smallish disk easier). If
grub-installer could manage the final 2 steps below, it would all be
fully automatic. Thanks!
Steps:
1: go through the default installer motions
2: in partman, choose the manual option
3: create a single, whole-disk primary partition, use it as a luks encrypted volume
4: on top of that, create an lvm physical volume
5: insert lvm logical volumes for swap and / (I used btrfs, probably irrelevant)
6: finish remaining installer steps; find that grub install fails
7: drop into shell, per alt+f2, and chroot to /target
8: append "GRUB_CRYPTODISK_ENABLE=y" to /etc/default/grub
9: run "grub-install /dev/sda" (replace sda etc etc), then "update-grub", reboot
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1062623/+subscriptions
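
Added example, not part of the original message and not SABLE's code: a simplified Python model of the mechanism the message describes, where measurements of TCB modules are extended into a PCR and a key is released only when the result matches a value whitelisted beforehand. SHA-256, the all-zero starting PCR, the `SealedKey` class and the sample images are assumptions made for illustration; a real TPM enforces the comparison in hardware.

```python
import hashlib
import hmac

PCR_SIZE = hashlib.sha256().digest_size

def extend(pcr: bytes, module: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(module))."""
    return hashlib.sha256(pcr + hashlib.sha256(module).digest()).digest()

def measure_chain(modules) -> bytes:
    """Fold an ordered list of module images into one PCR value."""
    pcr = bytes(PCR_SIZE)  # assumption: PCR starts at all zeros after late launch
    for image in modules:
        pcr = extend(pcr, image)
    return pcr

class SealedKey:
    """Toy stand-in (hypothetical) for a secret sealed to whitelisted PCR values."""
    def __init__(self, secret: bytes, allowed_pcrs):
        self._secret = secret
        self._allowed = list(allowed_pcrs)

    def unseal(self, current_pcr: bytes):
        """Release the secret only if the current PCR value is whitelisted."""
        for good in self._allowed:
            if hmac.compare_digest(good, current_pcr):
                return self._secret
        return None

# Constructed sample images, not real boot components.
LOADER = b"constructed-loader-image-v1"
KERNEL = b"constructed-kernel-image-v1"
INITRD = b"constructed-initrd-image-v1"

def demo():
    """Seal a key to the known-good chain, then try three boot scenarios."""
    good = measure_chain([LOADER, KERNEL, INITRD])
    sealed = SealedKey(b"constructed-disk-key", [good])
    tampered = measure_chain([LOADER, KERNEL, INITRD + b"\x00"])
    reordered = measure_chain([KERNEL, LOADER, INITRD])
    return {
        "good": sealed.unseal(good),
        "tampered": sealed.unseal(tampered),
        "reordered": sealed.unseal(reordered),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "key released" if result else "refused")
```

Because each extend hashes the previous PCR value, a one-byte change to any module or a change in load order yields a different final value, and the key is withheld.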