feat: provide an option to enforce SecureBoot for TPM enrollment

Fixes #8995 There is no security impact, as the actual SecureBoot state/configuration is measured into the PCR 7 and the disk encryption key unsealing is tied to this value. This is more to provide a way to avoid accidentally encrypting to the TPM while SecureBoot is not enabled. Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit cf5effa)
siderolabs · Jul 22, 2024 · ddc690d · ddc690d
1 parent 390b29d
commit ddc690d
Show file tree

Hide file tree

Showing 12 changed files with 85 additions and 11 deletions.
diff --git a/cmd/talosctl/cmd/mgmt/cluster/create.go b/cmd/talosctl/cmd/mgmt/cluster/create.go
@@ -20,6 +20,7 @@ import (
 	"github.com/dustin/go-humanize"
 	"github.com/siderolabs/go-blockdevice/blockdevice/encryption"
 	"github.com/siderolabs/go-kubeconfig"
+	"github.com/siderolabs/go-pointer"
 	"github.com/siderolabs/go-procfs/procfs"
 	sideronet "github.com/siderolabs/net"
 	"github.com/spf13/cobra"
@@ -465,7 +466,9 @@ func create(ctx context.Context, flags *pflag.FlagSet) (err error) {
 					provisionOptions = append(provisionOptions, provision.WithKMS(nethelpers.JoinHostPort("0.0.0.0", port)))
 				case "tpm":
 					keys = append(keys, &v1alpha1.EncryptionKey{
-						KeyTPM:  &v1alpha1.EncryptionKeyTPM{},
+						KeyTPM: &v1alpha1.EncryptionKeyTPM{
+							TPMCheckSecurebootStatusOnEnroll: pointer.To(true),
+						},
 						KeySlot: i,
 					})
 				default:

diff --git a/internal/pkg/encryption/keys/keys.go b/internal/pkg/encryption/keys/keys.go
@@ -47,7 +47,7 @@ func NewHandler(cfg config.EncryptionKey, options ...KeyOption) (Handler, error)
 
 		return NewKMSKeyHandler(key, cfg.KMS().Endpoint(), opts.GetSystemInformation)
 	case cfg.TPM() != nil:
-		return NewTPMKeyHandler(key)
+		return NewTPMKeyHandler(key, cfg.TPM().CheckSecurebootOnEnroll())
 	}
 
 	return nil, fmt.Errorf("malformed config: no key handler can be created")

diff --git a/internal/pkg/encryption/keys/tpm2.go b/internal/pkg/encryption/keys/tpm2.go
@@ -8,8 +8,10 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
+	"fmt"
 	"io"
 
+	"github.com/foxboron/go-uefi/efi"
 	"github.com/siderolabs/go-blockdevice/blockdevice/encryption"
 	"github.com/siderolabs/go-blockdevice/blockdevice/encryption/luks"
 	"github.com/siderolabs/go-blockdevice/blockdevice/encryption/token"
@@ -32,17 +34,30 @@ type TPMToken struct {
 // TPMKeyHandler seals token using TPM.
 type TPMKeyHandler struct {
 	KeyHandler
+
+	checkSecurebootOnEnroll bool
 }
 
 // NewTPMKeyHandler creates new TPMKeyHandler.
-func NewTPMKeyHandler(key KeyHandler) (*TPMKeyHandler, error) {
+func NewTPMKeyHandler(key KeyHandler, checkSecurebootOnEnroll bool) (*TPMKeyHandler, error) {
 	return &TPMKeyHandler{
-		KeyHandler: key,
+		KeyHandler:              key,
+		checkSecurebootOnEnroll: checkSecurebootOnEnroll,
 	}, nil
 }
 
 // NewKey implements Handler interface.
 func (h *TPMKeyHandler) NewKey(ctx context.Context) (*encryption.Key, token.Token, error) {
+	if h.checkSecurebootOnEnroll {
+		if !efi.GetSecureBoot() {
+			return nil, nil, fmt.Errorf("failed to enroll the TPM2 key, as SecureBoot is disabled (and checkSecurebootOnEnroll is enabled)")
+		}
+
+		if efi.GetSetupMode() {
+			return nil, nil, fmt.Errorf("failed to enroll the TPM2 key, as the system is in SecureBoot setup mode (and checkSecurebootOnEnroll is enabled)")
+		}
+	}
+
 	key := make([]byte, 32)
 	if _, err := io.ReadFull(rand.Reader, key); err != nil {
 		return nil, nil, err

diff --git a/pkg/machinery/config/config/machine.go b/pkg/machinery/config/config/machine.go
@@ -388,6 +388,7 @@ type EncryptionKeyNodeID interface {
 
 // EncryptionKeyTPM encryption key sealed by TPM.
 type EncryptionKeyTPM interface {
+	CheckSecurebootOnEnroll() bool
 	String() string
 }
 

diff --git a/pkg/machinery/config/types/v1alpha1/schemas/v1alpha1_config.schema.json b/pkg/machinery/config/types/v1alpha1/schemas/v1alpha1_config.schema.json
@@ -1236,7 +1236,15 @@
       "type": "object"
     },
     "EncryptionKeyTPM": {
-      "properties": {},
+      "properties": {
+        "checkSecurebootStatusOnEnroll": {
+          "type": "boolean",
+          "title": "checkSecurebootStatusOnEnroll",
+          "description": "Check that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.\n",
+          "markdownDescription": "Check that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.",
+          "x-intellij-html-description": "\u003cp\u003eCheck that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.\u003c/p\u003e\n"
+        }
+      },
       "additionalProperties": false,
       "type": "object"
     },

diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -1431,6 +1431,15 @@ func (e *EncryptionKeyTPM) String() string {
 	return "tpm"
 }
 
+// CheckSecurebootOnEnroll implements the config.Provider interface.
+func (e *EncryptionKeyTPM) CheckSecurebootOnEnroll() bool {
+	if e == nil {
+		return false
+	}
+
+	return pointer.SafeDeref(e.TPMCheckSecurebootStatusOnEnroll)
+}
+
 // Slot implements the config.Provider interface.
 func (e *EncryptionKey) Slot() int {
 	return e.KeySlot

diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
@@ -1596,7 +1596,16 @@ type EncryptionKeyKMS struct {
 }
 
 // EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by the TPM.
-type EncryptionKeyTPM struct{}
+type EncryptionKeyTPM struct {
+	//   description: >
+	//     Check that Secureboot is enabled in the EFI firmware.
+	//
+	//     If Secureboot is not enabled, the enrollment of the key will fail.
+	//     As the TPM key is anyways bound to the value of PCR 7,
+	//     changing Secureboot status or configuration
+	//     after the initial enrollment will make the key unusable.
+	TPMCheckSecurebootStatusOnEnroll *bool `yaml:"checkSecurebootStatusOnEnroll,omitempty"`
+}
 
 // EncryptionKeyNodeID represents deterministically generated key from the node UUID and PartitionLabel.
 type EncryptionKeyNodeID struct{}

diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
diff --git a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go
diff --git a/website/content/v1.6/reference/cli.md b/website/content/v1.6/reference/cli.md
@@ -96,7 +96,7 @@ talosctl cluster create [flags]
       --bad-rtc                                  launch VM with bad RTC state (QEMU only)
       --cidr string                              CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24")
       --cni-bin-path strings                     search path for CNI binaries (VM only) (default [/home/user/.talos/cni/bin])
-      --cni-bundle-url string                    URL to download CNI bundle from (VM only) (default "https://github.com/siderolabs/talos/releases/download/v1.6.7-dirty/talosctl-cni-bundle-${ARCH}.tar.gz")
+      --cni-bundle-url string                    URL to download CNI bundle from (VM only) (default "https://github.com/siderolabs/talos/releases/download/v1.6.7/talosctl-cni-bundle-${ARCH}.tar.gz")
       --cni-cache-dir string                     CNI cache directory path (VM only) (default "/home/user/.talos/cni/cache")
       --cni-conf-dir string                      CNI config directory path (VM only) (default "/home/user/.talos/cni/conf.d")
       --config-patch stringArray                 patch generated machineconfigs (applied to all node types), use @file to read a patch from file
@@ -2849,7 +2849,7 @@ talosctl upgrade [flags]
       --debug                debug operation from kernel logs. --wait is set to true when this flag is set
   -f, --force                force the upgrade (skip checks on etcd health and members, might lead to data loss)
   -h, --help                 help for upgrade
-  -i, --image string         the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.6.7-dirty")
+  -i, --image string         the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.6.7")
       --insecure             upgrade using the insecure (encrypted with no auth) maintenance service
   -p, --preserve             preserve data
   -m, --reboot-mode string   select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Valid values are: ["default" "powercycle"]. (default "default")

diff --git a/website/content/v1.6/reference/configuration/v1alpha1/config.md b/website/content/v1.6/reference/configuration/v1alpha1/config.md
@@ -2377,6 +2377,10 @@ EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by
 
 
 
+| Field | Type | Description | Value(s) |
+|-------|------|-------------|----------|
+|`checkSecurebootStatusOnEnroll` |bool |<details><summary>Check that Secureboot is enabled in the EFI firmware.</summary>If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.</details>  | |
+
 
 
 
@@ -2496,6 +2500,10 @@ EncryptionKeyTPM represents a key that is generated and then sealed/unsealed by
 
 
 
+| Field | Type | Description | Value(s) |
+|-------|------|-------------|----------|
+|`checkSecurebootStatusOnEnroll` |bool |<details><summary>Check that Secureboot is enabled in the EFI firmware.</summary>If Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.</details>  | |
+
 
 
 

diff --git a/website/content/v1.6/schemas/v1alpha1_config.schema.json b/website/content/v1.6/schemas/v1alpha1_config.schema.json
@@ -1236,7 +1236,15 @@
       "type": "object"
     },
     "EncryptionKeyTPM": {
-      "properties": {},
+      "properties": {
+        "checkSecurebootStatusOnEnroll": {
+          "type": "boolean",
+          "title": "checkSecurebootStatusOnEnroll",
+          "description": "Check that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.\n",
+          "markdownDescription": "Check that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.",
+          "x-intellij-html-description": "\u003cp\u003eCheck that Secureboot is enabled in the EFI firmware.\nIf Secureboot is not enabled, the enrollment of the key will fail. As the TPM key is anyways bound to the value of PCR 7, changing Secureboot status or configuration after the initial enrollment will make the key unusable.\u003c/p\u003e\n"
+        }
+      },
       "additionalProperties": false,
       "type": "object"
     },