Blueprints. Securing Sensitive Files With TPM Keys



Note: Before using this information and the product it supports, read the information in Notices on page 39.

First Edition (December 2009)

Copyright IBM Corporation
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Scope, requirements, and support
Chapter 2. Overview
Chapter 3. Determining if you have the right hardware
Chapter 4. Installing and configuring Trusted Computing software
Chapter 5. Generating a Trusted State sealed key
Chapter 6. Setting up the dm-crypt loopback partition
Chapter 7. Securing sensitive files using a script
Chapter 8. Making the changes persistent across reboots
Chapter 9. Securing sensitive files with TPM keys
    Scope, requirements, and support
    Overview
    Determining if you have the right hardware
    Installing and configuring Trusted Computing software
    Generating a Trusted State sealed key
    Setting up the dm-crypt loopback partition
    Securing sensitive files using a script
    Making the changes persistent across reboots
Appendix A. Verify whether the secured partition is really secured
Appendix B. Troubleshooting
Notices
    Trademarks


Chapter 1. Scope, requirements, and support

This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you.

Systems to which this information applies

System x running Linux

Intended audience

This blueprint targets Enterprise Linux administrators or users with an intermediate level of expertise.

Scope and purpose

This blueprint provides the steps necessary to set up a loopback dm-crypt partition encrypted with a key sealed to a TPM 1.2 platform configuration register (PCR). Instructions for setting up TPM for other security functions are outside the scope of this blueprint.

Test environment

These instructions were tested on IBM System x 8212 running SLES11 and RHEL5.4 respectively.

Hardware requirements

To be able to use the functions of TPM, your hardware must be built with a Trusted Platform Module (TPM) chip of version 1.2 or above. The TPM chip can usually be found in the current System x machines and Lenovo ThinkPad systems. To determine if your hardware can support TPM, follow the instructions in Chapter 3, Determining if you have the right hardware, on page 5.

Software requirements

- SuSE Linux Enterprise System version 11 or above
    C/C++ Compiler and Tools package groups
    gettext-tools (requirement for building tpm_tools v from source)
- Red Hat Enterprise Linux version 5.3 or above
    Development Tools and Development Libraries package groups
    gettext-devel (requirement for building tpm_tools v from source)
    grub v0.97 (requirement for building trustedgrub v1.1.3 from source. This software is included with RHEL5.3 and 5.4. If your distribution does not have the correct version, you can also use the one included in the trustedgrub v source package.)

Other considerations

The TPM key created in this blueprint is sealed to the PCRs that measure the MBR information, bootloader, boot command line, and the kernel image. If any of these change, all files secured by this method will be inaccessible.

Author names

Rajiv Andrade
George Wilson

Other contributors

Monza Lui
Subrata Modak
Kersten Richter

IBM Services

Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux

IBM Support

Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum:

The IBM developerWorks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions

The following typographic conventions are used in this Blueprint:

Bold        Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.
Italics     Identifies parameters whose actual names or values are to be supplied by the user.
Monospace   Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

Chapter 2. Overview

Automatic logins can be realized by saving your password as a file and then reading that file when authorization is needed. To make sure this file is not compromised, the best practice is to combine cryptography and discretionary access control (DAC) by encrypting the password file and setting the proper authorization on it. However, most automatic login software expects a plain password file. You can potentially automate the decryption of the password file when that file is needed during automatic logins, but then you will need yet another encrypted password file to decrypt the previous password file.

Trusted Platform Module (TPM) provides a clean solution for this recursive problem. This solution makes use of a set of Platform Configuration Registers (PCRs) that can only be written by the TPM_extend operation. The TPM_extend operation makes the new PCR value a hash of the concatenation of the current value with the new hash that is provided. By design, assigning an arbitrary value to a PCR is not allowed, which is what makes the TPM_extend operation unique. This design makes key sealing possible.

In a key sealing scenario, the PCR can store a signature of the data that you are extending. The key is sealed by tying it to a particular PCR value in a way that the key can only be retrieved later from the TPM. A key can also be sealed to more than one PCR. In this blueprint, you will seal a key to five PCRs (MBR information, bootloader, boot command line, or the kernel image). If any of these PCRs/parameters changes, mounting of the encrypted partition will not be possible. This feature prevents anyone from mounting the partition from an installed operating system other than the one the partition was originally mounted from, making a rootkit impossible. Note that if you need to change any of these five PCR values after following the instructions in this blueprint, you will need to plan for migration.
In the following sections, you will install the needed software, create a sealed key, and then use the sealed key to set up the dm-crypt loopback partition. Then you will learn how to use a script to encrypt any file and save it in the dm-crypt partition while the original location of the file is replaced by a symbolic link to the encrypted file. In the last section, you will set up the dm-crypt loopback partition to be mounted automatically on each reboot.

The following table lists the files and directories that are used in the instructions. You may prefer to use a different set of files and directories. If you do, make sure these files and directories have the correct DAC authorization. You can use the following table to record where you want these files and directories for easy reference.

Table 1. Reference table for files and directories

Description                                   File/Directory used in This Blueprint   File/Directory you used
File to temporarily hold the key              /home/temp_plain_key
File of the sealed key                        /home/sealed_key
Directory used to mount loopback device       /home/secret_dir
Mapper device of your secured partition (1)   /dev/mapper/secret                      /dev/mapper/
Directory mapped to the above device (2)      /home/plain

(1) Note: This device is always created in the mapper device directory.
(2) This is where your secured files will be made available to you in plain form.

Related reference: Chapter 1, Scope, requirements, and support, on page 1

Chapter 3. Determining if you have the right hardware

Use this information to determine if you have the right hardware to use TPM and to determine which TPM chip version you have in your hardware.

Determining TPM-readiness

You can determine if your hardware is TPM-ready by looking at your BIOS. Note that the term TCG is sometimes used interchangeably with the term TPM in the BIOS. Make sure that the TCG/TPM feature is active and is cleared if available by following these steps:

1. Enter the BIOS and activate the TCG Feature. The steps to do so depend on the BIOS version. In this example, press F1 during power on. Then, from the main menu, choose Security, then TCG Feature Setup. The feature could be named differently, for example, Security Chip, in other BIOS versions.
   Note: If you cannot find a similar feature in your BIOS, your hardware might not be equipped with any TPM chip.
2. Set the TCG Security Feature option to Active and the Clear TCG Security Feature option to Yes.
3. Save and exit from the BIOS.

Determining TPM version

To determine which TPM chip version you have in your hardware, load the TPM modules. Follow these steps:

1. Insert the tpm_tis module by running the following command:

    # modprobe tpm_tis
    # lsmod | grep tpm
    tpm_tis
    tpm tpm_infineon,tpm_tis
    tpm_bios tpm

2. Determine the TCG version by issuing the following command:

    # cat /sys/devices/pnp0/00\:0*/caps
    Manufacturer: 0x4e534d20
    TCG version: 1.2
    Firmware version: 1.6

   The above output shows that the TPM/TCG chip version is 1.2.

Chapter 4. Installing and configuring Trusted Computing software

The TCG has standardized a software stack that sits above the TPM chip and includes the TPM device driver and the TSS. The TSS is a Trusted Computing API that provides applications access to the TPM trusted computing functions.

About this task

The steps below explain how to install an open source implementation of this API, named TrouSerS, together with a group of userland tools that use this interface to implement various Trusted Computing solutions, including the one you are building. The following table displays the four software programs that you will install in this section and where they should be installed from. Distro means the software that comes with the distribution, whereas source means you will have to download the software from sourceforge.net and build it from the source:

Table 2. Installing software locations

Software        Install software from:
                SLES11+     RHEL5.3+
TrouSerS        distro      distro
tpm_tools v     source      source
trustedgrub     distro      source
cryptsetup      distro      distro

Procedure

1. Check if your hardware and software requirements are fulfilled. See Hardware requirements on page 1 and Software requirements on page 1 in the Introduction. Also see Chapter 3, Determining if you have the right hardware, on page 5.

2. Install TrouSerS and its development packages. This tool is required for installing tpm-tools. To install TrouSerS, follow these steps:

   On SLES11, run:

    # yast -i trousers trousers-devel

   On RHEL5.4, run:

    # yum install trousers trousers-devel

3. Tpm-tools or above is required because of the data unsealing tool included in the package. The tpm-tools packages that come with SLES11 and RHEL5.4, however, do not fulfill this requirement. Therefore you need to download the latest tpm-tools package from trousers. For other distributions, use the version of tpm-tools that comes with your distribution, if it is or higher. The following instructions download and install tpm-tools:

    # wget
    # tar xzf tpm-tools tar.gz
    # cd tpm-tools
    # sh bootstrap.sh
    # ./configure --prefix=/usr
    # make
    # make install

4. Install the Trusted GRUB package. This package enables you to seal the encryption/decryption key to a PCR in later steps.

   On SLES11:

    # yast -i trustedgrub

   Choose to uninstall the following two packages if asked:

    deinstallation of grub i586
    deinstallation of bootcycle i586

   On RHEL5.4:

   Build Trustedgrub from source. The latest version is downloadable from projects/trustedgrub/files/. At the time of the writing of this blueprint, version is the most current version. To install this version, follow these steps:

    # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/TrustedGRUB tgz/download
    # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/008_all_grub-0.97-AM_PROG_AS.patch/download
    # tar zvxf TrustedGRUB tgz
    # cd TrustedGRUB
    # ./build_tgrub.sh
    # cp default /boot/grub
    # cd TrustedGRUB
    # cp ../../008_all_grub-0.97-AM_PROG_AS.patch .
    # patch -p0 < 008_all_grub-0.97-AM_PROG_AS.patch
    # make install
    # rm -rf /boot/grub/stage*
    # rm -rf /boot/grub/*1_5
    # cp stage1/stage1 /boot/grub
    # cp stage2/stage2 /boot/grub
    # ls /boot/grub/
    default grub.conf menu.lst stage1 stage2

   The last step to install Trusted GRUB is to issue a grub command. This step needs a little explanation. You will use the grub command to tell Trusted GRUB which is the boot partition and which is the disk. Before doing so, you need to determine what they are. Follow these steps:

   a. Determine which are the boot partition and disk by issuing the following:

    # fdisk -l
    Disk /dev/sda: GB, bytes
    255 heads, 63 sectors/track, cylinders
    Units = cylinders of * 512 = bytes
    Device Boot Start End Blocks Id System
    /dev/sda1 * Linux
    /dev/sda e Linux LVM

      From the above output, /dev/sda1 is the boot partition (see the * under the Boot column), whereas /dev/sda is the disk.

   b. Translate the device names to terms that grub understands. For example, replace /dev/sda by hd0 and /dev/sdb by hd1. Also, replace /dev/sda1 by hd0,0 and /dev/sdb3 by hd1,2. In this example, the boot partition is /dev/sda1, which translates to hd0,0, and the disk is /dev/sda, which translates to hd0.

   c. Issue the grub command to get into the grub interface:

    # grub

   d. Issue the following command to tell grub which is the boot partition:

    grub> root (hd0,0)

   e. Issue the following command to tell grub which is the disk:

    grub> setup (hd0)

   f. Issue the following command to exit grub:

    grub> quit

5. Install the cryptsetup package so that the dm_crypt partition can be set up later.

   On SLES11:

    # yast -i cryptsetup

   On RHEL5.4:

    # yum install cryptsetup-luks

6. Start the tcsd daemon. The tcsd daemon manages Trusted Computing related resources.

    # /etc/init.d/tcsd start
    Starting tcsd done
    # /etc/init.d/tcsd status
    Checking for service tcsd running

7. Take ownership of your TPM using the tpm_takeownership tool from the tpm_tools package. By including the -z flag, the storage root key (SRK) secret is set to 20 bytes of zeros (TSS_WELL_KNOWN_SECRET). You will be required to set an owner password. Note that this password is at the top level of the keychain inside the TPM and will be used for permission to other TPM functions:

    # tpm_takeownership -z
    Enter owner password:
    Confirm owner password:

8. Perform a full power cycle (power off and then power on).

What to do next

You have now installed and configured the Trusted Computing software needed.


Chapter 5. Generating a Trusted State sealed key

In this section, you will create a key (/home/sealed_key) that will be used to open the loopback dm-crypt partition. You will then seal this key to five different PCRs that were extended with the MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image. Once a key is sealed to a PCR, the TPM will only allow the key to be retrieved if the content of the PCR is the same as it was at the moment of the key sealing. Because the key will be sealed to five different PCRs, anyone who attempts to boot the partition/machine from a different installed operating system will not succeed, as the content of these PCRs will be different.

About this task

Care should be taken because if one of the parameters the key was sealed to (MBR information, bootloader, boot command line, or the kernel image) changes, you will be unable to unseal the key and all encrypted files in the dm-crypted directory will be inaccessible.

Note that you will create a random key and save it temporarily to /home/temp_plain_key. From it you will seal the key to the five PCRs discussed above and create /home/sealed_key. You will use this key in the next section to set up the loopback dm-crypt partition.

Procedure

1. Insert the TPM modules again and start the tcsd daemon.

    # modprobe tpm_tis
    # /etc/init.d/tcsd start

2. Create your random 256-bit (32-byte) AES key and save it temporarily to the /home/temp_plain_key file:

    # dd if=/dev/urandom of=/home/temp_plain_key bs=1 count=32
    32+0 records in
    32+0 records out
    32 bytes (32 B) copied, s, 66.3 kb/s

3. Seal the temporary key to PCRs 4, 8, 9, 12 and 14 and output a sealed key to /home/sealed_key. The PCRs store the measurements of MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image respectively.

    # cat /home/temp_plain_key | tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p 14 -o /home/sealed_key

4. Back up the plain key to secure storage and remove the on-system plain key.

    # cp /home/temp_plain_key <Some secure storage such as a USB drive>
    # rm -rf /home/temp_plain_key
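A check that can be run before depending on the sealed key after a boot-chain change, as an added example that is not part of the IBM blueprint: it compares a PCR dump saved at sealing time with a later one and names the sealed PCRs that differ. It assumes the TPM 1.2 driver's sysfs pcrs file, found beside the caps file read in Chapter 3, with lines of the form "PCR-04: " followed by 20 hex bytes; the function names are hypothetical and the dumps used in the demonstration are constructed.

```shell
#!/bin/sh
# Compare the PCRs the blueprint seals to (4, 8, 9, 12, 14) between two dumps
# of the TPM 1.2 sysfs "pcrs" file. Added example; all names are hypothetical.

SEALED_PCRS="4 8 9 12 14"        # the -p arguments given to tpm_sealdata

# What each sealed PCR measures, as listed in step 3 of this chapter.
pcr_component() {
    case "$1" in
        4)  echo "MBR information" ;;
        8)  echo "bootloader stage2 part1" ;;
        9)  echo "bootloader stage2 part2" ;;
        12) echo "boot command line" ;;
        14) echo "kernel image" ;;
        *)  echo "not used by the sealed key" ;;
    esac
}

# pcr_value FILE INDEX: digest of one PCR as upper-case hex without spaces.
pcr_value() {
    awk -v want="$(printf 'PCR-%02d:' "$2")" '
        $1 == want { d = ""; for (i = 2; i <= NF; i++) d = d $i; print toupper(d) }
    ' "$1"
}

# pcr_drift BASELINE CURRENT: print the sealed PCR indices whose value changed
# or is missing; return 0 when all sealed PCRs match the baseline, else 1.
pcr_drift() {
    changed=""
    for idx in $SEALED_PCRS; do
        base=$(pcr_value "$1" "$idx")
        cur=$(pcr_value "$2" "$idx")
        if [ -z "$base" ] || [ "$base" != "$cur" ]; then
            changed="$changed $idx"
        fi
    done
    [ -z "$changed" ] && return 0
    printf '%s\n' "${changed# }"
    return 1
}

# drift_report BASELINE CURRENT: human-readable form of pcr_drift.
drift_report() {
    if drifted=$(pcr_drift "$1" "$2"); then
        echo "sealed PCRs unchanged"
        return 0
    fi
    for idx in $drifted; do
        echo "PCR $idx changed: $(pcr_component "$idx")"
    done
    return 1
}

# Constructed sample in the sysfs layout: every byte of PCR n is n,
# except PCR 14, whose bytes are all set to $1.
sample_dump() {
    n=0
    while [ "$n" -lt 24 ]; do
        b=$(printf '%02X' "$n")
        if [ "$n" -eq 14 ]; then b=$1; fi
        line=$(printf 'PCR-%02d:' "$n")
        k=0
        while [ "$k" -lt 20 ]; do line="$line $b"; k=$((k + 1)); done
        printf '%s \n' "$line"
        n=$((n + 1))
    done
}

# Demonstration on constructed dumps. On a real system the baseline would be a
# copy of the pcrs file taken right after tpm_sealdata (assumed location:
# the directory that holds caps, /sys/devices/pnp0/00:0*/).
work=$(mktemp -d)
sample_dump 0E > "$work/at_seal_time"
sample_dump 5A > "$work/after_kernel_update"
drift_report "$work/at_seal_time" "$work/after_kernel_update"
rm -rf "$work"
```

A non-zero result after a kernel, bootloader or boot command line change means tpm_unsealdata will refuse to release the key in that boot state, so the backup of the plain key from step 4 is the only way back to the data.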


Chapter 6. Setting up the dm-crypt loopback partition

In this section, you will initiate an available loopback device (/dev/loop0) by associating it with /home/secret_dir. Then you will set up the device to be a LUKS-encrypted partition using the sealed key (/home/sealed_key) created in the last section. This partition will then be mapped to a mapper device (/dev/mapper/secret) and mounted at a plain directory (/home/plain) for use.

About this task

This example uses a loopback device to demonstrate how to set up a dm-crypt partition. However, you can easily adapt these steps to set up an available physical device for the dm-crypt partition. You can do this by skipping any losetup steps and changing the device name used in the commands from /dev/loop0 to your physical device name.

Procedure

1. Set up the loopback device.

   a. Determine the first unused loopback device:

    # losetup -f
    /dev/loop0

   b. Create the backing file (/home/secret_dir) for initiating the loopback device, filled with random data:

    # dd if=/dev/urandom of=/home/secret_dir bs=1M count=50
    50+0 records in
    50+0 records out
    bytes (52 MB) copied, s, 3.5 MB/s

   c. Initiate your choice of an unused loopback device by associating it with the file you just created:

    # losetup /dev/loop0 /home/secret_dir

2. Ensure that the dm_crypt module is loaded.

    # modprobe dm_crypt

   On SLES11, you should see the following output:

    # lsmod | grep -i dm_crypt
    dm_crypt
    crypto_blkcipher dm_crypt
    dm_mod dm_crypt

   On RHEL5.4, you should see the following output:

    # lsmod | grep -i dm_crypt
    dm_crypt
    dm_mod dm_crypt,dm_mirror,dm_multipath,dm_raid45,dm_log

3. Unseal and retrieve the key (/home/sealed_key) from the TPM and use it to initialize the loopback device (/dev/loop0) to be a Linux Unified Key Setup (LUKS) partition.

    # tpm_unsealdata -z -i /home/sealed_key | cryptsetup luksFormat --key-file=- /dev/loop0
    Command successful.

   As when taking ownership of the TPM, specify the -z flag in the tpm_unsealdata command to use TSS_WELL_KNOWN_SECRET as the SRK password to decrypt (using the SRK) and unseal the key, which avoids being prompted for a password. The tpm_unsealdata command returns the value of the unsealed key if the PCRs contain the proper values. This unsealed (and plain) key is then used to format the loopback device as an encrypted device.

4. Unseal the key (/home/sealed_key) from the TPM and use it to map the LUKS-encrypted device (/dev/loop0) to a device-mapper device (secret). The mapping will appear under the /dev/mapper/ directory.

    # tpm_unsealdata -z -i /home/sealed_key | cryptsetup luksOpen --key-file=- /dev/loop0 secret
    key slot 0 unlocked.
    Command successful.

5. Format the mapped device as a normal block device so that it can be used to hold the files you would like to encrypt.

    # mkfs.ext3 /dev/mapper/secret

6. Create a directory and mount the mapped LUKS-encrypted device on it. This directory will contain the decrypted version of your secret files when successfully mounted.

    # mkdir -p /home/plain
    # mount /dev/mapper/secret /home/plain

   Verify that the mount is successful by running the following command:

    # mount
    /dev/sda4 on / type ext3 (rw,acl,user_xattr)
    /proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    debugfs on /sys/kernel/debug type debugfs (rw)
    udev on /dev type tmpfs (rw)
    devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
    fusectl on /sys/fs/fuse/connections type fusectl (rw)
    securityfs on /sys/kernel/security type securityfs (rw)
    /dev/mapper/secret on /home/plain type ext3 (rw)

7. If you want to unmount the partition, run these commands:

    # umount /home/plain
    # cryptsetup remove secret
    # losetup -d /dev/loop0

   Note: Never forget to remove the mapped device (secret). If you do not, anyone can mount it later without being prompted for any authorization data.

8. If you want to mount the partition again at a later time, run these commands:

    # losetup /dev/loop0 /home/secret_dir
    # tpm_unsealdata -z -i /home/sealed_key | cryptsetup luksOpen --key-file=- /dev/loop0 secret
    # mount /dev/mapper/secret /home/plain

Chapter 7. Securing sensitive files using a script

After you have set up the dm-crypt loopback partition, move your sensitive files to this partition and replace each original file with a symbolic link to the new location. This practice centralizes your secured files and removes the need to encrypt each file separately. Note that if the plain partition is unmounted and any parameter sealed in the key (MBR information, bootloader, boot command line, or the kernel image) changes, the symbolic link will not work and the files will not be accessible.

About this task

The following shell script automates moving a particular file to the decrypted loopback partition (/home/plain) and replaces the original file location with a symbolic link to the loopback path. You will need to edit this script if your secured partition does not reside at /home/plain.

    #!/bin/sh
    #
    # Move a file to the mounted dm-crypt partition and leave a symbolic link
    # to it at the original location.
    #
    PATH=$PATH:/sbin:/bin
    # Change to the name of your dm-crypt loopback partition
    PLAIN_DIR=/home/plain

    if [ -f "$1" ]
    then
        # Verify that the plain directory is mounted
        if (mount | grep "$PLAIN_DIR")
        then
            mv "$1" "$PLAIN_DIR"
        else
            echo "dm_crypt partition not mounted"
            exit 1
        fi
        # Create our symbolic link; a leading ./ is replaced by the current directory
        ln -s "$PLAIN_DIR/$(basename "$1")" "$(echo "$1" | sed "s|\./|$PWD/|")"
    else
        echo "File not found"
        exit 1
    fi

To use this script:

Procedure

1. Copy this script to a file. For example, centralize_secure_file.sh.

2. Edit the script with the name of your dm-crypt loopback partition if you are not using /home/plain.

3. Give the script the permission to be executed, for example:

    # chmod 700 centralize_secure_file.sh

4. Run the script against the files you want to encrypt.

    # ./centralize_secure_file.sh <sensitive_file>

   For example:

    # ./centralize_secure_file.sh mysecret

5. Check that the file is now moved to your dm-crypt loopback partition and that a symbolic link is created in place of the original file location, for example:

    # ls /home/plain
    mysecret
    # ls -l mysecret
    lrwxrwxrwx 1 root root :26 mysecret -> /home/plain/mysecret

Chapter 8. Making the changes persistent across reboots

Follow these steps in order to make this change persistent.

Procedure

1. Automate insertion of the TPM related modules.

   On SLES11:

   Edit the /etc/sysconfig/kernel file to add the TPM device driver module (tpm_tis) to the MODULES_LOADED_ON_BOOT list. Module names should be separated by a space in this list. Create the file if it does not exist. The following entry shows an example where the e1000e and tpm_tis modules will be loaded automatically on boot:

    MODULES_LOADED_ON_BOOT="e1000e tpm_tis"

   On RHEL5.4:

   Edit the /etc/rc.modules file to include a line with modprobe tpm_tis. Create the file if it does not exist and assign execution permission. The following entry shows an example /etc/rc.modules file:

    # cat /etc/rc.modules
    modprobe tpm_tis
    # chmod 755 /etc/rc.modules

2. Add the TSS daemon to boot at all runlevel operations.

   On SLES11, do the following:

    # insserv /etc/init.d/tcsd

   On RHEL5.4, run the following commands:

    # chkconfig --level 0123456 tcsd on
    # chkconfig --list tcsd
    tcsd 0:on 1:on 2:on 3:on 4:on 5:on 6:on

3. Automate setting up of the dm-crypt loopback partition on every boot.

   a. Create the file /etc/init.d/dm_crypt_sealed_mount with the following code:

    #!/bin/sh
    #
    # dm-crypt encrypted partition handling
    #
    ### BEGIN INIT INFO
    # Provides: dm_crypt_sealed_mount
    # Required-Start: tcsd
    # Required-Stop:
    # Should-Start: tcsd
    # Default-Start: 3 5
    # Default-Stop: 0 1 2 6
    # Short-Description: Handles a sealed dm_crypt loopback partition
    ### END INIT INFO
    PATH=/sbin:/bin:/usr/bin:$PATH
    SECRET_DIR=/home/secret_dir
    PLAIN_DIR=/home/plain
    SEALED_KEY=/home/sealed_key

    case "$1" in
        start|"")
            if (mount | grep "$PLAIN_DIR")
            then
                echo "dm_crypt sealed partition is already mounted."
            else
                # Attach the loopback device, unseal the key and open the LUKS device
                losetup /dev/loop0 "$SECRET_DIR"
                tpm_unsealdata -z -i "$SEALED_KEY" | cryptsetup luksOpen --key-file=- /dev/loop0 secret
                mount /dev/mapper/secret "$PLAIN_DIR"
            fi
            ;;
        stop)
            if (mount | grep "$PLAIN_DIR")
            then
                # Always remove the mapping so the plain device does not stay available
                umount "$PLAIN_DIR"
                cryptsetup remove secret
                losetup -d /dev/loop0
                echo "dm_crypt partition umounted"
            else
                echo "dm_crypt sealed partition isn't mounted."
            fi
            ;;
        *)
            echo "Usage: $0 [start|stop]"
            exit 1
            ;;
    esac
    exit 0

   b. Edit the script with the names of the files and directories you used to replace /home/secret_dir (which the loopback device is associated with), /home/plain (the directory where the secured files are saved), and /home/sealed_key (the sealed key file).

   c. Set the right permission on the script:

    # chmod 755 /etc/init.d/dm_crypt_sealed_mount

   d. Unmount the dm-crypt loopback partition so that you can test the script:

    # umount /home/plain
    # cryptsetup remove secret
    # losetup -d /dev/loop0

   e. Test the script to see if it works:

    # /etc/init.d/dm_crypt_sealed_mount
    key slot 0 unlocked.
    Command successful.

   f. Verify that the script is working:

    # mount
    /dev/sda4 on / type ext3 (rw,acl,user_xattr)
    /proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    debugfs on /sys/kernel/debug type debugfs (rw)
    udev on /dev type tmpfs (rw)
    devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
    fusectl on /sys/fs/fuse/connections type fusectl (rw)
    securityfs on /sys/kernel/security type securityfs (rw)
    /proc on /var/lib/ntp/proc type proc (ro)
    /dev/mapper/secret on /home/plain type ext3 (rw)

   g. Add the script to all runlevel operations so it can be run when the system boots.

      On SLES11, execute this:

    # insserv /etc/init.d/dm_crypt_sealed_mount

      On RHEL5.4, add the entry /etc/init.d/dm_crypt_sealed_mount to /etc/rc.d/rc.local:

    # cat /etc/rc.d/rc.local
    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    touch /var/lock/subsys/local
    /etc/init.d/dm_crypt_sealed_mount

4. Reboot the machine:

    # reboot

5. After your machine has finished rebooting, you will see the same output as when you verified the script in step 3.f:

    # cat /etc/mtab
    /dev/sda4 on / type ext3 (rw,acl,user_xattr)
    /proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    debugfs on /sys/kernel/debug type debugfs (rw)
    udev on /dev type tmpfs (rw)
    devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
    fusectl on /sys/fs/fuse/connections type fusectl (rw)
    securityfs on /sys/kernel/security type securityfs (rw)
    /dev/mapper/secret on /home/plain type ext3 (rw)

What to do next

Your dm-crypt loopback partition is now set up to persist across a reboot. Next you can use the script created in Chapter 7, Securing sensitive files using a script, on page 15 to move your sensitive files to the secured partition. Remember that any change to the five parameters (MBR information, bootloader, boot command line, and the kernel image) that correspond to the PCRs will cause the sealed key to become invalid. Extreme care must be taken to avoid the situation where data is unrecoverable.


Chapter 9. Securing sensitive files with TPM keys

Support for the Trusted Platform Module (TPM) has been available in enterprise Linux distributions since SLES 11 and RHEL5.3. TPM is implemented according to the Trusted Computing Group (TCG) specification, and one of its many useful applications is handling dm-crypt passphrases.

When using encrypted partitions, one must typically enter one or more passphrases during the boot sequence to allow the kernel to decrypt them. While this is perhaps a desirable characteristic for laptops, it is an impediment to automation in the server environment. TPM can be used in this environment to wrap the passphrases and provide them automatically to the cryptsetup command. This blueprint describes how to realize TPM-protected dm-crypt passphrases on your system.

Scope, requirements, and support

This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you.

Systems to which this information applies
System x running Linux

Intended audience
This blueprint targets Enterprise Linux administrators or users with an intermediate level of expertise.

Scope and purpose
This Blueprint provides the steps necessary to set up a loopback dm-crypt partition encrypted with a key sealed to a TPM 1.2 platform configuration register (PCR). Instructions for setting up TPM for other security functions are outside the scope of this blueprint.

Test environment
These instructions were tested on IBM System x 8212 running SLES11 and RHEL5.4 respectively.

Hardware requirements
To be able to use the functions of TPM, your hardware must be built with a Trusted Platform Module (TPM) chip of version 1.2 or above. The TPM chip can usually be found in the current System x machines and Lenovo ThinkPad systems. To determine if your hardware can support TPM, follow the instructions in section Chapter 3, Determining if you have the right hardware, on page 5.

Software requirements
- SuSE Linux Enterprise System version 11 or above
  - C/C++ Compiler and Tools package groups
  - gettext-tools (Requirement for building tpm_tools v from source)
- Red Hat Enterprise Linux version 5.3 or above
  - Development Tools and Development Libraries package groups
  - gettext-devel (Requirement for building tpm_tools v from source)

  - grub v0.97 (Requirement for building trustedgrub v1.1.3 from source. This software is included with RHEL5.3 and 5.4. If your distribution does not have the correct version, you can also use the one included in trustedgrub v source package.)

Other considerations
It is important to note that the TPM key created here is sealed to the PCRs that measure the MBR information, bootloader, boot command line, and the kernel image. If any of these change, all files secured by this method will be inaccessible.

Author names
Rajiv Andrade
George Wilson

Other contributors
Monza Lui
Subrata Modak
Kersten Richter

IBM Services
Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux.

IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs.

For more information about IBM and Linux, go to ibm.com/linux

IBM Support
Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum.

The IBM developerWorks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions
The following typographic conventions are used in this Blueprint:

Bold
    Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.

Italics
    Identifies parameters whose actual names or values are to be supplied by the user.

Monospace
    Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

Overview

Automatic logins can be realized by saving your password as a file and then reading that file when authorization is needed. To make sure this file is not compromised, the best practice is to combine cryptography and directory access control (DAC) by encrypting the password file and setting the proper authorization on it. However, most automatic login software expects a plain password file. You can potentially automate the decryption of the password file when that file is needed during automatic logins, but then you will need yet another encrypted password file to decrypt the previous password file.

Trusted Platform Module (TPM) provides a clean solution for this recursive problem. This solution makes use of a set of Platform Configuration Registers (PCRs) that can only be written by the TPM_extend operation. The TPM_extend operation makes the new PCR value a hash of the concatenation of the current value with the new hash that is provided. By design, a PCR cannot be assigned an arbitrary value, which is what makes the TPM_extend operation unique. This design makes key sealing possible.

In a key sealing scenario, the PCR can store a signature of the data that you are extending. The key is sealed by tying it to a particular PCR value in such a way that the key can only be retrieved later from the TPM. A key can also be sealed to more than one PCR. In this blueprint, you will seal a key to five PCRs (MBR information, bootloader, boot command line, or the kernel image). If any of these PCRs/parameters changes, mounting of the encrypted partition will not be possible. This feature prevents anyone from mounting the partition from any installed operating system other than the one it was originally mounted on, making rootkits impossible. Note that if you need to change any of these five PCR values after following the instructions in this blueprint, you will need to plan for migration.

In the following sections, you will install the needed software, create a sealed key, and then use the sealed key to set up the dm-crypt loopback partition. Then you will learn how to use a script to encrypt any file and save it in the dm-crypt partition while the original location of the file is replaced by a symbolic link to the encrypted file. In the last section, you will set up the dm-crypt loopback partition to be mounted automatically at each reboot.

The following table lists the files and directories that are used in the instructions. You may prefer to use a different set of files and directories. If you do, make sure these files and directories have the correct DAC authorization. You can use the following table to record where you want these files and directories for easy reference.

Table 3. Reference table for files and directories

Description                                  | File/Directory used in This Blueprint | File/Directory you used
File to temporarily hold the key             | /home/temp_plain_key                  |
File of the sealed key                       | /home/sealed_key                      |
Directory used to mount loopback device      | /home/secret_dir                      |
Mapper device of your secured partition      | /dev/mapper/secret                    | /dev/mapper/
  Note: This device is always created in the mapper device directory

Table 3. Reference table for files and directories (continued)

Description                                  | File/Directory used in This Blueprint | File/Directory you used
Directory mapped to the above device, where  | /home/plain                           |
  your secured files will be made available
  to you in plain form

Related reference:
Chapter 1, Scope, requirements, and support, on page 1
This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you.

Determining if you have the right hardware

Use this information to determine if you have the right hardware to use TPM and to determine which TPM chip version you have in your hardware.

Determining TPM-readiness

You can determine if your hardware is TPM-ready by looking at your BIOS. Note that the term TCG is sometimes used interchangeably with the term TPM in the BIOS. Make sure that the TCG/TPM feature is active and, if the option is available, cleared by following these steps:

1. Enter the BIOS and activate the TCG Feature. The steps to do so depend on the BIOS version. In this example, press F1 during power on. Then, from the main menu, choose Security > TCG Feature Setup. The feature could be named differently, for example, Security Chip, in other BIOS versions.

   Note: If you cannot find a similar feature in your BIOS, your hardware might not be equipped with a TPM chip.

2. Set the TCG Security Feature option to Active and the Clear TCG Security Feature option to Yes.

3. Save and exit from the BIOS.

Determining TPM version

To determine which TPM chip version you have in your hardware, load the TPM modules. Follow these steps:

1. Insert the tpm_tis module and confirm that it is loaded by running the following commands:

   # modprobe tpm_tis
   # lsmod | grep tpm
   tpm_tis
   tpm tpm_infineon,tpm_tis
   tpm_bios tpm

2. Determine the TCG version by issuing the following command:

   # cat /sys/devices/pnp0/00\:0*/caps
   Manufacturer: 0x4e534d20
   TCG version: 1.2
   Firmware version: 1.6

   The above output shows that the TPM/TCG chip version is 1.2.

Related reference:
Chapter 1, Scope, requirements, and support, on page 1
This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you.

Installing and configuring Trusted Computing software

The TCG has standardized a software stack that sits above the TPM chip and includes the TPM device driver and TSS. TSS is a Trusted Computing API that provides applications access to the TPM trusted computing functions.

About this task

The steps below explain how to install an open source implementation of this API, named TrouSerS, together with a group of userland tools that use this interface to implement various Trusted Computing solutions, including the one you are building.

This table displays the four software programs that you will install in this section and where they should be installed from. "distro" means the software comes with the distribution, whereas "source" means you will have to download the software from sourceforge.net and build it from source:

Table 4. Installing software locations

Software      | Install Software From: SLES11+ | Install Software From: RHEL5.3+
TrouSerS      | distro                         | distro
tpm_tools v   | source                         | source
trustedgrub   | distro                         | source
cryptsetup    | distro                         | distro

Procedure

1. Check that your hardware and software requirements are fulfilled. See Hardware requirements on page 1 and Software requirements on page 1 in the Introduction. Also see Chapter 3, Determining if you have the right hardware, on page 5.

2. Install TrouSerS and its development packages. This tool is required for installing tpm-tools. To install TrouSerS, follow these steps:

   On SLES11, run:

   # yast -i trousers trousers-devel

   On RHEL5.4, run:

   # yum install trousers trousers-devel

3. Tpm-tools or above is required because of the data unsealing tool included in the package. The tpm-tools packages that come with SLES11 and RHEL5.4, however, do not fulfill this requirement. Therefore you need to download the latest tpm-tools package from trousers. For other distributions, use the version of tpm-tools that comes with your distribution, if it is or higher. The following instructions download and install tpm-tools:

   # wget
   # tar xzf tpm-tools tar.gz
   # cd tpm-tools
   # sh bootstrap.sh
   # ./configure --prefix=/usr
   # make
   # make install

4. Install the Trusted GRUB package. This package enables you to seal the encryption/decryption key to a PCR in later steps.

   On SLES11:

   # yast -i trustedgrub

   Choose to uninstall the following two packages if asked:

   deinstallation of grub i586
   deinstallation of bootcycle i586

   On RHEL5.4: Build Trustedgrub from source. The latest version is downloadable from projects/trustedgrub/files/. At the time of the writing of this blueprint, version is the most current version. To install this version, follow these steps:

   # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/TrustedGRUB tgz/download
   # wget TrustedGRUB-1.1.3/TrustedGRUB-1.1.3/008_all_grub-0.97-AM_PROG_AS.patch/download
   # tar zvxf TrustedGRUB tgz
   # cd TrustedGRUB
   # ./build_tgrub.sh
   # cp default /boot/grub
   # cd TrustedGRUB
   # cp ../../008_all_grub-0.97-AM_PROG_AS.patch .
   # patch -p0 < 008_all_grub-0.97-AM_PROG_AS.patch
   # make install
   # rm -rf /boot/grub/stage*
   # rm -rf /boot/grub/*1_5
   # cp stage1/stage1 /boot/grub
   # cp stage2/stage2 /boot/grub
   # ls /boot/grub/
   default grub.conf menu.lst stage1 stage2

   The last step in installing Trusted GRUB is to issue a grub command that tells Trusted GRUB which partition is the boot partition and which disk it is on. Before doing so, you need to determine what they are. Follow these steps:

   a. Determine the boot partition and disk by issuing the following command:

      # fdisk -l
      Disk /dev/sda: GB, bytes
      255 heads, 63 sectors/track, cylinders
      Units = cylinders of * 512 = bytes
      Device Boot Start End Blocks Id System
      /dev/sda1 * Linux
      /dev/sda e Linux LVM

      From the above output, /dev/sda1 is the boot partition (see the * under the Boot column), and /dev/sda is the disk.

   b. Translate the device names into grub notation. For example, replace /dev/sda by hd0 and /dev/sdb by hd1. Also, replace /dev/sda1 by hd0,0 and /dev/sdb3 by hd1,2. In this example, the boot partition is /dev/sda1, which translates to hd0,0, and the disk is /dev/sda, which translates to hd0.

   c. Issue the grub command to get into the grub interface:

      # grub

   d. Issue the following command to tell grub which is the boot partition:

      grub> root (hd0,0)

   e. Issue the following command to tell grub which is the disk:

      grub> setup (hd0)

   f. Issue the following command to exit grub:

      grub> quit

5. Install the cryptsetup package so that the dm_crypt partition can be set up later.

   On SLES11:

   # yast -i cryptsetup

   On RHEL5.4:

   # yum install cryptsetup-luks

6. Start the tcsd daemon. The tcsd daemon manages Trusted Computing related resources.

   # /etc/init.d/tcsd start
   Starting tcsd                          done
   # /etc/init.d/tcsd status
   Checking for service tcsd              running

7. Take ownership of your TPM using the tpm_takeownership tool from the tpm_tools package. By including the -z flag, the storage root key (SRK) secret is set to 20 bytes of zeros (TSS_WELL_KNOWN_SECRET). You will be required to set an owner password. Note that this password sits at the top level of the keychain inside the TPM and will be used to authorize other TPM functions:

   # tpm_takeownership -z
   Enter owner password:
   Confirm owner password:

8. Perform a full power cycle (power off and then power on).

What to do next

You have now installed and configured the Trusted Computing software needed.

Related reference:
Chapter 1, Scope, requirements, and support, on page 1
This blueprint applies to System x running Linux. You can learn more about this blueprint, including the intended audience, the scope and purpose, the hardware and software requirements for the tasks detailed in this blueprint, and the types of support available to you.

Generating a Trusted State sealed key

In this section, you will create a key (/home/sealed_key) that will be used to open the loopback dm-crypt partition. You will then seal this key to five different PCRs that were extended with the MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image. Once a key is sealed to a PCR, the TPM will only allow the key to be retrieved if the content of the PCR is the same as it was at the moment the key was sealed. Because the key will be sealed to five different PCRs, anyone who attempts to boot the partition/machine from a different installed operating system will not succeed, as the content of these PCRs will be different.

About this task

Take care: if one of the parameters the key was sealed to (MBR information, bootloader, boot command line, or the kernel image) changes, you will be unable to unseal the key and all encrypted files in the dm-crypted directory will be inaccessible.

Note that you will create a random key and save it temporarily to /home/temp_plain_key. From it you will seal the key to the five PCRs discussed above and create /home/sealed_key. You will use this key in the next section to set up the loopback dm-crypt partition.

Procedure

1. Insert the TPM modules again and start the tcsd daemon:

   # modprobe tpm_tis
   # /etc/init.d/tcsd start

2. Create your random 256-bit (32-byte) AES key and save it temporarily to the /home/temp_plain_key file:

   # dd if=/dev/urandom of=/home/temp_plain_key bs=1 count=32
   32+0 records in
   32+0 records out
   32 bytes (32 B) copied, s, 66.3 kb/s

3. Seal the temporary key to PCRs 4, 8, 9, 12 and 14 and write the sealed key to /home/sealed_key. These PCRs store the measurements of the MBR information, bootloader stage2 part1, bootloader stage2 part2, boot command line, and the kernel image respectively.

   # cat /home/temp_plain_key | tpm_sealdata -z -p 4 -p 8 -p 9 -p 12 -p 14 -o /home/sealed_key

4. Back up the plain key to secure storage and remove the on-system plain key.
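The TPM_extend rule from the Overview and the sealing behaviour described in this section can be modelled in software to see why a single changed boot parameter locks the key. The following Python model is an added example, not part of the IBM blueprint: SimTPM, GOOD_BOOT and changed_pcrs are hypothetical names, the boot components are constructed placeholders, and the composite digest is simplified compared with the real TPM 1.2 structure (TPM 1.2 PCRs are 20-byte SHA-1 values).

```python
import hashlib

# PCR indices this blueprint seals to, with what each one measures (from the text).
SEALED_PCRS = {4: "MBR information", 8: "bootloader stage2 part1",
               9: "bootloader stage2 part2", 12: "boot command line",
               14: "kernel image"}

# Constructed stand-ins for the measured boot components (not real data).
GOOD_BOOT = [(4, b"constructed MBR bytes"),
             (8, b"constructed stage2 part1"),
             (9, b"constructed stage2 part2"),
             (12, b"kernel /vmlinuz root=/dev/sda4"),
             (14, b"constructed kernel image v1")]


class SimTPM:
    """Toy model of TPM 1.2 PCR and seal behaviour; not a real TPM interface."""

    def __init__(self):
        self._vault = {}   # stands in for blobs the chip encrypts under the SRK
        self.pcrs = {}
        self.boot([])

    def boot(self, components):
        """Power cycle: PCRs reset to zeros, then each component is measured."""
        self.pcrs = {i: bytes(20) for i in range(24)}
        for index, data in components:
            self.extend(index, data)

    def extend(self, index, data):
        """PCR_new = SHA1(PCR_old || SHA1(data)); there is no direct write."""
        digest = hashlib.sha1(data).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()

    def _composite(self, selection):
        # Simplified composite: SHA-1 over the selected PCR values in index order.
        return hashlib.sha1(b"".join(self.pcrs[i] for i in sorted(selection))).digest()

    def seal(self, secret, selection=tuple(SEALED_PCRS)):
        """Bind the secret to the current values of the selected PCRs."""
        handle = len(self._vault)
        self._vault[handle] = (tuple(selection), self._composite(selection), secret)
        return handle

    def unseal(self, handle):
        """Release the secret only if the selected PCRs match the sealing state."""
        selection, digest_at_release, secret = self._vault[handle]
        if self._composite(selection) != digest_at_release:
            raise PermissionError("PCR state differs from the state at sealing time")
        return secret


def changed_pcrs(baseline, current, selection=tuple(SEALED_PCRS)):
    """Return the sealed PCR indices whose value differs from a saved baseline."""
    return [i for i in sorted(selection) if baseline[i] != current[i]]


def demo():
    tpm = SimTPM()
    tpm.boot(GOOD_BOOT)
    key = bytes(range(32))              # constructed 256-bit key
    blob = tpm.seal(key)
    baseline = dict(tpm.pcrs)           # PCR values recorded next to the sealed key

    tpm.boot(GOOD_BOOT)                 # identical reboot: unseal works
    unsealed_ok = tpm.unseal(blob) == key

    edited = [(i, d + b" quiet") if i == 12 else (i, d) for i, d in GOOD_BOOT]
    tpm.boot(edited)                    # boot command line gained one parameter
    tpm.extend(12, GOOD_BOOT[3][1])     # extending again cannot restore the old value
    try:
        tpm.unseal(blob)
        refused = False
    except PermissionError:
        refused = True
    return unsealed_ok, refused, changed_pcrs(baseline, tpm.pcrs)


if __name__ == "__main__":
    ok, refused, changed = demo()
    print("unseal after identical boot:", ok)
    print("unseal refused after change:", refused)
    print("changed sealed PCRs:", [(i, SEALED_PCRS[i]) for i in changed])
```

Recording the PCR values at sealing time, as the model does with its baseline, lets you tell which of the five measurements changed when an unseal is refused after maintenance.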


More information

Installing Red Hat Enterprise Linux AS 4 Update 3 on the IBM System p5 185 or IBM Intellistation POWER 185

Installing Red Hat Enterprise Linux AS 4 Update 3 on the IBM System p5 185 or IBM Intellistation POWER 185 Installing Red Hat Enterprise Linux AS 4 Update 3 on the IBM System p5 185 or IBM Intellistation POWER 185 A change in the IBM (R) System p5 (TM) 185 and IBM Intellistation (R) POWER (TM) 185 requires

More information

Oracle 1Z Enterprise Linux System Administration. Download Full Version :

Oracle 1Z Enterprise Linux System Administration. Download Full Version : Oracle 1Z0-403 Enterprise Linux System Administration Download Full Version : http://killexams.com/pass4sure/exam-detail/1z0-403 B. It does not provide any protection to remote X connections. C. It allows

More information

Method of Procedure to Upgrade RMS OS to Red Hat Enterprise Linux 6.7

Method of Procedure to Upgrade RMS OS to Red Hat Enterprise Linux 6.7 First Published: November 20, 2015 Contents Scope of MOP... 4 Release Components... 4 Pre Requisites... 4 Assumptions... 4 Process Information... 5 Upgrade Timing... 5 Requirements... 5 Pre Maintenance...

More information

IBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide

IBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide IBM Client Security Solutions Client Security Software Version 1.0 Administrator's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix A - U.S. export

More information

Basic Linux Command Line Interface Guide

Basic Linux Command Line Interface Guide This basic Linux Command-Line Interface (CLI) Guide provides a general explanation of commonly used Bash shell commands for the Barracuda NG Firewall. You can access the command-line interface by connecting

More information

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B:: Module Title Duration : 55187B: Linux System Administration : 4 days Overview This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional

More information

. Fill in the Blank: A directory named mydir has just been... Points:10. Add Question Success: 64 questions added as a copy.

. Fill in the Blank: A directory named mydir has just been... Points:10. Add Question Success: 64 questions added as a copy. . Fill in the Blank: A directory named mydir has just been... Success: 64 questions added as a copy. A directory named mydir has just been created with the touch command. Nochmod commands have been issued

More information

Disks, Filesystems 1

Disks, Filesystems 1 Disks, Filesystems 1 sudo and PATH (environment) disks partitioning formatting file systems: mkfs command checking file system integrity: fsck command /etc/fstab mounting file systems: mount command unmounting

More information

This is Worksheet and Assignment 12. Disks, Partitions, and File Systems

This is Worksheet and Assignment 12. Disks, Partitions, and File Systems This is Worksheet and Assignment 12 This is a combined Worksheet and Assignment.. Quizzes and tests may refer to work done in this Worksheet and Assignment; save your answers. You will use a checking program

More information

Upgrading Prime Optical

Upgrading Prime Optical CHAPTER 6 You cannot perform a full upgrade from an earlier Cisco Transport Manager (CTM) or Prime Optical release. This section describes how to use the Cisco Prime Optical 9.8 Data Migrator wizard to

More information

Linux Howtos. Red Hat 9 and Trouble (116) CIS Fall Red Hat 9 and Trouble (116)

Linux Howtos. Red Hat 9 and Trouble (116) CIS Fall Red Hat 9 and Trouble (116) Linux Howtos Red Hat 9 and Trouble (116) CIS 191 - Fall 2008 Red Hat 9 and Trouble (116) Troubleshoot booting and rooting problems with Jim Griffin s troublemaker. A VM has been created using Red Hat 9

More information

Working with Basic Linux. Daniel Balagué

Working with Basic Linux. Daniel Balagué Working with Basic Linux Daniel Balagué How Linux Works? Everything in Linux is either a file or a process. A process is an executing program identified with a PID number. It runs in short or long duration

More information

Basic Linux Command Line Interface Guide

Basic Linux Command Line Interface Guide This basic Linux Command-Line Interface (CLI) Guide provides a general explanation of commonly used Bash shell commands for the Barracuda NG Firewall. You can access the command-line interface by connecting

More information

How to Dual-Boot OS X and Ubuntu

How to Dual-Boot OS X and Ubuntu How to Dual-Boot OS X and Ubuntu Nailen Matschke - nailen@caltech.edu 10/3/2015 What you need: 1. A USB drive with at least 2 GB of space, that you don t mind wiping 2. A copy of Ubuntu (available here),

More information

INSTALLATION. Security of Information and Communication Systems

INSTALLATION. Security of Information and Communication Systems Security of Information and Communication Systems INSTALLATION Table of contents 1.Introduction...2 2.Installation...3 2.1.Hardware requirement...3 2.2.Installation of the system...3 2.3.Installation of

More information

How to Back-Up a fit-pc2 Using Only a USB Stick (and some creative partitioning)

How to Back-Up a fit-pc2 Using Only a USB Stick (and some creative partitioning) This process allows you to back up your fit-pc2 workstation (or any USB-bootable computer) so you can quickly and easily restore your computer to its original state in the event of a hard drive failure,

More information

RocketRAID 231x/230x SATA Controller Debian Linux Installation Guide

RocketRAID 231x/230x SATA Controller Debian Linux Installation Guide RocketRAID 231x/230x SATA Controller Debian Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on September 17, 2008 Table of Contents 1

More information

Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades Q2

Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades Q2 Linux Operating System Environment Computadors Grau en Ciència i Enginyeria de Dades 2017-2018 Q2 Facultat d Informàtica de Barcelona This first lab session is focused on getting experience in working

More information

Embedded Linux Systems. Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island

Embedded Linux Systems. Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island Embedded Linux Systems Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island Generic Embedded Systems Structure User Sensors ADC microcontroller

More information

Android Bootloader and Verified Boot

Android Bootloader and Verified Boot Android Bootloader and Verified Boot Lecture 7 Security of Mobile Devices 2018 SMD Android Bootloader and Verified Boot, Lecture 7 1/38 Bootloader Recovery Verified Boot Bibliography SMD Android Bootloader

More information

Filesystem Hierarchy Operating systems I800 Edmund Laugasson

Filesystem Hierarchy Operating systems I800 Edmund Laugasson Filesystem Hierarchy Operating systems I800 Edmund Laugasson edmund.laugasson@itcollege.ee There has been used materials from Margus Ernits, Katrin Loodus when creating current slides. Current document

More information

Chapter 6. Boot time configuration. Chapter 6 Boot time configuration

Chapter 6. Boot time configuration. Chapter 6 Boot time configuration Chapter 6. Boot time configuration Chapter 6 Boot time configuration Last revised: 20/6/2004 Chapter 6 Outline In this chapter we will learn about: How the system boots How to configure the boot loaders

More information

"Charting the Course... MOC B: Linux System Administration. Course Summary

Charting the Course... MOC B: Linux System Administration. Course Summary Description Course Summary This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional Linux system administrator. The course covers

More information

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0 z/tpf V1.1 Title: z/tpf File System Review Subtitle: Our Greatest Hits Name: Stephen Record Venue: DBDF Subcommittee AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition

More information

RocketRAID 2522 SATA Controller Ubuntu Linux Installation Guide

RocketRAID 2522 SATA Controller Ubuntu Linux Installation Guide RocketRAID 2522 SATA Controller Ubuntu Linux Installation Guide Version 1.0 Copyright 2008 HighPoint Technologies, Inc. All rights reserved. Last updated on February 16, 2009 Table of Contents 1 Overview...1

More information

Exam LFCS/Course 55187B Linux System Administration

Exam LFCS/Course 55187B Linux System Administration Exam LFCS/Course 55187B Linux System Administration About this course This four-day instructor-led course is designed to provide students with the necessary skills and abilities to work as a professional

More information

Linux and Network Administra3on. Lorenzo Bracciale Marco Bonola

Linux and Network Administra3on. Lorenzo Bracciale Marco Bonola Linux and Network Administra3on Lorenzo Bracciale Marco Bonola What is Linux? Outline Who is this guy? Who is this guy? Compiler Editor Human Interface Filesystem Networking OS Kernel Scheduler Device

More information

client X11 Linux workstation

client X11 Linux workstation LPIC1 LPIC Linux: System Administrator LPIC 1 LPI command line LPIC-1 Linux LPIC-1 client X11 Linux workstation Unix GNU Linux Fundamentals Unix and its Design Principles FSF and GNU GPL - General Public

More information

Lab E2: bypassing authentication and resetting passwords

Lab E2: bypassing authentication and resetting passwords Lab E2: bypassing authentication and resetting passwords TTM4175 September 7, 2015 The purpose of this lab is to learn about techniques for bypassing the authentication and access control of Windows and

More information

SUSE Linux Enterprise 11 Administration Workbook

SUSE Linux Enterprise 11 Administration Workbook SUSE Linux Enterprise 11 Administration Workbook 3102 Novell Training Services AUTHORIZED COURSEWARE www.novell.com Novell Training Services (en) 15 April 2009 Part # 100-005204-001-REV A Novell Training

More information

File systems and Filesystem quota

File systems and Filesystem quota File systems and Filesystem quota 8.1 Unit objectives After completing this unit, you should be able to: Describe what a file is Describe what a file system is List possible file systems Describe i-nodes

More information

Introduction to Linux

Introduction to Linux Introduction to Linux Prof. Jin-Soo Kim( jinsookim@skku.edu) TA - Kisik Jeong (kisik@csl.skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu What is Linux? A Unix-like operating

More information

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost. Glossary A Active Directory a directory service that inventories, secures and manages the users, computers, rules and other components of a Microsoft Windows network. This service is typically deployed

More information

TECHNICAL WHITE PAPER. Using Stateless Linux with Veritas Cluster Server. Linux

TECHNICAL WHITE PAPER. Using Stateless Linux with Veritas Cluster Server. Linux TECHNICAL WHITE PAPER Using Stateless Linux with Veritas Cluster Server Linux Pranav Sarwate, Assoc SQA Engineer Server Availability and Management Group Symantec Technical Network White Paper Content

More information

POWER7+ Accelerated Encryption and Random Number Generation for Linux

POWER7+ Accelerated Encryption and Random Number Generation for Linux POWER7+ Accelerated Encryption and Random Number Generation for Linux Kent Yoder IBM Linux Technology Center February 22, 2013 Contents 1 Introduction 2 2 Hardware Architecture

More information

Installation of Fedora 12 with CD

Installation of Fedora 12 with CD Prepared by investech.wordpress.com Installation of Fedora 12 with Net Install CD Version 1.0 investech.wordpress.com 07-12-09 This document is produced under Creative Common License (Attribution No Derivatives).

More information

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

PL-I Assignment Broup B-Ass 5 BIOS & UEFI PL-I Assignment Broup B-Ass 5 BIOS & UEFI Vocabulary BIOS = Basic Input Output System UEFI = Unified Extensible Firmware Interface POST= Power On Self Test BR = Boot Record (aka MBR) BC =Boot Code (aka

More information

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage Linux+ Guide to Linux Certification, Third Edition Chapter 2 Linux Installation and Usage Objectives Install Red Hat Fedora Linux using good practices Outline the structure of the Linux interface Enter

More information

Encryption Security Recommendations

Encryption Security Recommendations Basic Concepts Sensitive data should be encrypted while in transit and stored. All communication between clients and servers, and between servers (Web server to app server, app server to database server,

More information

Linux Kung Fu. Stephen James UBNetDef, Spring 2017

Linux Kung Fu. Stephen James UBNetDef, Spring 2017 Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and

More information

SA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting

SA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting SA2 v6 Linux System Administration II Net Configuration, Software, Troubleshooting Synopsis: This is the second System Administration class, a follow-on class for new administrators with limited networking

More information

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories Chapter Two Exploring the UNIX File System and File Security Lesson A Understanding Files and Directories 2 Objectives Discuss and explain the UNIX file system Define a UNIX file system partition Use the

More information

INSTALLING INSTALLING INSTALLING

INSTALLING INSTALLING INSTALLING Architect Version 2.0 Release Notes July 2009 0898600-2.0 READ READ READ ME ME ME BEFORE BEFORE BEFORE INSTALLING INSTALLING INSTALLING THIS THIS THIS PRODUCT PRODUCT PRODUCT Disclaimer The information

More information

Linux/Citrix Virtual Environment Documentation

Linux/Citrix Virtual Environment Documentation Linux/Citrix Virtual Environment Documentation Purpose This document provides information on creating a bootable Ubuntu flash drive, customizing the interface, and using basic commands. Contents Bootable

More information

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions Lanka Education and Research Network Linux Architecture, Linux File System, Linux Basic Commands 28 th November 2016 Dilum Samarasinhe () Overview History of Linux Linux Architecture Linux File System

More information

NASA Lab. Partition/Filesystem/Bootloader. TinRay, Yu-Chuan

NASA Lab. Partition/Filesystem/Bootloader. TinRay, Yu-Chuan NASA Lab Partition/Filesystem/Bootloader TinRay, Yu-Chuan Agenda Conceptual Storage Structure Bootloader Practical & \Exercise/ Linux Device File Storage Related Commands Boot Related Commands 2 Before

More information

How To Resize ext3 Partitions Without Losing Data

How To Resize ext3 Partitions Without Losing Data By Falko Timme Published: 2007-01-07 17:12 How To Resize ext3 Partitions Without Losing Data Version 1.0 Author: Falko Timme Last edited 12/31/2006 This article is about

More information

Accurate study guides, High passing rate! IT TEST BOOK QUESTION & ANSWER. Ittestbook provides update free of charge in one year!

Accurate study guides, High passing rate! IT TEST BOOK QUESTION & ANSWER. Ittestbook provides update free of charge in one year! IT TEST BOOK QUESTION & ANSWER Ittestbook provides update free of charge in one year! Accurate study guides, High passing rate! Exam : RH133 Title : Red Hat Linux System Administration Version : Demo 1

More information

Linux Essentials Objectives Topics:

Linux Essentials Objectives Topics: Linux Essentials Linux Essentials is a professional development certificate program that covers basic knowledge for those working and studying Open Source and various distributions of Linux. Exam Objectives

More information

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module 1 Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt Germany Winter Term 2016/17 Roadmap: TPM

More information

Insight Control Server Provisioning Capturing and Installing SUSE Enterprise Linux 12 System Images

Insight Control Server Provisioning Capturing and Installing SUSE Enterprise Linux 12 System Images Technical white paper Insight Control Server Provisioning Capturing and Installing SUSE Enterprise Linux 12 System Images Table of contents Summary 2 Preparing for image capture 2 Sanitizing server image

More information

Linux Systems Security. Backup and Change Management NETS Fall 2016

Linux Systems Security. Backup and Change Management NETS Fall 2016 Linux Systems Security Backup and Change Management NETS1028 - Fall 2016 Backup Security breaches can cast doubt on entire installations or render them corrupt Files or entire systems may have to be recovered

More information

Disks, Filesystems, Booting Todd Kelley CST8177 Todd Kelley 1

Disks, Filesystems, Booting Todd Kelley CST8177 Todd Kelley 1 Disks, Filesystems, Booting Todd Kelley kelleyt@algonquincollege.com CST8177 Todd Kelley 1 sudo and PATH (environment) disks partitioning formatting file systems: mkfs command checking file system integrity:

More information

CSE 265: System and Network Administration

CSE 265: System and Network Administration CSE 265: System and Network Administration System startup and shutdown Bootstrapping Booting PCs Boot loaders Booting into single user mode Startup scripts Rebooting and shutting down Bootstrapping i.e.,

More information

CSE 265: System and Network Administration

CSE 265: System and Network Administration CSE 265: System and Network Administration System startup and shutdown Bootstrapping Booting PCs Boot loaders Booting into single user mode Startup scripts Rebooting and shutting down Bootstrapping i.e.,

More information