
#1 2022-07-02 00:41:11

Cvlc
Member
Registered: 2020-03-26
Posts: 273

Relying on GDM login with LUKS/TPM2 + Secure Boot

Hi!

I've successfully set up the following:

* Secure Boot with my own keys
* Full disk encryption bound to TPM PCR 7 (Secure Boot state) + additional PIN

With this setup, can I get rid of the additional TPM2 PIN and solely rely on the GDM login password to secure the laptop?
Are steps like https://wiki.archlinux.org/title/PAM#Se … figuration enough to make the system as secure as a LUKS prompt?
And a bonus question: is a BIOS password necessary? Since disabling Secure Boot will disable automatic decryption of the drive and revert to the LUKS password/recovery key prompt, it's fairly obvious if someone tries to mess with the system, I suppose.

Thanks!

Last edited by Cvlc (2022-07-02 00:43:41)


#2 2022-07-30 20:33:47

Cvlc
Member
Registered: 2020-03-26
Posts: 273

Re: Relying on GDM login with LUKS/TPM2 + Secure Boot

Hi,

Bumping this up with a couple of additional pieces of info.

Here are the default settings from my TPM:

 $ tpm2_getcap properties-variable
....
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
...

I am using systemd-homed, so the default seems to be 10 attempts per minute, from https://man.archlinux.org/man/homectl.1.en:

Configures a rate limit on authentication attempts for this user. If the user attempts to authenticate more often than the specified number, on a specific system, within the specified time interval authentication is refused until the time interval passes. Defaults to 10 times per 1min.

One difference is that the TPM counter/timer is probably not reset after a reboot; otherwise it seems pretty similar.

Another main difference is that the attack surface is greater, since unlocking the LUKS volume automatically with the TPM makes the system vulnerable to misconfiguration, bugs in GDM, etc.

Other than that, it looks pretty safe. What else could an attacker do (mostly worried about a thief for my use case), even if the laptop boots up to a lock screen?

Thanks for the tips!

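The TPM lockout properties and the homectl rate limit quoted in the posts above are both guess throttles, but with very different shapes, and the raw hex values hide that. The script below is an added example, not code from this thread or from systemd, tpm2-tools or GDM: it parses the `tpm2_getcap properties-variable` lines as posted (reproduced here as constructed input) and turns each throttle into "guesses allowed per day" and "worst-case time to exhaust a 6-digit PIN". The meaning of the `TPM2_PT_LOCKOUT_*` properties follows the TPM 2.0 Library specification; modelling homed's default as a budget of 10 guesses refilled every minute, the assumption that the sealed LUKS key object is subject to dictionary-attack protection (its `noDA` attribute clear), and all helper and class names (`Throttle`, `parse_getcap`, `tpm_throttle`, `HOMED_DEFAULT`) are mine.

```python
"""Added example: compare the TPM2 dictionary-attack (DA) lockout with the
systemd-homed default authentication rate limit, both expressed as a
guess budget over time.

Assumed property semantics (TPM 2.0 Library, Part 2, TPM_PT_LOCKOUT_*):
  TPM2_PT_LOCKOUT_COUNTER   failed authorizations recorded so far
  TPM2_PT_MAX_AUTH_FAIL     failures tolerated before the TPM locks out
  TPM2_PT_LOCKOUT_INTERVAL  seconds until LOCKOUT_COUNTER is decremented by 1
                            (0 means DA protection is disabled)
  TPM2_PT_LOCKOUT_RECOVERY  seconds before lockoutAuth may be retried after a
                            lockoutAuth failure (not modelled here)
The counter is persistent TPM state and survives a reboot. The sealed LUKS
key object is assumed to be DA-protected (noDA attribute clear).
"""
import re
from dataclasses import dataclass

# Constructed sample input: the relevant lines quoted from
# `tpm2_getcap properties-variable` in the thread.
TPM2_GETCAP_OUTPUT = """\
TPM2_PT_LOCKOUT_COUNTER: 0x0
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
"""

DAY = 24 * 3600


def parse_getcap(text: str) -> dict:
    """Parse 'TPM2_PT_NAME: 0xHEX' (or decimal) lines into {name: int}.

    Lines that do not match (e.g. the '...' separators) are ignored.
    """
    pat = re.compile(r"^\s*(TPM2_PT_\w+):\s*(0x[0-9A-Fa-f]+|\d+)\s*$", re.M)
    return {m.group(1): int(m.group(2), 0) for m in pat.finditer(text)}


@dataclass(frozen=True)
class Throttle:
    """A guess budget: `burst` guesses up front, then `replenish` more every
    `interval_s` seconds. Both throttles in the thread fit this shape."""
    burst: int
    replenish: int
    interval_s: int

    def attempts_in_window(self, window_s: int) -> int:
        """Failed guesses an attacker can make within window_s seconds."""
        return self.burst + (window_s // self.interval_s) * self.replenish

    def seconds_to_exhaust(self, space: int) -> int:
        """Worst-case seconds to try every one of `space` candidate PINs."""
        remaining = space - self.burst
        if remaining <= 0:
            return 0
        # ceil(remaining / replenish) intervals are needed after the burst.
        return -(-remaining // self.replenish) * self.interval_s


def tpm_throttle(props: dict) -> Throttle:
    """Derive the DA throttle from parsed tpm2_getcap properties.

    The attacker first burns the headroom below MAX_AUTH_FAIL, then gains one
    more guess each time the counter is decremented (every LOCKOUT_INTERVAL).
    """
    interval = props["TPM2_PT_LOCKOUT_INTERVAL"]
    if interval == 0:
        raise ValueError("LOCKOUT_INTERVAL is 0: TPM dictionary-attack protection is disabled")
    headroom = props["TPM2_PT_MAX_AUTH_FAIL"] - props["TPM2_PT_LOCKOUT_COUNTER"]
    return Throttle(burst=max(headroom, 0), replenish=1, interval_s=interval)


# homectl --rate-limit default "10 times per 1min", modelled as a budget of
# 10 guesses that is fully refilled every 60 s (assumption, see docstring).
HOMED_DEFAULT = Throttle(burst=10, replenish=10, interval_s=60)


if __name__ == "__main__":
    tpm = tpm_throttle(parse_getcap(TPM2_GETCAP_OUTPUT))
    for name, t in (("TPM2 DA lockout", tpm), ("homed default", HOMED_DEFAULT)):
        print(f"{name:16s} guesses/day={t.attempts_in_window(DAY):6d}  "
              f"6-digit PIN exhausted in {t.seconds_to_exhaust(10**6) / DAY:9.1f} days")
```

With the posted values the TPM permits 32 guesses up front and then one every two hours (44 per day), so a 6-digit PIN space takes on the order of 80,000 days to exhaust, while a budget of 10 guesses per minute amounts to roughly 14,400 guesses per day and exhausts the same space in about 70 days. The `TPM2_PT_LOCKOUT_RECOVERY` value (24 h) only governs retries of `lockoutAuth` itself and is deliberately left out of the model.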
