[Contribution] Module for dracut to allow 2FA on LUKS
44 views
Skip to first unread message
Raffaele Florio
Aug 9, 2018, 5:13:54 AM8/9/18
to qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi all,
I wrote a module for dracut to allow 2FA on LUKS. Currently it's a beta version. AFAIK a native solution for dracut already exists, however it isn't compatible with systemd and the latter is enabled by default. Furthermore it uses GPG, but because there is already the LUKS support I prefer to use the latter. Furthermore I find more useful a completely encrypted volume.
> How it works?
A target LUKS volume will be decrypted and attached iff the user provides a password for another LUKS volume on which there is a key for the first volume. So the user provides "something that possesses" (e.g. an SD card) and "something that knows" (i.e. the password to unlock the SD card). In this way to unlock the LUKS volume an attacker (excluding EM attack) needs a copy of the volume and its password. I think that it's very useful to unlock the root volume in this way.
Currently this relation is specified with a kernel cmdline parameter: rd.luks.2fa=UUID=keyfile_UUID:keyfile_path:UUID=target_UUID[:timeout]. This parameter is translated by a systemd-generator to a systemd.service.
> Why?
I wrote this module because it's very common to have a single USB controller that doesn't support any form of reset. For this reason I prefer to have that controller permanently attached to a USBVM, so completely hidden from dom0. Obviously it requires some other way (e.g. SD card reader) to read another LUKS volume. From what I saw it's very common to have a separate SD card reader that supports reset. So after the boot the SD card reader could be attached to another qube (strongly reccomended). In this way future SD cards aren't attached to dom0.
What do you think? How could it be improved?
Best Regards,
Raffaele.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEXw2ov1HEFPFo+AVy07vJZYtrAOMFAltsBXgACgkQ07vJZYtr
AOMeyA//RO4xEV9HaaMayRkubpSHraWjy08rmAyUakMt2sbmDvNOCYmShIMk9iMs
kP6rHvq2mqEZaHdPGFlZpV5VK0mfKf39X2Z54M/A1LrmLlRWb3GDab18aEzzmscw
+/uEIH0naqYNQSnB1Gl+YflmLAGascdYdBYdHpeF0PGGjxMeY5GbPSRE7cdGH5bv
WejPKaBvBGGuHi9vmK6xFK/R+qI/lkA/mfIy4V/XTaKvLRw4yJ/sRaBbLKKwMSGd
2cjUaeR5xU5hmzWifkzZMC8UlOZKlfJZByYq5YGMK4HyOdQbxjB7X+oXnQ8lZuxu
AGMLVOahyJIyRD1ZW2qsPpN/RmKwpccdKsMMgyIoip/wSlvXEHeRgzdWb7Oi32SM
99295Z/yECcKK/L7NqNxUkZKcN3khlCPSdD3Q7ZnMhHibnCXXjvJF3OFCg/ABSCg
2F6+zNASoJ8H+wk6ft0XyyM+u4owX+YJiStc0q9Zc8L4J+FP5OH9FWlEb9qtPk1f
EH9asjn/2aJoyJeCF/cXu+jD9VLQFjiMSvfkXRRxSRsD3mgZEnShDG6ecjog3lLF
hsL3wxVyJkrqCUbIZUhwYhhldLpqmel03LtS7U336Ya9Cy/3zkiit5WRYYCdZdQ5
N+AkgFu4e7DtUr2IkeVDeNUjHJ+1lqA5eXjBMR5eGPQI5cKsbug=
=DKV4
-----END PGP SIGNATURE-----
Raffaele Florio
Aug 10, 2018, 6:03:23 AM8/10/18
to qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
There is a discussion about its security model at https://github.com/QubesOS/qubes-issues/issues/2712
Hash: SHA256
Best Regards,
Raffaele.
-----BEGIN PGP SIGNATURE-----
AOMWpw/9Gf10egH/hkzruEFOeiK9OTr5hlsWRO8gvd0POAMolGDCHoiU+r8Ol+li
/x2AvuLXzUDx0Cov9KXXKiARS0UqQ/HRssZL5K4WI9VNOzgM4kcjqubld7yfJBJj
yhnmUx6QuyXqejSFtJq7JwlpKDGY9rkGBt+v30DjY0/btCx4+Ah6lsrnuXotGtlR
2Ta/NcO7WmqYtHyS2M/MpCbUGtmZTAh0MrGU8WAQS/MTqvjYJV8DfnGSodaOfYDw
imc+Jfep1MvtQrtqyg2u6rmxWF9EpqgHMTI/16je6GQGRctbpgfILNjs27bqSPNk
Nn8myaBtdDB2x4o1Wy6JMRwCTzqiIRIHrlmxiP9add+vIh7QagnPH/CdsSgp5P3f
Y4uAHO76EjGOzkGJWsoqTvR6RjfOQg9bUBZPZYeqjbQY0fs3bta5sDizdyk6aFhW
qlQzFcOPfmljYxvBawDMiqm4HV5Dp4IyOqnSwK9XoO4Ljd9CMSTZElo+6qUZ0XWO
GCzBAjAxDeIqULIqH3VqWUW7bDRWgiX18r0wWNCv+axFdLBkBWlHNQv7AKgGiCwo
wIYYTBa6fL5na6iNxbBsAvLRAlwNr5uDFunCByxzFhUif6QuXvID+Qpsoo2EfpCo
XYSqIDkfJpzGtgAlYv0YEixHkvN9YtWRRCBh8iSltVYN/k/TLXQ=
=g1hh
-----END PGP SIGNATURE-----
tier...@gmail.com
Aug 10, 2018, 8:06:41 AM8/10/18
to qubes-devel
Raffaele Florio
Aug 11, 2018, 3:11:17 AM8/11/18
to tier...@gmail.com, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Thanks! I'll wait your opinion!
Hash: SHA256
Best Regards,
Raffaele.
-----BEGIN PGP SIGNATURE-----
AOMN5hAAsNUgqro1Pw98v3bgBhBjP7z1O2ECLM8xq5S9kK4464kO+HF0YMVvVCju
jnmrbfNdzvUOzX8LL8/dnALUnvzghCPnOMnF85wfHfrYEbAAmkPTseu1QNvBRdmj
/ziWlvChjX4awsmUQySAgPI0TXvFyXBHUDtXTF2ybQx99Vih+8WSwmG6bDJcgrI5
bTeF2jMNZolUFPH4bzdKnoWQ80fGGeg0kYIZhppi6xMp0b+7ih6gU6/aCAOtwFiE
oZBla1Gip4JcwMZ1BL2g83B0HD24f9cL5TJ4LQD791qNhajhrGKX7RVzBf0fjdg5
/FsflJeS9gT2BEoPPq5nAKAZru0jgtu1g5MDjGQj0RxqA/AsX0NjLQ9DkS+xXRxt
5/d2WfAGSLCley3C79V9FgrLckV7gmvSFSOmQGPk/yD1KTMqhMkqBPokcY9FNyaX
BbyHi1N48m53wnYFiloN260RZCm7HgQQ1AFJpfW7/gWEy+Sbv/Brk1psBjWeE1bG
Y8GD8NJ2dEfURU1yRccrFpW7xZ3TLMJAtkAKaQ+DQeEmRsnXxTBSJ8ShWmMjvDl9
dpm02y9xdr3bAJtyoGai52J71wbh32+06yLpKV9mXQn1m1/6nJLkVx/AKdHSY42Z
6wNjNeIRkNLUFCOuBW22KyYr19fAePVGRlCxkoGB+KPrIPIWzKo=
=6NtH
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages