opsecfail

Kurşungeçirmez Arch Linux kurulumu

2025-02-03

WIP

https://wiki.archlinux.org/title/Installation_guide

Disk bölümlendirme §

fdisk /dev/nvme0n1
/dev/nvme0n1p1 /efi  512M FAT32 type:1
/dev/nvme0n1p2 /     32G  BTRFS type:23
/dev/nvme0n1p3 /home 100% BTRFS type:42

Disk biçimlendirme §

mkfs.fat -F 32 /dev/nvme0n1p1
cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 root
mkfs.btrfs /dev/mapper/root
mkfs.btrfs /dev/nvme0n1p3
mount /dev/nvme0n1p2 /mnt
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi
mkdir /mnt/home
mount /dev/nvme0n1p3 /mnt/home
pacstrap -K /mnt base linux linux-firmware intel-ucode btrfs-progs dosfstools efibootmgr sbctl tpm2-tools neovim man-db iwd
  1. base: temel Arch paketleri.
  2. linux: Linux cekirdegi.
  3. linux-firmware: Linux firmware dosyalari. Kablosuz ag adaptorunun calismasi icin gerekli.
  4. intel-ucode: Intel islemciler icin yazilim guncellemeleri.
  5. btrfs-progs: BTRFS dosya sistemi icin araclar.
  6. dosfstools: FAT dosya sistemi icin araclar.
  7. sbctl: Secure Boot anahtarlarimizi yonetmek ve bu anahtarlarla UKI (Unified Kernel Image) dosyalarini imzalamak icin gerekli.
  8. efibootmgr: UEFI boot entry’leri olusturmak icin gerekli. Her cihazdaki UEFI implementasyonu gerektigi gibi duzgun calismayabiliyor, bu durumda systemd-boot kullanilabilir.
  9. tpm2-tools: systemd-cryptenroll ile TPM kullanarak sifreli / (root) bolumunu otomatik olarak desifre ettirmek icin gerekli bagimlilik.
  10. neovim: Konfigurasyon dosyalarini duzenlemek icin bir metin editoru.
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/Turkey /etc/localtime
nvim /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "KEYMAP=us" > /etc/vconsole.conf
echo "a315" > /etc/hostname

mkinitcpio ayarları §

/etc/mkinitcpio.conf.d/hooks.conf

HOOKS=(base systemd autodetect modconf keyboard sd-vconsole sd-encrypt block filesystems)

/etc/mkinitcpio.d/linux.preset

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"

PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux.img"
default_uki="/efi/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
fallback_image="/boot/initramfs-linux-fallback.img"
fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
mkdir --parents /efi/EFI/Linux
mkinitpcio --allpresets
systemctl enable systemd-homed systemd-timesyncd systemd-networkd systemd-resolved iwd
passwd root
efibootmgr --delete-bootnum --bootnum 0000
efibootmgr --delete-bootnum --bootnum 0001
efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader '\EFI\Linux\arch-linux.efi'
efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader '\EFI\Linux\arch-linux-fallback.efi'
efibootmgr --bootorder 0000,0001
exit
umount -R /mnt
reboot
sbctl create-keys
sbctl enroll-keys
sbctl sign --save /efi/EFI/systemd/systemd-bootx64.efi
sbctl status
reboot
systemd-cryptenroll /dev/gpt-auto-root-luks --tpm2-device=auto --tpm2-pcrs=0+7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000 /dev/nvme0n1p2
reboot

Only binding to PCRs measured pre-boot (PCRs 0-7) opens a vulnerability from rogue operating systems. A rogue partition with metadata copied from the real root filesystem (such as partition UUID) can mimic the original partition. Then, initramfs will attempt to mount the rogue partition as the root filesystem (decryption failure will fall back to password entry), leaving pre-boot PCRs unchanged. The rogue root filesystem with files controlled by an attacker is still able to receive the decryption key for the real root partition. See Brave New Trusted Boot World and BitLocker documentation for additional information.

A solution for the root volume is to bind to an empty PCR 15 using –tpm2-pcrs=other_pcrs+15:sha256=0000000000000000000000000000000000000000000000000000000000000000. If you set any rd.luks kernel parameters or use /etc/crypttab.initramfs, additionally add the tpm2-measure-pcr=yes option to rd.luks.options= or the fourth field in /etc/crypttab.initramfs; this is not required when relying on GPT partition automounting. After the root volume is unlocked in early userspace, PCR 15 will change and the enrolled key will no longer be retrievable.

https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

https://news.ycombinator.com/item?id=42734355

homectl create opsecfail --storage=luks --fs-type=btrfs --member-of=wheel,tss,input