
In recent years, TPM 2.0 hardware has gone from being an obscure piece of hardware to a standard part of any modern computer with UEFI and Secure Boot. This article explains what /dev/tpm0 and /dev/tpmrm0 are and how to use tpm2_pcrread and tpm2_pcrextend (the latter being the actual command name in tpm2-tools), and how they fit into measured boot, disk encryption, and signed PCR policies on Linux.
Useful documentation exists, but it is scattered across systemd man pages, wiki entries, and long posts. Here we gather the key information (PCRs, practical examples, risks and defenses) so that technical people, even those who are not TPM experts, can work with these tools without getting lost in the details.
What TPM 2.0 is and why you might care
The Trusted Platform Module is a security chip that lives on the motherboard (or inside the CPU, as with fTPM/Intel PTT) and acts as a secure store, a random number generator, and a root of trust for the system. It is passive: if you do not use it, it does nothing. But when you integrate it into your boot flow and disk encryption, it provides integrity verification and hardware-protected keys.
In practice, TPM 2.0 gives you two main modes of use for disk encryption: a) generate/store a strong key and protect its use with a PIN backed by a strong lockout; b) enable so-called measured boot, where each boot component is measured into the PCRs, so that the key is "unwrapped" only if the system has not been tampered with (optionally combined with a pre-boot PIN).
/dev/tpm0 and /dev/tpmrm0: differences and when to use each
On Linux you will see two character devices when a TPM 2.0 is present. /dev/tpm0 is the "raw" TPM interface, while /dev/tpmrm0 exposes access through the Resource Manager (which multiplexes clients and manages sessions and resources); it is the one tpm2-tools recommends in most scenarios.
If you are not sure whether a TPM is present, you can check. If /sys/class/tpm/ is empty or the wiki command returns nothing, no TPM is visible: it may not physically exist, or it may be disabled in firmware.
# Is there a TPM 2.0?
ls /sys/class/tpm/
cat /sys/class/tpm/tpm*/tpm_version_major
# Device nodes
ls -l /dev/tpm*
When both device nodes are present, tpm2-tools will normally detect /dev/tpmrm0 and use it automatically. If you need to force a device, most of the tools accept --tcti or honor the TCTI environment variables, but for common tasks this is not usually necessary.
TPM PCRs: how they work and what they measure
Platform Configuration Registers are registers that store hashes (typically SHA-256) of the state of critical components at each boot stage. They are initialized to zero on a power cycle and can only be "extended": never rewritten or cleared (except in debug cases such as PCR 16).
The basic operation is extend: new_value = SHA256(current_value || SHA256(data)). This is how measurements are chained together without leaving room for a reset. This scheme is used to measure firmware, configuration, Secure Boot, the kernel, the initrd, and kernel parameters, among others.
On modern hardware you will see 24 PCRs (0-23). The most relevant ones in a UEFI boot with systemd are:
- PCR 0: firmware code.
- PCR 1: firmware configuration (UEFI settings).
- PCR 7: Secure Boot state and the certificates it trusts.
- PCR 9: initrd(s) measured by the kernel.
- PCR 11: UKI (Unified Kernel Image) and phase markers via systemd-stub/systemd-pcrphase.
- PCR 12: kernel command line.
Reading and extending PCRs with tpm2-tools: tpm2_pcrread and tpm2_pcr_extend
In tpm2-tools, reading is done with tpm2_pcrread and extending with tpm2_pcrextend. You will sometimes see "tpm2_pcr_extend" used to refer to the extend operation, but the actual command in the suite is tpm2_pcrextend.
Viewing the current state of the SHA-256 PCRs is as simple as:
# Read SHA-256 PCRs (examples of commonly used indices)
sudo tpm2_pcrread sha256:0,1,7,9,11,12
# Or all available SHA-256 PCRs
tpm2_pcrread sha256:all
To extend a PCR with the hash of arbitrary data (as a teaching example, the hash of /etc/passwd), compute the SHA-256 and extend with it. Remember: the TPM does not accept large data, only the hash, by limitation and by design.
# 1) Save the hash of /etc/passwd
echo -n "$(sha256sum /etc/passwd | cut -d' ' -f1)" > passwd.sha
# 2) Extend PCR 7 (example) with that hash
sudo tpm2_pcrextend "7:sha256=$(cat passwd.sha)"
# 3) View the new value of PCR 7
tpm2_pcrread sha256:7
If you want to reproduce the extend calculation outside the TPM, concatenate the current PCR value (in binary) with the new hash and apply SHA-256 again to check the result.
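The recomputation described above, as an added example that is not part of the original article: it applies the extend formula offline, checks a before/after pair such as two tpm2_pcrread readings around the /etc/passwd step, and shows that the order of measurements changes the result. The sample file content and events are constructed, and the function names are illustrative.

```python
import hashlib

DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes in the SHA-256 bank
ZERO_PCR = "00" * DIGEST_LEN                # PCR value right after a power cycle


def _to_bytes(hex_value):
    """Decode a hex digest (optional 0x prefix) and enforce the bank's size."""
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) != DIGEST_LEN:
        raise ValueError(f"expected a {DIGEST_LEN}-byte digest, got {len(raw)}")
    return raw


def extend(pcr_hex, digest_hex):
    """new_value = SHA256(current_value || digest), computed on binary values."""
    return hashlib.sha256(_to_bytes(pcr_hex) + _to_bytes(digest_hex)).hexdigest()


def replay(digests, start=ZERO_PCR):
    """Fold a sequence of measurement digests into a single PCR value."""
    value = start
    for digest in digests:
        value = extend(value, digest)
    return value


def check_extend(before_hex, after_hex, data):
    """True if `after` is what the TPM should hold once `before` has been
    extended with SHA256(data)."""
    expected = extend(before_hex, hashlib.sha256(data).hexdigest())
    return _to_bytes(expected) == _to_bytes(after_hex)


# Constructed sample data: stand-ins for a file's content and two boot events.
SAMPLE_FILE = b"root:x:0:0:root:/root:/bin/bash\n"
EVENT_A = hashlib.sha256(b"constructed event A").hexdigest()
EVENT_B = hashlib.sha256(b"constructed event B").hexdigest()

if __name__ == "__main__":
    after = extend(ZERO_PCR, hashlib.sha256(SAMPLE_FILE).hexdigest())
    print("PCR after extend :", after)
    print("matches recompute:", check_extend(ZERO_PCR, after, SAMPLE_FILE))
    # The chain is order-sensitive: swapping two events yields another value.
    print("A,B == B,A       :", replay([EVENT_A, EVENT_B]) == replay([EVENT_B, EVENT_A]))
```

To check a real machine, pass the PCR value read before the extend, the value read after it, and the bytes of the file that was hashed.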
Can a PCR be reset?
Under normal conditions, no. The philosophy is that a PCR only grows through extends. There is one exception: PCR 16 is usually reserved for "debug" and can be reset in certain flows, but it is of no use as a security root for your policy.
Measured Boot, LUKS, and systemd-cryptenroll: putting the pieces together
When you integrate the TPM into your disk encryption, you can "bind" the unlock key to a set of PCRs. If, in the current boot, those PCRs have the same values as when you enrolled the key, the TPM unseals it and the LUKS volume is opened automatically (with or without a pre-boot PIN, depending on your configuration).
This is done conveniently with systemd-cryptenroll and systemd-cryptsetup. The idea is to create your volume, enroll the TPM key, and add a recovery key so that you are not locked out if the measurements change (for example, after a firmware or kernel update).
# Example: create LUKS, enroll the TPM and add a recovery key (pseudo-flow)
# 1) Create the volume with a temporary passphrase
sudo cryptsetup luksFormat /dev/nvme0n1p2
# 2) Enroll the TPM in LUKS using specific PCRs and a PIN
sudo systemd-cryptenroll \
  --tpm2-device=auto \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=1+2+3+4 \
  --wipe-slot=empty \
  /dev/nvme0n1p2
# 3) Add a random recovery key
sudo systemd-cryptenroll --recovery-key /dev/nvme0n1p2
# 4) Open with the TPM, or with the recovery key when needed
systemd-cryptsetup attach root /dev/nvme0n1p2 - tpm2-device=auto
If you cause a mismatch (for example, you extend PCR 4 on purpose), the TPM will no longer release the key and you will need to use the recovery key. You can later re-enroll the TPM with the new current values using --wipe-slot=tpm2 and another run of systemd-cryptenroll.
Which PCRs to choose and why
The more relevant PCRs you bind, the more attack surface you remove, but the more often you will have to re-enroll after legitimate changes. Some practical criteria:
- PCR 7 (Secure Boot): should be very stable if your key set does not change.
- PCR 0/1 (firmware and configuration): these rarely change; they require re-enrollment after a firmware update or a BIOS/UEFI change.
- PCR 9/11/12 (kernel, initrd, UKI and cmdline): these change frequently if you do not use a UKI or a stable signature/policy.
In some setups people bind only PCR 7, relying on Secure Boot to verify the kernel and initrd when they are booted as a signed UKI, and on systemd-boot, which does not allow editing kernel parameters while SB is active. This works, but if your Secure Boot trusts third-party keys (such as Microsoft 3rd Party), it is easy to arrange an alternative boot that preserves PCR 7, so it is not the most restrictive option.
UKI and signed PCR policies: stability without losing security
A practical solution to avoid re-enrolling every time you update the kernel is to use a UKI (Unified Kernel Image) and a signed PCR policy. You generate a key pair, bind the public key to the TPM at enrollment, and sign your UKI after every update. The TPM trusts the signature and allows unlocking even when the specific kernel hash changes.
The systemd-measure tool and the ukify helper make this easy: ukify packages the kernel, initrd and cmdline into a UKI (normally measured into PCR 11) and systemd-measure signs the policy. With mkinitcpio, ukify can be integrated so that signing runs automatically after installation.
# Typical outline (pseudo-commands)
# 1) Create the key pair for the signed PCR policy
openssl genpkey -algorithm RSA -out /etc/kernel/pcr-initrd.key.pem -pkeyopt rsa_keygen_bits:3072
# Export the public key as PEM (--tpm2-public-key= takes a PEM public key, not an X.509 certificate)
openssl rsa -in /etc/kernel/pcr-initrd.key.pem -pubout -out /etc/kernel/pcr-initrd.pub.pem
# 2) Configure ukify/mkinitcpio to build the UKI and sign the policy
# (see man ukify and systemd-measure for the parameters)
# 3) Enroll in LUKS, binding PCRs and the policy's public key
sudo systemd-cryptenroll \
  --tpm2-device=auto \
  --wipe-slot=tpm2 \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=0+1+2+7 \
  --tpm2-public-key=/etc/kernel/pcr-initrd.pub.pem \
  --tpm2-public-key-pcrs=11 \
  /dev/nvme0n1p2
This way your policy stays stable across kernel/initrd changes as long as you keep signing the UKI with your key. If you renew the keys or change the PCR set, you will need to re-enroll.
Examples of measurement chains with systemd
During boot, systemd-stub and systemd-pcrphase extend PCRs at specific moments. For example, "enter-initrd" is recorded in PCR 11, allowing the unlock to be valid only inside the initrd (reducing the vectors where an attacker tries to reuse the key later).
On systems with a UKI, the contents of the UKI are measured into PCR 11; on systems without a UKI, the kernel measures the initrds into PCR 9 and the bootloader can measure the cmdline into PCR 12. Make sure your policy covers the initrd and the cmdline, otherwise someone could backdoor the initrd or boot with a malicious cmdline such as init=/bin/bash.
Real risks: cold boot, TPM sniffing, and more
What can go wrong? Several things you should know about when threat modeling. Cold boot attacks are still viable: if the unlock is fully automatic, an attacker can repeat attempts without limit. The sensible mitigation is to require a pre-boot PIN (PBA), which reduces attempts to one per power cycle.
Another class is attacks on the TPM bus. The CPU requests the key and the TPM sends it; if the link is tapped, the key can leak. To counter this, systemd implements "parameter encryption" so that the exchange is encrypted; alternatively, using an fTPM/Intel PTT or encrypted memory reduces exposure. There are affordable public demonstrations (even with microcontrollers) that show feasibility on laptops from major brands.
There have also been academic and practical vulnerabilities: TPM-Fail, faultTPM (with notable impact on AMD) and the bitpixie case (CVE-2023-21563). This does not mean the TPM is useless, but you should keep your firmware up to date, understand your threat model, and not trust it blindly.
BitLocker's position against these threats
In the Windows world, the most widespread disk encryption is BitLocker. It has been noted that its default configuration (automatic unlock with TPM only) leaves the door open to both cold boot and TPM channel sniffing, because it does not implement systemd-style parameter encryption. This leaves some corporate machines vulnerable to attack within minutes.
The recommendation there is to enable pre-boot authentication via policy/registry or the CLI, something that is not sufficiently exposed to the average user. Also remember to check where the recovery key is stored: it often lives in the user's Microsoft account, which is another risk angle if left unmanaged.
Offensive/defensive technique: replacing the LUKS root to force your password
There is an interesting vector when there is no pre-boot authentication. An attacker can clone the real LUKS partition, swap it for another LUKS volume with the same UUID and a password they know, and power on the machine. Because the PCR measurements match, the TPM releases the key, but it does not fit the fake LUKS volume, so the initrd prompts for the "recovery" key. Once the attacker enters the password they know, the system runs as root inside the initrd, and the theft of the original key can then be orchestrated (for example, by mounting the real copy over the network and using systemd-cryptsetup).
Clear mitigations: enable pre-boot authentication, let systemd-pcrphase bind unlocking strictly to the initrd phase, and consider measuring/binding the LUKS volume as well (this requires careful design to avoid vicious circles).
Choosing a partitioning scheme and a second key: best practice
Keeping a recovery key is mandatory: if the TPM or the motherboard dies, your TPM-bound key is useless. LUKS allows multiple slots (the TPM uses one, recovery uses another). In addition, separating / and /home has advantages: you can apply strict measurement with the TPM to / and use a strong key or a FIDO2/YubiKey device for /home, reducing overall trust in a single mechanism.
What happens if you update the firmware or kernel?
If you change the firmware or touch UEFI options, PCRs such as 0/1 will change and the TPM will not release the key until you re-enroll. For the kernel and initrd, changes are frequent. If you do not use a UKI with a signed policy, every update may force you to use the recovery option and re-enroll afterwards. With a signed UKI, you just sign and that's it.
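To make the trade-off from "Which PCRs to choose and why" and the update behaviour above concrete, here is an added example (not from the original article) that compares a PCR snapshot saved at enrollment with a current one and reports which literally bound PCRs drifted. The text layout assumed for tpm2_pcrread output, the sample values and the function names are assumptions; PCRs covered by a signed policy (such as PCR 11) are not literal bindings and would not be listed in `bound`.

```python
import re

# PCR roles as listed in this article (UEFI boot with systemd).
PCR_ROLE = {
    0: "firmware code",
    1: "firmware configuration (UEFI settings)",
    7: "Secure Boot state and trusted certificates",
    9: "initrd(s) measured by the kernel",
    11: "UKI and systemd-stub/systemd-pcrphase phase markers",
    12: "kernel command line",
}
_ROW = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text, bank="sha256"):
    """Parse tpm2_pcrread text output into {index: lowercase hex} for one bank."""
    values, current = {}, None
    for line in text.splitlines():
        row = _ROW.match(line)
        if row is None:
            if line.strip().endswith(":"):
                current = line.strip()[:-1]   # bank header, e.g. "sha256:"
            continue
        if current == bank:
            values[int(row.group(1))] = row.group(2).lower()
    return values


def drift(enrolled, current, bound):
    """(index, role) for each bound PCR that no longer matches its enrolled value."""
    return [(i, PCR_ROLE.get(i, "not covered in this article"))
            for i in bound
            if i not in enrolled or enrolled[i] != current.get(i)]


def _sample(values):
    """Constructed text in the layout assumed for tpm2_pcrread output."""
    rows = "".join(f"    {i} : 0x{v.upper()}\n" for i, v in sorted(values.items()))
    return "  sha256:\n" + rows


# Constructed snapshots: firmware (PCR 0) and UKI (PCR 11) changed after updates.
ENROLLED = _sample({0: "a0" * 32, 1: "a1" * 32, 7: "a7" * 32, 11: "b1" * 32})
AFTER_UPDATE = _sample({0: "c0" * 32, 1: "a1" * 32, 7: "a7" * 32, 11: "d1" * 32})

if __name__ == "__main__":
    old, new = parse_pcrread(ENROLLED), parse_pcrread(AFTER_UPDATE)
    for bound in ([7], [0, 1, 7], [0, 1, 7, 11]):
        changed = drift(old, new, bound)
        verdict = "recovery key, then re-enroll" if changed else "values still match"
        print(bound, "->", verdict, changed)
```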
Community notes and observations
In some popular guides for certain distributions, binding only PCR 7 is recommended whenever a UKI and systemd-boot are used, relying on Secure Boot's safeguards and the inability to edit the cmdline. It works, but there are risks if you trust third parties. A bug was also documented in the past where pressing Enter would bring up a recovery shell after unlocking; it is best to keep your versions up to date to avoid surprises.
Interesting comments were shared in 2025/06: faultTPM continues to affect AMD to some extent; wikis have added specific sections on signed PCR policies; and the installer of a distribution that offers FDE with TPM as an experimental feature was tested, with some practical hiccups (needing recovery on first boot, dependence on snaps, double disk encryption), a topic that deserves deeper analysis.
A follow-up focused on disk encryption on Windows was published in 2025/07. The overall conclusion reinforces the need for PBA and for encrypting the TPM channel, as well as limiting reliance on third-party keys in Secure Boot.
Practical tips with tpm2-tools and systemd
For everyday use: install tpm2-tools and tpm2-tss. Use /dev/tpmrm0 by default, and tpm2_pcrread/tpm2_pcrextend to test and experiment with PCRs. Avoid extending PCRs with arbitrary data: do this in labs or use PCR 16 for testing.
When enrolling with systemd-cryptenroll: --tpm2-device=auto detects the TPM; --tpm2-with-pin adds PBA; --tpm2-pcrs=… selects your PCRs; --tpm2-public-key=… and --tpm2-public-key-pcrs=… enable a signed PCR policy (for example, bound to PCR 11 for a UKI). Don't forget --wipe-slot when you want to clean out a previous slot.
If you have no TPM and systemd makes you wait at boot
Occasionally, after an update, a service tries to use the TPM even though your machine exposes none, causing timeouts at boot. First check that no /dev/tpm* appears and that there are no entries in /sys/class/tpm.
# Quick check
ls /dev/tpm*
ls /sys/class/tpm/
If there is no TPM, check that your /etc/crypttab has no options such as tpm2-device=auto. If it does, remove them and rebuild your initrd. You can also disable the measurement phase on machines without a TPM:
# 1) Remove TPM references from /etc/crypttab and regenerate the initrd
sudo mkinitcpio -P # (or dracut/rebuildinitrd depending on the distro)
# 2) Prevent the TPM modules from loading if the firmware advertises something odd
echo -e "blacklist tpm\nblacklist tpm_tis\nblacklist tpm_crb" | sudo tee /etc/modprobe.d/no-tpm.conf
# 3) Optional: disable pcrphase if it gives you trouble
sudo systemctl mask systemd-pcrphase.service
This removes the pointless wait if your hardware has no TPM. If you later enable the TPM in the BIOS/UEFI, remove the blacklist and unmask the unit to restore measurements.
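The crypttab check from the procedure above, as an added example that is not part of the original article: it finds entries whose options reference a TPM and produces a cleaned copy for review. The sample crypttab content (UUID, devices, key path) is constructed and the function names are illustrative; the script only returns text and never writes to /etc/crypttab.

```python
import os


def has_tpm(sysfs="/sys/class/tpm"):
    """True if the kernel exposes at least one TPM under sysfs."""
    try:
        return bool(os.listdir(sysfs))
    except OSError:
        return False


def tpm_entries(crypttab_text):
    """Return [(volume, [tpm2-* options])] for entries that reference a TPM."""
    hits = []
    for line in crypttab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        opts = [o for o in fields[3].split(",") if o.startswith("tpm2-")]
        if opts:
            hits.append((fields[0], opts))
    return hits


def strip_tpm_options(crypttab_text):
    """Return the text with tpm2-* options removed; untouched lines stay as-is."""
    out = []
    for line in crypttab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#"):
            opts = fields[3].split(",")
            kept = [o for o in opts if not o.startswith("tpm2-")]
            if len(kept) != len(opts):
                line = "\t".join(fields[:3] + ([",".join(kept)] if kept else []))
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed /etc/crypttab content (UUID, devices and key path are placeholders).
SAMPLE_CRYPTTAB = """\
# name  device  keyfile  options
root  UUID=00000000-0000-0000-0000-000000000000  -  tpm2-device=auto,discard
home  /dev/sdb1  /etc/keys/home.key  luks
swap  /dev/sdb2  -  tpm2-device=auto,tpm2-pcrs=7
"""

if __name__ == "__main__":
    if not has_tpm():
        for volume, opts in tpm_entries(SAMPLE_CRYPTTAB):
            print(f"{volume}: references a TPM that is not present: {opts}")
        print(strip_tpm_options(SAMPLE_CRYPTTAB), end="")
```

An entry that loses its TPM options needs another unlock method (passphrase, key file or recovery key) enrolled before the initrd is rebuilt.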
Good practices and decision-making
Some people distrust the TPM because it is a "black box", like self-encrypting drives. That is a reasonable doubt. Weigh your threat model and balance usability, privacy, and maintenance. For many people, TPM + PBA + a signed UKI is a big security leap without excessive friction.
On hardware that allows it, add encrypted memory and avoid relying on third-party keys in Secure Boot; restrict the chain to your own keys whenever possible. Keep firmware and kernel up to date to pick up mitigations for published vulnerabilities.
Mastering /dev/tpm0, /dev/tpmrm0, and the tpm2_pcrread/tpm2_pcr_extend operations opens the door to measured boot and robust disk encryption on Linux; with a UKI and a signed PCR policy you get operational stability, and adding a pre-boot PIN also protects you against more practical attacks. The key is to choose PCRs well, sign what changes often, and always keep a good recovery key.