#3355 PR open: Storing and reading Self Encrypted Disk (SED) password from TPM
Labels: enhancement
prolez opened issue at 2024-12-04 14:11:
Relax-and-Recover (ReaR) Pull Request Template
Please fill in the following items before submitting a new pull request:
Pull Request Details:
- Type: Enhancement
- Impact: Low
- Reference to related issue (URL): https://github.com/rear/rear/issues/3074
- How was this pull request tested? on production environment
- Description of the changes in this pull request: Add functions in unlock-opal-disks to offer storing password in TPM2
jsmeix commented at 2024-12-06 13:46:
@prolez
thank you for your enhancement for ReaR!
We are currently in the final process of releasing ReaR 2.8,
cf.
https://github.com/rear/rear/issues/3238#issuecomment-2516532775
so we cannot include this PR in the current ReaR 2.8.
We will have a look for the subsequent ReaR 3.0.
I am not a SED user so I cannot try out things on my own.
I can only comment from what I notice from plain looking
at the code changes of this pull request in
https://github.com/rear/rear/pull/3355/files
I notice at_password
and when I see something like
"password" or "encryption" or "key" in the code
it indicates the code deals with some kind of "secret value"
and then I am wondering if the code deals sufficiently well
with secrets.
See the initial comments in usr/share/rear/conf/default.conf
currently online at
https://github.com/rear/rear/blob/master/usr/share/rear/conf/default.conf#L13
how to deal sufficiently well with secrets.
See also the function LogSecret() in
usr/share/rear/lib/_input-output-functions.sh
currently online at
https://github.com/rear/rear/blob/master/usr/share/rear/lib/_input-output-functions.sh#L462
See also our "Relax-and-Recover Security Architecture" document at
https://relax-and-recover.org/documentation/security-architecture
which reads (excerpt)
To facilitate protecting secrets even from
verbose tracing of the Bash scripts (set -x),
it is important to wrap statements
that handle secrets like this:
# set a variable with a secret
{ VAR='secret_value' ; } 2>>/dev/$SECRET_OUTPUT_DEV
# use the variable with the secret
{ COMMAND $SECRET_ARGUMENT ; } 2>>/dev/$SECRET_OUTPUT_DEV
For an example how the latter is used see
usr/share/rear/rescue/default/500_ssh.sh
online at
https://github.com/rear/rear/blob/master/usr/share/rear/rescue/default/500_ssh.sh
For an example how the latter is used to get user input
in a confidential way, see the comment of the UserInput function
in usr/share/rear/lib/_input-output-functions.sh
currently online at
https://github.com/rear/rear/blob/master/usr/share/rear/lib/_input-output-functions.sh#L1090
To verify that your code deals sufficiently well with secrets
run it in ReaR debugscript mode with '-D' e.g. like
# rear -D mkrescue
and then carefully inspect your ReaR log file
and verify that no secret value appears therein.
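The wrapping pattern quoted in the comment above, together with the log check it recommends, as an added example that is not part of the thread or of ReaR's code: it runs an unprotected and a wrapped snippet under `bash -x` (standing in for `rear -D`) and searches each trace for the secret. The secret value, both snippets, and the helper names `trace_of` and `leaks_secret` are constructed for illustration, and `SECRET_OUTPUT_DEV=null` is an assumed setting.

```bash
#!/usr/bin/env bash
# Added illustration, not ReaR code. All names and values here are constructed.
SAMPLE_SECRET='constructed-SED-pw-1234'   # sample value, not a real password

# Statements that handle the secret without protection.
UNWRAPPED='
PW="$SECRET_IN"
printf "%s" "$PW" >/dev/null
echo done
'

# The same statements wrapped as the security architecture excerpt shows:
# stderr (where xtrace goes) is redirected for the duration of each group.
WRAPPED='
{ PW="$SECRET_IN" ; } 2>>/dev/$SECRET_OUTPUT_DEV
{ printf "%s" "$PW" >/dev/null ; } 2>>/dev/$SECRET_OUTPUT_DEV
echo done
'

# Run a snippet with xtrace on and print only the trace (stderr).
# SECRET_OUTPUT_DEV=null is an assumption standing in for ReaR's setting.
trace_of() {
    SECRET_IN="$SAMPLE_SECRET" SECRET_OUTPUT_DEV=null \
        bash -x -c "$1" 2>&1 >/dev/null
}

# Succeed (exit 0) when the secret appears in the given trace text.
leaks_secret() {
    printf '%s\n' "$1" | grep -qF -- "$SAMPLE_SECRET"
}

for name in UNWRAPPED WRAPPED; do
    eval "snippet=\$$name"
    if leaks_secret "$(trace_of "$snippet")"; then
        echo "$name: secret found in trace"
    else
        echo "$name: trace is clean"
    fi
done
```

The unwrapped snippet leaks the value twice, once in the assignment and once as the command argument, while the wrapped one still traces `echo done` but nothing that touches the secret.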
[Export of Github issue for rear/rear.]