Recently, a new attack technique was presented in NIXOS that allows unauthorized access to data on encrypted disk sections without requiring the unlock password when booting up. This technique takes advantage of the Trusted Platform Module (TPM2) for decoding, which is commonly used in server or multi-user workstation configurations where manually entering a password after each reboot is inconvenient.
When using this method of encryption, decoding is done using an additional key stored in the TPM, which is only released when the initial system state is confirmed. The system state is stored in the Platform Configuration Registers (PCR) as a hash and is tied to a digital signature that verifies the bootloader and the initial loading environment (Initrd). Access to the key in TPM is granted only when all the attached PCR registers are in the same state as when the key was created.
The loading chain of the operating system is verified using UEFI Secure Boot, and access to the keys can only be obtained from an unmodified Initrd image. If the check is successful, the disk is automatically decrypted, but access to the decrypted data is only granted after logging into the system. Attempting to access the keys without proper verification or tampering with the Initrd image will violate the trust chain, disrupt the PCR registers’ state, and prevent TPM2 from providing the necessary information for decryption.
This attack method enables access to encrypted LUKS sections without needing to identify them, which is not commonly described in setup instructions as it complicates the configuration. The demonstration of this attack was carried out on Fedora Linux with the clevis instrument and on NIXOS. However, physical access to the computer and the ability to extract the drive are necessary prerequisites for the attack.
The attacker’s approach involves replacing the existing encrypted root section with their own encrypted section using the same UUID identifier and known decryption keys. By transferring the Init process to the attacking section within the unchanged Initrd environment, the attacker gains control without violating the TPM state, allowing them to use TPM to decrypt the original disk section.