
On my laptop I've set up a BIOS password that is asked when I power on the laptop, and once I enter it the laptop starts my Linux distro and decrypts the disk without asking for any other password. To do this I've set up the TPM to automatically decrypt the disk if the PCRs are unaltered.

But now I'm playing with the TPM's PCRs in order to prevent a thief who steals my laptop (which has a BIOS password when you power it on) from booting anything. I wanted to set a PCR to change when the UEFI state changes (so also when a potential thief resets the CMOS, which resets the UEFI and so removes the BIOS password), so that my Linux distro prompts for the decryption password and the thief can't do anything.

But I tried with PCR1, which should be related to UEFI settings, and if I change anything in the UEFI settings, nothing changes. So I tried ALL THE PCRs, and none of them change if I edit the UEFI settings. Why? Is there something I can do to block the possibility of resetting the CMOS and booting the laptop?

EDIT: Since all this does not work and the PCRs do not consider BIOS/UEFI changes etc... I reflected that, instead of using the TPM just to avoid being asked for the decryption password, I'll just disable Secure Boot, not use the TPM, and enter the disk decryption password. BUT instead of entering two passwords (BIOS boot password and disk decryption password), I replaced the BIOS boot password with the BIOS SETTINGS password (so it asks me ONLY when I want to access the BIOS or want to change the boot order), and so I ONLY HAVE ONE password to enter when I power on the laptop: the disk decryption one :)

  • If you have the firmware locked down, and a malicious party is unable to modify the boot order, then they will only ever be able to boot to the operating system you have previously configured. Have you actually confirmed you can reset the firmware settings without entering the password? I bet you will find that, in order to reset the firmware settings, you will actually be prompted for the password.
    – Ramhound
    Commented Nov 16, 2023 at 18:25
  • Why are you doing this with a BIOS password? The thief only needs to take your disk to get your data. I would suggest to use VeraCrypt or similar to put the password instead on your disk.
    – harrymc
    Commented Nov 16, 2023 at 20:25
  • @harrymc the disk is encrypted, so the thief can't access my data, I think
    – Allexj
    Commented Nov 16, 2023 at 21:05
  • Did you have a key that does not bind to any PCR enrolled to LUKS (and the TPM) before you enrolled more that bind to one or more PCRs? Did you have the non-PCR-binding key(s) removed if that's the case? (Keys might bind to PCR 7 anyway though.) Either way, try to remove all the keys that were enrolled to the TPM from LUKS and enroll one that binds to PCR 7, and see if toggling the Secure Boot setting would cause it to ask for a password. (Just as a test to see if you are doing things right and if the mechanism works in general.)
    – Tom Yan
    Commented Nov 17, 2023 at 4:03
  • It does seem PCR 1 is not really reliable anyway, and user-configurable settings might not be part of what it "tracks": community.intel.com/t5/Intel-NUCs/… (I suppose it ultimately depends on the implementation of the specific UEFI firmware. Not even sure how the "standard", if there's any, mandates it to be implemented in this regard.)
    – Tom Yan
    Commented Nov 17, 2023 at 4:05
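The question ("I tried ALL THE PCRs, and none of them change") and Tom Yan's suggested test (toggle Secure Boot and see whether PCR 7 moves) both come down to the same check: take a snapshot of the PCR bank before and after a firmware change and diff it, rather than guessing which PCR a given firmware extends. The script below is an added example, not code from the original post or from any of the commenters. It assumes the `tpm2_pcrread sha256` output layout from tpm2-tools (a bank header line followed by `  <index> : 0x<digest>` lines); the two snapshots embedded in it are constructed sample data in that layout, with only PCR 7 differing, so it runs offline. On a real machine you would produce the snapshots with `tpm2_pcrread sha256 > pcr-before.txt`, change one UEFI setting, reboot, and write `pcr-after.txt` the same way; whatever indices the script prints are the only ones worth binding the LUKS key to (for example via `systemd-cryptenroll --tpm2-pcrs=`), because a PCR that never moves cannot detect the change.

```shell
#!/bin/sh
# Added example (not from the original post): diff two TPM PCR snapshots and
# print the indices whose digests changed. Real snapshots come from
#   tpm2_pcrread sha256 > pcr-before.txt   # then change a UEFI setting, reboot
#   tpm2_pcrread sha256 > pcr-after.txt
# The snapshots written by write_sample_snapshots are CONSTRUCTED sample data in
# tpm2_pcrread's layout (assumption), where only PCR 7 differs, as it would
# after toggling Secure Boot on firmware that implements PCR 7 per spec.

write_sample_snapshots() {
    cat > "$1" <<'EOF'
sha256:
  0 : 0x1111111111111111111111111111111111111111111111111111111111111111
  1 : 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  7 : 0xB1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1
EOF
    cat > "$2" <<'EOF'
sha256:
  0 : 0x1111111111111111111111111111111111111111111111111111111111111111
  1 : 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  7 : 0xB2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2
EOF
}

# changed_pcrs BEFORE AFTER
# Prints, one per line, every PCR index whose digest differs between the two
# files (or is present in AFTER but missing from BEFORE). Lines that do not
# look like "  <index> : 0x<hex>" (bank headers, blanks) are ignored.
changed_pcrs() {
    awk '
        /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]*0x/ {
            if (FNR == NR) { before[$1] = $3 }          # first file: record digests
            else if (before[$1] != $3) { print $1 }     # second file: report drift
        }
    ' "$1" "$2"
}

# Stand-alone demo: write the sample snapshots to a temp dir and diff them.
demo_dir=$(mktemp -d)
write_sample_snapshots "$demo_dir/pcr-before.txt" "$demo_dir/pcr-after.txt"
echo "PCRs that changed between the two snapshots:"
changed_pcrs "$demo_dir/pcr-before.txt" "$demo_dir/pcr-after.txt"
rm -rf "$demo_dir"
```

Reading the result: an empty list after a settings edit means that firmware does not extend any PCR for that change, which is exactly the situation the question describes, and no PCR policy on the LUKS key can catch it; a CMOS reset is then invisible to the TPM and the fallback is what the EDIT settled on, a disk passphrase that does not depend on firmware state. If PCR 7 shows up after toggling Secure Boot, Tom Yan's test passed and binding to PCR 7 will at least force the passphrase when Secure Boot is disabled.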
