Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2016-4484: Cryptsetup Initrd root Shell

Hector Marco & Ismael Ripoll - Cybersecurity Group (posted 2 years ago)
  • Cryptsetup is the tool that unlocks the system partition when using the Linux Unified Key Setup (LUKS). This is all about full disk encryption.
  • When Linux boots, a small early file system called the initramfs runs after the bootloader (e.g. GRUB) has loaded the kernel but before the real root file system is mounted. It initializes the hardware, locates the root partition and, with LUKS, decrypts it. So by design the initramfs is where the main file system gets unlocked.
  • With LUKS, a user must enter a passphrase, or one is supplied automatically, for example by a TPM. If it fails, the user can try again. After three failures the passphrase sequence starts over, and after roughly 30 rounds of that on x86 machines the boot process concludes the root device is never going to appear and treats the system as broken.
  • What should the system do when it thinks it is broken? By default it drops into an initramfs shell, i.e. a root shell inside the initramfs environment. From there you can modify the initramfs, resume the boot process and more. That is reasonable recovery behaviour for an unencrypted system, but it is NOT supposed to happen when LUKS is protecting the file system.
  • This is where the bug lies. The shell-script check that is supposed to act once the maximum number of attempts has been reached does not take the intended path: the failure falls through, and the system ends up in the shell when it should not.
  • What can you actually do from that shell? The LUKS volume itself is still locked, so the encrypted data is not exposed directly; the damage comes from the unencrypted boot path. By modifying the initramfs you can change the boot procedure, e.g. plant code that runs the next time the legitimate user unlocks the disk. Worse, on systems that auto-unlock via a TPM, the boot policies that normally restrict when the file system may be decrypted can be bypassed.
  • How do you trigger it? Press Enter at the LUKS passphrase prompt about 93 times. The authors attribute the bug to new features being added without considering how they interact with the rest of the boot sequence. As the saying goes, "Complexity is the worst enemy of security." Overall, a good post on boot security.
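To make the control flow concrete, here is an added shell simulation of that logic. It is not the Debian initramfs or cryptroot script and not code from Marco and Ripoll's post; the passphrase "hunter2", the try limit of 3, the 30 outer rounds and all function names are constructed for the example, and the "hardened" variant is an illustrative fail-closed shape rather than the distribution's actual patch.

```shell
#!/bin/sh
# Simulation of the retry logic described above: an inner "unlock the LUKS
# root" loop with a per-run try limit, called repeatedly by an outer
# "wait for the root device" loop that finally panics into a shell.
# This is not the Debian cryptroot script; all values below are constructed.

CORRECT_PASS="hunter2"   # constructed passphrase for the simulation
CRYPTTRIES=3             # tries per run of the unlock script (the post's figure)
ROOTDELAY_ROUNDS=30      # outer rounds before the boot gives up (x86 figure from the post)

PROMPTS=0                # how many passphrase prompts the "attacker" has seen
BOOT_OUTCOME=""          # booted | shell | halted

# Stub for cryptsetup: succeeds only with the right passphrase.
try_unlock() {
    [ "$1" = "$CORRECT_PASS" ]
}

# Stand-in for the initramfs panic(): the point that hands out a root shell.
panic() {
    BOOT_OUTCOME="shell"
}

# Vulnerable shape: after CRYPTTRIES failures, report failure to the caller
# and let it decide, exactly as if the device simply had not shown up yet.
unlock_vulnerable() {    # $1 = passphrase typed at the prompt ("" = just Enter)
    count=0
    while [ "$count" -lt "$CRYPTTRIES" ]; do
        count=$((count + 1))
        PROMPTS=$((PROMPTS + 1))
        if try_unlock "$1"; then
            return 0
        fi
    done
    return 1             # tries exhausted, but nothing stops the boot here
}

# Caller modelled on the device-wait loop: each round re-runs the unlock
# script, so the attacker gets CRYPTTRIES fresh prompts per round, and the
# exhausted-tries path ends in panic() -> shell.
boot_vulnerable() {
    PROMPTS=0; BOOT_OUTCOME=""
    round=0
    while [ "$round" -lt "$ROOTDELAY_ROUNDS" ]; do
        round=$((round + 1))
        if unlock_vulnerable "$1"; then
            BOOT_OUTCOME="booted"
            return 0
        fi
    done
    panic                # "root device does not exist, dropping to a shell"
    return 1
}

# Hardened shape (illustrative fix, not Debian's patch): exhausting the tries
# is a terminal condition. Here it is recorded as "halted"; a real initramfs
# would halt or reboot instead of returning to the caller.
unlock_hardened() {
    count=0
    while [ "$count" -lt "$CRYPTTRIES" ]; do
        count=$((count + 1))
        PROMPTS=$((PROMPTS + 1))
        if try_unlock "$1"; then
            return 0
        fi
    done
    BOOT_OUTCOME="halted"
    return 2
}

boot_hardened() {
    PROMPTS=0; BOOT_OUTCOME=""
    round=0
    while [ "$round" -lt "$ROOTDELAY_ROUNDS" ]; do
        round=$((round + 1))
        if unlock_hardened "$1"; then
            BOOT_OUTCOME="booted"
            return 0
        fi
        if [ "$BOOT_OUTCOME" = "halted" ]; then
            return 2     # the unlock script ended the boot; never reach panic()
        fi
    done
    panic
    return 1
}

# Demo: an attacker who only presses Enter (empty passphrase) at every prompt.
boot_vulnerable "" || true
echo "vulnerable: outcome=$BOOT_OUTCOME after $PROMPTS prompts"
boot_hardened "" || true
echo "hardened:   outcome=$BOOT_OUTCOME after $PROMPTS prompts"
```

With the constructed figures the vulnerable path hands out a shell after 3 x 30 = 90 prompts, in the same region as the roughly 93 Enter presses the post reports, while the hardened path stops after the first exhausted round. The design point is that the script enforcing the retry limit must itself end the boot; handing a failure code to a caller whose fallback for "device missing" is an interactive shell turns a rate limit into a root shell.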