LUKS2 Header Malleability and Null-Cipher Abuse in Confidential VMs
TL;DR
- Many Linux Confidential VMs (CVMs) running on AMD SEV-SNP or Intel TDX use LUKS2 for persistent storage. The on-disk LUKS2 header is malleable and has no integrity protection against storage-adjacent attackers.
- If the header's data segment encryption is set to a null cipher (e.g., "cipher_null-ecb"), cryptsetup accepts it and the guest transparently reads/writes plaintext while believing the disk is encrypted.
- Up to and including cryptsetup 2.8.0, null ciphers could be used for keyslots; since 2.8.1 they are rejected for keyslots with non-empty passwords, but null ciphers remain allowed for volume segments.
- Remote attestation usually measures VM code/config, not mutable external LUKS headers; without explicit validation/measurement, an attacker with disk write access can force plaintext I/O.
Background: LUKS2 on-disk format (what matters for attackers)
- A LUKS2 device starts with a header followed by the encrypted data.
- The header contains two identical copies of a binary section and a JSON metadata section, plus one or more keyslots.
- The JSON metadata describes:
  - the enabled keyslots and their wrapping KDF/cipher
  - the segments that define the data area (cipher/mode)
  - the digests (for example, a hash of the volume key used to verify passphrases)
- Typical secure values: keyslot KDF argon2id; keyslot and data segment encryption aes-xts-plain64.

Quickly inspect the segment cipher directly from the JSON:
```bash
# Read JSON metadata and print the configured data segment cipher
cryptsetup luksDump --type luks2 --dump-json-metadata /dev/VDISK \
  | jq -r '.segments["0"].encryption'
```
Root cause
- LUKS2 headers are not authenticated against storage tampering. An attacker on the host/storage can rewrite the JSON metadata that cryptsetup accepts.
- As of cryptsetup 2.8.0, headers that set a segment's encryption to cipher_null-ecb are accepted. The null cipher ignores keys and returns plaintext.
- Up to 2.8.0, null ciphers could also be used for keyslots (the keyslot opens with any passphrase). Since 2.8.1, null ciphers are rejected for keyslots with non-empty passwords, but they remain allowed for segments. Changing only the segment cipher still results in plaintext I/O even after 2.8.1.
Threat model: why attestation didn't save you by default
- CVMs aim to ensure confidentiality, integrity, and authenticity on an untrusted host.
- Remote attestation usually measures the VM image and launch configuration, not the mutable LUKS header that lives on untrusted storage.
- If your CVM trusts the on-disk header without robust validation/measurement, a storage attacker can change it to a null cipher and your guest will mount a plaintext volume without any error.
Exploitation (requires write access to the storage)

Preconditions:
- Write access to the CVM's LUKS2-encrypted block device.
- The guest uses the on-disk LUKS2 header without robust validation/attestation.

Steps (high level):
- Read the header JSON and identify the data segment definition. Example field: segments["0"].encryption.
- Set the data segment encryption to a null cipher, for example cipher_null-ecb. Leave the keyslot parameters and digest structure unchanged so the guest's usual passphrase still "works."
- Update both header copies and the associated header digests so the header is self-consistent.
- On the next boot, the guest runs cryptsetup, unlocks the existing keyslot with its passphrase, and mounts the volume. Because the segment cipher is a null cipher, all reads/writes are plaintext.

Variant (pre-2.8.1 keyslot abuse): if a keyslot's area.encryption is a null cipher, it opens with any passphrase. Combined with a null segment cipher, this gives seamless plaintext access without knowing the guest's secret.
Robust mitigations (avoid TOCTOU with detached headers)

Always treat on-disk LUKS headers as untrusted input. Use detached-header mode so that validation and opening use the same verified bytes from protected RAM:
```bash
# Copy header into protected memory (e.g., tmpfs) and open from there
cryptsetup luksHeaderBackup --header-backup-file /tmp/luks_header /dev/VDISK
# NAME is a placeholder for the device-mapper name to create (/dev/mapper/NAME)
cryptsetup open --type luks2 --header /tmp/luks_header /dev/VDISK NAME --key-file=key.txt
```
Then enforce one (or more) of the following:
- MAC the entire header
  - Compute and verify a MAC over the entire header before use.
  - Open the volume only when the MAC verifies.
  - Real-world examples: Flashbots tdx-init and Fortanix Salmiac have adopted MAC-based verification.
- Strict JSON validation (preserves backward compatibility)
  - Dump the JSON metadata and validate a strict allow-list of parameters (KDF, ciphers, segment count/type, flags).
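```bash
#!/bin/bash
set -e
# BLOCK_DEVICE and MAPPING_NAME (the /dev/mapper name to create) must be set by the caller
: "${BLOCK_DEVICE:?set BLOCK_DEVICE to the LUKS2 block device}"
: "${MAPPING_NAME:?set MAPPING_NAME to the device-mapper name}"
# Store header in confidential RAM fs
cryptsetup luksHeaderBackup --header-backup-file /tmp/luks_header "$BLOCK_DEVICE"
# Dump JSON metadata header to a file
cryptsetup luksDump --type luks2 --dump-json-metadata /tmp/luks_header > header.json
# Validate the header (set -e aborts here if the validator raises)
python3 validate.py header.json
# Open the cryptfs using key.txt
cryptsetup open --type luks2 --header /tmp/luks_header "$BLOCK_DEVICE" "$MAPPING_NAME" --key-file=key.txt
```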
Example validator (enforce safe fields)

```python
from json import load
import sys

# Load the JSON metadata dumped from the detached header copy
with open(sys.argv[1], "r") as f:
    header = load(f)

# Exactly one keyslot, wrapped with the expected cipher and KDF
if len(header["keyslots"]) != 1:
    raise ValueError("Expected 1 keyslot")
if header["keyslots"]["0"]["type"] != "luks2":
    raise ValueError("Expected luks2 keyslot")
if header["keyslots"]["0"]["area"]["encryption"] != "aes-xts-plain64":
    raise ValueError("Expected aes-xts-plain64 encryption")
if header["keyslots"]["0"]["kdf"]["type"] != "argon2id":
    raise ValueError("Expected argon2id kdf")

# No tokens
if len(header["tokens"]) != 0:
    raise ValueError("Expected 0 tokens")

# Exactly one crypt segment with the expected cipher and no flags
if len(header["segments"]) != 1:
    raise ValueError("Expected 1 segment")
if header["segments"]["0"]["type"] != "crypt":
    raise ValueError("Expected crypt segment")
if header["segments"]["0"]["encryption"] != "aes-xts-plain64":
    raise ValueError("Expected aes-xts-plain64 encryption")
if "flags" in header["segments"]["0"] and header["segments"]["0"]["flags"]:
    raise ValueError("Segment contains unexpected flags")
```

- Measure/attest the header
  - Strip the random salts/digests and measure the sanitized header into TPM/TDX/SEV PCRs or KMS policy state.
  - Release decryption keys only when the measured header matches an approved, safe profile.
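
A sketch of the measure/attest option above, added here as an example (not code from the original page or from cryptsetup): it drops the per-volume random fields from the dumped JSON, hashes a canonical serialization, and shows that the digest is stable across salts but changes when the segment cipher changes. The set of keys treated as volatile and the sample header values are assumptions constructed for illustration.

```python
import hashlib
import json

# Assumption: these keys hold per-volume random values with no policy meaning.
VOLATILE_KEYS = {"salt", "digest"}


def sanitize(node):
    """Recursively drop volatile keys so identical policies hash identically."""
    if isinstance(node, dict):
        return {k: sanitize(v) for k, v in node.items() if k not in VOLATILE_KEYS}
    if isinstance(node, list):
        return [sanitize(v) for v in node]
    return node


def measure_header(header):
    """Hex SHA-256 of a canonical (sorted keys, compact) JSON encoding."""
    canonical = json.dumps(sanitize(header), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sample_header(salt, digest, segment_cipher="aes-xts-plain64"):
    """Constructed sample shaped like `luksDump --dump-json-metadata` output."""
    return {
        "keyslots": {"0": {
            "type": "luks2", "key_size": 64,
            "area": {"type": "raw", "encryption": "aes-xts-plain64", "key_size": 64},
            "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4,
                    "salt": salt},
        }},
        "tokens": {},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "encryption": segment_cipher, "sector_size": 512}},
        "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
                          "hash": "sha256", "salt": salt, "digest": digest}},
    }


if __name__ == "__main__":
    expected = measure_header(sample_header("c2FsdEE=", "ZGlnZXN0QQ=="))
    same_policy = measure_header(sample_header("c2FsdEI=", "ZGlnZXN0Qg=="))
    tampered = measure_header(sample_header("c2FsdEE=", "ZGlnZXN0QQ==", "cipher_null-ecb"))
    print("same policy, new salts match:", expected == same_policy)
    print("null segment cipher matches: ", expected == tampered)
```

KDF cost parameters stay in the measurement here, so volumes that should share one profile need them pinned at format time.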
Operational guidance:
- Enforce detached header + MAC or strict validation; never rely on on-disk headers directly.
- Attestation consumers should reject pre-patch framework versions in allow-lists.
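
The detached header + MAC option, as an added example (not code from the original page, nor from Flashbots tdx-init or Fortanix Salmiac): the header copy in protected memory is authenticated with HMAC-SHA256 before anything parses or opens it. The function names, the 32-byte key and the header bytes are constructed for illustration; it assumes the MAC key and expected tag are provisioned over a channel the storage attacker cannot write to, for example released after attestation.

```python
import hashlib
import hmac
import os
import tempfile


def header_tag(mac_key: bytes, header: bytes) -> bytes:
    """HMAC-SHA256 over the whole header image (binary areas, JSON, keyslots)."""
    return hmac.new(mac_key, header, hashlib.sha256).digest()


def load_verified_header(path: str, mac_key: bytes, expected_tag: bytes) -> bytes:
    """Return the header bytes only if the MAC verifies; raise otherwise.

    `path` must be in guest-private memory (e.g. tmpfs) so the bytes checked
    here are the same bytes cryptsetup later reads via --header.
    """
    with open(path, "rb") as f:
        header = f.read()
    # compare_digest is constant-time, so the check does not leak tag bytes.
    if not hmac.compare_digest(header_tag(mac_key, header), expected_tag):
        raise PermissionError("LUKS2 header MAC mismatch: refusing to open volume")
    return header


def demo() -> dict:
    """Run the check on a constructed header and on a modified copy."""
    mac_key = bytes(range(32))  # constructed key; assumed to come from attestation/KMS
    good = b'LUKS\xba\xbe\x00\x02{"segments":{"0":{"encryption":"aes-xts-plain64"}}}'
    bad = good.replace(b"aes-xts-plain64", b"cipher_null-ecb")
    tag = header_tag(mac_key, good)  # computed once, at provisioning time
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("provisioned", good), ("modified", bad)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(blob)
            try:
                load_verified_header(path, mac_key, tag)
                results[name] = "open"
            except PermissionError:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```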
Notes on versions and maintainer position
- The cryptsetup maintainers clarified that LUKS2 was not designed to provide integrity against storage tampering in this setting; null ciphers are retained for backward compatibility.
- cryptsetup 2.8.1 (Oct 19, 2025) rejects null ciphers for keyslots with non-empty passwords but still allows null ciphers for segments.
Quick checks and triage
- Check whether any segment's encryption is set to a null cipher:

```bash
cryptsetup luksDump --type luks2 --dump-json-metadata /dev/VDISK \
  | jq -r '.segments | to_entries[] | "segment=" + .key + ", enc=" + .value.encryption'
```

- Validate the keyslot and segment algorithms before opening the volume. If you cannot use a MAC, enforce strict JSON validation and open using a detached header from protected memory.
References
- Vulnerabilities in LUKS2 disk encryption for confidential VMs (Trail of Bits)
- cryptsetup issue #954 (null cipher acceptance and integrity considerations)
- CVE-2025-59054
- CVE-2025-58356
- Related context: CVE-2021-4122 (auto-recovery path silently decrypting disks)

