Dell Venue 11 Pro (7139) as a Linux Tablet – with full disk encryption!

I can't stomach the "telemetry" in Windows 10, and wanted a cheap hybrid laptop / tablet for when I go travelling. I really love the concept of the Dell Venue 11, and managed to pick up a mint-condition second-hand i5 / 250 GB SSD / 8 GB RAM model, complete with keyboard and docking station, for NZ$400 including shipping.

A couple of years ago I struggled to get an i3 model working with Linux (touch-screen and WiFi), and I'm quite happy with how far things have come: all the hardware worked out of the box on Ubuntu 16.04.2 (partly, I suspect, because this unit came with an Intel AC WiFi adaptor). Unfortunately it did not work well as a tablet.

There are two enhancements I've implemented which I believe make the unit a usable tablet:

Full Disk Encryption

Credit where it's due: the idea came from https://ranzbak.nl/tpmluks/, which I used as a starting point. Unfortunately it needed quite a bit of work: extracting the initrd and rebuilding it by hand is not ideal, and it hashes the PCRs with MD5, whereas here SHA-1 is used (not fantastic either, but better than MD5, and it is the digest a TPM 1.2 uses for its PCRs anyway). Also, the provided diffs did not apply, and the PCRs are exposed at a different sysfs path.

While it is easy enough to enable FDE when installing Linux, the passphrase prompt needs a keyboard, which is a problem on a tablet. The firmware, however, does have an on-screen keyboard for entering a BIOS password. So the idea is to set a boot password in the BIOS, and then let the TPM's PCR values stand in for the LUKS passphrase, so that the encrypted disk unlocks without a second prompt.

First step is to take ownership of the TPM:

apt-get install tpm-tools trousers

tpm_takeownership

tpm_takeownership prompts for an owner password and an SRK password. Reading PCR values requires neither, so whatever you choose here does not affect the unlock path; it only matters if you later want to use the TPM for sealing or other owner-authorised operations.

To do this, the initramfs scripts need some changes. The idea is to hash the TPM PCR values, which should be unique to this device, try that hash as the LUKS passphrase first, and fall back to the normal passphrase prompt if it does not match. On Ubuntu 16.04 the kernel exposes the PCR values of a TPM 1.2 at /sys/class/tpm/tpm0/device/pcrs; note that the kernel does not create that sysfs file for TPM 2.0 devices, so this approach only works with a TPM 1.2.

Changes to /usr/share/initramfs-tools/scripts/local-top/cryptroot:

265c265,266
< cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget –key-file=-”

> cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget ”
> # cryptopen=”$cryptopen open –type luks $cryptsource $crypttarget –key-file=-”
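Review bot: removing --key-file=- from cryptopen changes how cryptsetup consumes every keyscript's output, not just the TPM path added in the next hunk. With --key-file=- the whole of stdin is taken as the key, trailing newline included; without it cryptsetup reads a single line from a non-terminal stdin and stops at the newline, which is what lets `echo $hash | $cryptopen` match a passphrase that was typed into luksAddKey. The cost is that a keyscript emitting a binary key (one containing a newline or a NUL byte) is now truncated. Either keep the --key-file=- form for the $cryptkeyscript branch and use the line-reading form only where the TPM hash is piped in, or keep --key-file=- everywhere and emit the hash with printf '%s' so no newline is sent. Also, the quotes and dashes in the pasted lines are typographic (” and –) rather than " and --, so the lines need to be retyped in ASCII before they will run, and the commented-out copy of the old line can simply be dropped.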
300,303c301,320
< if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
< $cryptkeyscript “$cryptkey” | $cryptopen; then
< message “cryptsetup: cryptsetup failed, bad password or options?”
< continue

>
> # Check against TPM
>
> if [ $count -eq 1 ] && [ -e “/sys/class/tpm/tpm0/device/pcrs” ]
> then
> cryptmd5hash=`cat “/sys/class/tpm/tpm0/device/pcrs” | sha1sum | cut -f1 -d’ ‘`
>
> pcrs=`cat /sys/class/tpm/tpm0/devices/pcrs`
>
> if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
> echo $cryptmd5hash | $cryptopen; then
> message “cryptsetup: Setting up Crypt from TPM hash failed – $pcrs – $cryptmd5hash”
> continue
> fi
> else
> if ! crypttarget=”$crypttarget” cryptsource=”$cryptsource” \
> $cryptkeyscript “$cryptkey” | $cryptopen; then
> message “cryptsetup: cryptsetup failed, bad password or options?”
> continue
> fi
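Review bot: the `pcrs=` line reads /sys/class/tpm/tpm0/devices/pcrs ("devices") while the -e test and the hash two lines above read .../device/pcrs, so on a TPM failure cat prints an error on the console and $pcrs is empty; read the file once into a variable and derive the hash from that variable so the three uses cannot drift apart. Two smaller points: cryptmd5hash holds a SHA-1 digest, so the name misleads whoever reads the log message, and the `crypttarget=... cryptsource=...` prefix on the echo line is a no-op (those variables exist for $cryptkeyscript; echo ignores them). Finally, the failure message writes the full PCR dump and the candidate passphrase to the console; log a short "TPM keyslot did not match, falling back to passphrase" instead, because the candidate is the real key whenever the failure has a cause other than changed PCRs (a removed slot, a typo during luksAddKey).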

This also requires two extra binaries in the initramfs, sha1sum and cut. To add them, find the copy_exec lines near the bottom of /usr/share/initramfs-tools/hooks/cryptroot and add

copy_exec /usr/bin/cut

copy_exec /usr/bin/sha1sum

Confirm the paths first with "command -v cut sha1sum" (on Ubuntu 16.04 both live in /usr/bin, not /bin), and after rebuilding check that they made it in with "lsinitramfs /boot/initrd.img-$(uname -r) | grep -E 'cut|sha1sum'"; if either is missing, the TPM branch fails silently at boot and you only ever see the passphrase prompt.

Then run "update-initramfs -u" to rebuild the initramfs for the running kernel.

You will also need to add the SHA-1 passphrase to your LUKS device in an unused keyslot (my LUKS device is /dev/sda3). There is no doubt a better way to do this, but I simply did this:

cat /sys/class/tpm/tpm0/device/pcrs | sha1sum | cut -f1 -d' '

This produces a 40-character hex string, the SHA-1 hash of the PCR values, which is what we use as the passphrase; it should be unique to the system.

I then set it by copying and pasting the hash as the new passphrase when prompted by

cryptsetup luksAddKey /dev/sda3 -S1

Note that -S1 selects keyslot 1 (the second slot; the first one is slot 0). A LUKS header has 8 keyslots you can use. Make sure the passphrase in slot 0 stays in place: it is the fallback when the TPM hash does not match.
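As an added example (not code from the original post), the following script derives the keyslot passphrase the same way the initramfs snippet does, enrolls it through a temporary keyfile instead of copy-and-paste, and verifies that the new slot actually opens the header before you rely on it at boot. The device /dev/sda3 and slot 1 follow the post; the PCRS_FILE, LUKS_DEV and SLOT variables and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the LUKS passphrase from
# the TPM 1.2 PCR listing exactly as the initramfs snippet does (SHA-1 of the
# whole sysfs file, hex digest only) and enrolls it via a keyfile.
# Assumptions (this example's own): /dev/sda3 and slot 1 as in the post, the
# pcrs file at /sys/class/tpm/tpm0/device/pcrs, and slot 0 holding the
# interactive passphrase that luksAddKey will ask for.
set -eu

PCRS_FILE="${PCRS_FILE:-/sys/class/tpm/tpm0/device/pcrs}"
LUKS_DEV="${LUKS_DEV:-/dev/sda3}"
SLOT="${SLOT:-1}"

# Same pipeline as the initramfs script. Takes the pcrs file as an argument so
# it can be run against a saved dump as well as the live sysfs file.
pcr_passphrase() {
    sha1sum < "$1" | cut -f1 -d' '
}

# Enroll passphrase $3 into slot $2 of device $1. printf '%s' writes no trailing
# newline, so the slot holds exactly the 40 hex characters that
# "echo $hash | cryptsetup open" yields once cryptsetup strips the newline
# (the initramfs change drops --key-file=- for exactly that reason).
enroll_pcr_key() {
    dev="$1"; slot="$2"; pass="$3"
    keyfile="$(mktemp -p /dev/shm)"        # tmpfs: the key never touches the disk
    trap 'rm -f "$keyfile"' EXIT           # cleaned up even if cryptsetup fails
    printf '%s' "$pass" > "$keyfile"
    # Prompts on the terminal for an existing (slot 0) passphrase.
    cryptsetup luksAddKey -S "$slot" "$dev" "$keyfile"
    # Verify the new slot really unlocks the header; non-zero exit aborts (set -e).
    cryptsetup open --test-passphrase -S "$slot" --key-file "$keyfile" "$dev"
    shred -u "$keyfile"
}

# Only act when invoked as "sh enroll-pcr-key.sh enroll"; running or sourcing
# the file without the argument just defines the functions.
case "${1:-}" in
    enroll)
        pass="$(pcr_passphrase "$PCRS_FILE")"
        # A SHA-1 hex digest is always 40 characters; anything else means the
        # pcrs file was not readable or not what we expected.
        [ "${#pass}" -eq 40 ] || { echo "unexpected digest: '$pass'" >&2; exit 1; }
        enroll_pcr_key "$LUKS_DEV" "$SLOT" "$pass"
        echo "slot $SLOT on $LUKS_DEV now matches the PCR hash"
        ;;
esac
```

Run it as root with "sh enroll-pcr-key.sh enroll" after the initramfs has been rebuilt. The same pcr_passphrase function can be pointed at a copy of the pcrs file saved after a BIOS update to see whether the hash, and therefore the slot, still matches.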

Note: this is not as secure as entering the FDE passphrase yourself. The hash is computed from values the kernel exposes in sysfs, so it is a per-device fingerprint rather than a secret sealed by the TPM: anything that can read the pcrs file on the running system can recompute the slot 1 passphrase. One attack is for someone to "borrow" the system, remove the SSD, install a compromised initrd, replace the drive, and wait for you to enter your BIOS password; their initrd then has the hash, which unlocks the disk. Of course, this is not significantly different from someone planting a keylogger on your system, and the scheme still protects the data if a thief simply steals the device. Also keep the slot 0 passphrase: any change to the measured boot state (a BIOS update, a changed boot order) changes the PCR values, the TPM slot stops matching, and you will need to re-enroll the new hash (cryptsetup luksKillSlot /dev/sda3 1, then luksAddKey again).

Onscreen Keyboard on login

Although it should work, it appears that the "Onboard" on-screen keyboard does not work correctly with the default LightDM display manager. I eventually discovered that replacing it with gdm3 (apt install gdm3) fixed it. A gotcha: you need to reboot the system after installing gdm3, not just log out and in again.