systemd-cryptsetup is broken when used with tpm2 #167994
Comments
Potential solution might be:
Or maybe creating a module that links required libraries 🤔 + instantiate |
I think the
interface in Instead of accepting a path to the
On NixOS, this is a problem. Due to Ideally, the |
Before submitting any patches I decided to ask cryptsetup maintainers. |
Wouldn't |
I'm not sure - loading random |
We (@Mic92, @luis-hebendanz) just had a discussion in Mumble about this. Our proposed solution would be something like this in cryptsetup (untested!): diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
index 61be376..37befe8 100644
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
token = &ret->u.v2;
- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name);
+ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name);
if (r < 0 || (size_t)r >= sizeof(buf))
return -EINVAL;
- assert(*buf == '/');
-
log_dbg(cd, "Trying to load %s.", buf);
h = dlopen(buf, RTLD_LAZY); This would allow us to load the libraries from the default library search path that we can alter using our default tools like patchelf. |
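Review bot: removing the `crypt_token_external_path()` prefix together with `assert(*buf == '/')` changes what `dlopen` is asked to do: a bare `libcryptsetup-token-%s.so` is resolved through the loader's normal search order (`LD_LIBRARY_PATH`, RPATH, `ld.so.cache`, default directories) instead of one compiled-in directory, so the plugin that gets loaded is no longer pinned to a single trusted location, which is exactly the property the removed assert guaranteed. As noted later in the thread, `LD_LIBRARY_PATH` is also ignored for setuid execution, so the behaviour differs by caller. Suggest keeping the absolute path as the default and falling back to the bare name only when the file is absent from `crypt_token_external_path()`, and logging which lookup was used in the existing `log_dbg` line so the trust boundary stays visible.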
Sounds like a nice idea, but we should definitely ask upstream (in https://gitlab.com/cryptsetup/cryptsetup/-/issues/733) about this - they wrote:
If I see this correctly, by dropping the absolute PATH we'd find all systemd cryptsetup external token |
I might be completely off, but running patchelf inside of a cryptsetup derivation yields dependency loop, since we have to drag systemd in it. |
No, the idea was to make use of |
@flokli I really don't see the issue since overriding LD_LIBRARY_PATH only works when not using setuid From the
|
@dasJ |
With the aforementioned patch + this patch, the test succeeds: diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix
index 055ae7d1681..2204d7e1bc4 100644
--- a/nixos/tests/systemd-cryptenroll.nix
+++ b/nixos/tests/systemd-cryptenroll.nix
@@ -1,11 +1,17 @@
-import ./make-test-python.nix ({ pkgs, ... }: {
+import ./make-test-python.nix ({ pkgs, ... }: let
+
+ cryptsetup = pkgs.cryptsetup.overrideAttrs (oA: {
+ patches = oA.patches ++ [ ../../pkgs/os-specific/linux/cryptsetup/relative-token-path.patch ];
+ });
+
+in {
name = "systemd-cryptenroll";
meta = with pkgs.lib.maintainers; {
maintainers = [ ymatsiuk ];
};
nodes.machine = { pkgs, lib, ... }: {
- environment.systemPackages = [ pkgs.cryptsetup ];
+ environment.systemPackages = [ cryptsetup ];
virtualisation = {
emptyDiskImages = [ 512 ];
qemu.options = [
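Review bot: `oA.patches ++ [ ... ]` evaluates `oA.patches` unconditionally and aborts with a missing-attribute error if the package defines no `patches` list; write `(oA.patches or []) ++ [ ... ]`, the same guard this diff already uses for `${oA.postFixup or ""}`. The referenced `../../pkgs/os-specific/linux/cryptsetup/relative-token-path.patch` is not part of this diff, so the test cannot evaluate as posted, and a package patch carried only by a test override belongs in the cryptsetup package expression instead.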
@@ -14,6 +20,22 @@ import ./make-test-python.nix ({ pkgs, ... }: {
"-device tpm-tis,tpmdev=tpm0"
];
};
+
+ systemd.package = (pkgs.systemd.overrideAttrs (oA: {
+ nativeBuildInputs = oA.nativeBuildInputs ++ [
+ pkgs.makeBinaryWrapper
+ ];
+ postFixup = ''
+ ${oA.postFixup or ""}
+
+ for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
+ wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup
+ done
+ '';
+ })).override {
+ inherit cryptsetup;
+ };
};
testScript = ''
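Review bot: prefixing `LD_LIBRARY_PATH` with `${placeholder "out"}/lib/cryptsetup` for `systemd-cryptsetup` and `systemd-cryptenroll` changes library resolution for every shared object those two processes load, not only the token plugin, and it only has an effect because the cryptsetup patch referenced above makes the `dlopen` name relative. Any other consumer of the plugins (for example `cryptsetup` from `environment.systemPackages`, which is not wrapped) still cannot find them. At minimum this deserves a comment marking it as a test-only workaround; a build-time plugin directory that points cryptsetup at the systemd plugins would not depend on the process environment at all.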
@@ -37,7 +59,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
# Enroll new LUKS key and bind it to Secure Boot state
# For more details on PASSWORD variable, check the following issue:
# https://github.com/systemd/systemd/issues/20955
- machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+ machine.succeed("PASSWORD=lukspass SYSTEMD_LOG_LEVEL=debug SYSTEMD_LOG_LOCATION=1 LD_DEBUG=files systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
# Add LUKS partition to /etc/crypttab to test auto unlock
machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
machine.shutdown() |
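Review bot: `SYSTEMD_LOG_LEVEL=debug SYSTEMD_LOG_LOCATION=1 LD_DEBUG=files` are debugging aids for a local run rather than something to commit in the test; `LD_DEBUG=files` in particular floods the test log with every library resolution the process performs. Drop them from the `machine.succeed(...)` line before this lands, or gate them behind a test option if the extra output is needed to diagnose the plugin lookup.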
Fix: #171242 |
can this be closed with #189676 merged? |
Yes, thanks for the ping :-) |
Hmh, I |
I checked logs,
Confusingly, it says that even if I touch a file in there, so maybe we invoke it wrongly - or conventions change midway? |
I'm going to check the test now, but what I noticed some time ago, that
it seems like this has stopped working. Edit: the test is failing due to the same issue ☝🏻
☝🏻 looks like a race condition to me, might that be that the state directory disappeared before the swtpm process dies? |
Ping @RaitoBezarius |
That was this bug: #210896 |
Yea, and upon cherrypicking that commit on nixos-unstable, |
I can confirm. I sent a PR to staging (#213182), to mark the test as not broken there. This can be closed, sorry for the noise. |
Describe the bug
Plugins built with systemd are not available in cryptsetup.
Steps To Reproduce
Steps to reproduce the behavior:
Local with TPM2
Password prompt appears:
# cleanup
sudo systemd-cryptenroll --wipe-slot=tpm2 encrypted.img
Using tests with swtpm:
boot.kernelParams = [ "systemd.log_level=debug" "systemd.log_target=console" "console=ttyS0,38400" "console=tty1" ];
nix build .#nixosTests.systemd-cryptenroll
(give it a minute since it spits out lots of debug statements)
nix log .#nixosTests.systemd-cryptenroll
Expected behavior
Password prompt should not appear
Additional context
#139864 should have caught this issue.
strace suggests that the new systemd feature is to blame:
It seems like cryptsetup expects the library to be present under ${cryptsetup}/lib/cryptsetup but it's present under ${systemd}/lib/cryptsetup.
No matter what I do I get into a dependency loop 🤷🏻
Notify maintainers
@flokli @kloenk @Mic92
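As an added illustration of the lookup this issue is about (example code, not cryptsetup's or systemd's own), the following mirrors how `crypt_token_load_external` builds the plugin path from one compiled-in directory plus the token type name, and reports which file a failed lookup actually tried, which is what the `strace` output in the report shows. `TOKEN_DIR`, `token_path` and `load_token` are hypothetical names; the directory is a stand-in for whatever `crypt_token_external_path()` returns.

```c
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the plugin directory cryptsetup compiles in and
 * returns from crypt_token_external_path(); on NixOS that is
 * ${cryptsetup}/lib/cryptsetup, while systemd installs its plugins under
 * ${systemd}/lib/cryptsetup, which is never consulted. */
#define TOKEN_DIR "/usr/lib/cryptsetup"

/* Build "<dir>/libcryptsetup-token-<name>.so" the way the unpatched code does.
 * Returns 0, or -EINVAL if the result is truncated or not an absolute path
 * (the property the assert(*buf == '/') in the original enforces). */
int token_path(const char *dir, const char *name, char *buf, size_t len)
{
    int r = snprintf(buf, len, "%s/libcryptsetup-token-%s.so", dir, name);
    if (r < 0 || (size_t)r >= len)
        return -EINVAL;
    if (buf[0] != '/')
        return -EINVAL;   /* a relative name would hand resolution to the loader search path */
    return 0;
}

/* Try to load the plugin from the pinned directory. Returns 0 on success,
 * -EINVAL for a malformed path, -ENOENT when the loader cannot load that file
 * (dlerror() has the detail). The attempted path is left in 'tried'. */
int load_token(const char *dir, const char *name, char *tried, size_t len)
{
    int r = token_path(dir, name, tried, len);
    if (r < 0)
        return r;
    void *h = dlopen(tried, RTLD_LAZY);
    if (!h)
        return -ENOENT;
    dlclose(h);
    return 0;
}

int main(void)
{
    char tried[512];
    /* Mirrors the report: the plugin exists elsewhere, so the only path
     * cryptsetup will ever try is the one printed here. */
    int r = load_token(TOKEN_DIR, "systemd-tpm2", tried, sizeof tried);
    printf("%s -> %s\n", tried, r == 0 ? "loaded" : strerror(-r));
    return 0;
}
```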