-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clevis ignores PCR policy #102
Comments
No, this is not the expected behavior. What clevis and tpm2-tools version are you using? On my Fedora 30 machine:
|
The problem is in the jose project that's not able to parse
So you should file an issue in the jose project for this.
Probably that's not correct and should take into account when the field is key is present but its value couldn't be parsed. |
Sorry I forgot to post my versions! find them below: cat /etc/redhat-release
Fedora release 29 (Twenty Nine)
uname -a
Linux localhost.localdomain 5.0.16 #1 SMP Tue May 21 10:40:27 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux
rpm -qa tpm2-tools tpm2-tss
tpm2-tools-3.1.4-1.fc29.x86_64
tpm2-tss-2.1.2-1.fc29.x86_64
rpm -qa clevis clevis-luks jose
clevis-luks-11-4.fc29.x86_64
jose-10-3.fc29.x86_64
clevis-11-4.fc29.x86_64
Originally, I was using
Done latchset/jose#68
I originally thought that I was passing an invalid configuration, given that I was sing |
Right, the But yes, probably
Yes, please file another issue for that. I think this issue can be closed now, unless you want to keep it open until |
Done, created new issue for Jose settings parsing state validation #103. I am closing this, it is now clear which is the setting I should have used to not run into this error. Thank you @martinezjavier! |
Clevis is ignoring the pcr policy configured with bind.
The following test demonstrate the behaviour.
Use clevis to create a key slot in an already created LUKS container.
Select the PCR
sha1:16
to enforce the policy.By default,
sha1:16
contains zeroes.Extend the PCR
sha1:16
with any value.sudo tpm2_pcrextend 16:sha1=a3d2744ea1acb343f49fe2a6441c0b057a0ac64c sudo tpm2_pcrlist --sel-list sha1:16 > pcr-26-final.yaml
Check the PCR
sha1:16
stateUnlock the LUKS container using clevis
Expected: Clevis should not be able to unlock the volume, given that the policy should not be satisfied with the modified PCR value
Actual: Clevis unlocks the volume
The impact of this is that, if you used clevis with an PCR policy, the volume can be unlocked regardless of the platform integrity state.
NOTE: This originally happened with the PCR-9 as well. I am using the PCR-16 for testing purposes, given that it is the one that you can reset.
@martinezjavier is this expected behaviour?
The text was updated successfully, but these errors were encountered: