clevis luks bind fails with key file in non-interactive mode #105

Closed
dnoliver opened this issue Jun 21, 2019 · 8 comments · Fixed by #141

dnoliver commented Jun 21, 2019

Test Script

#!/bin/bash

set -x
set -e

apt-cache policy \
        clevis \
        clevis-luks \
        clevis-udisks2 \
        clevis-tpm2 \
        cryptsetup

openssl rand -hex 8 > key
cryptsetup --verbose --batch-mode luksFormat /dev/sdb1 key
cryptsetup luksOpen /dev/sdb1 c1 --key-file key
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1

clevis luks bind -f -k key -d /dev/sdb1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
clevis luks unlock -d /dev/sdb1 -n c1
ls /dev/mapper/c1

set +e
set +x

Test Output:

+ set -e
+ apt-cache policy clevis clevis-luks clevis-udisks2 clevis-tpm2 cryptsetup
clevis:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
     8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
clevis-luks:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
     8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
clevis-udisks2:
  Installed: 8-1
  Candidate: 8-1
  Version table:
 *** 8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status
clevis-tpm2:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
cryptsetup:
  Installed: 2:2.0.2-1ubuntu1.1
  Candidate: 2:2.0.2-1ubuntu1.1
  Version table:
 *** 2:2.0.2-1ubuntu1.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:2.0.2-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+ openssl rand -hex 8
+ cryptsetup --verify-passphrase --verbose --batch-mode luksFormat /dev/sdb1 key
Command successful.
+ cryptsetup luksOpen /dev/sdb1 c1 --key-file key
+ mkfs.ext4 /dev/mapper/c1
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 7685376 4k blocks and 1921360 inodes
Filesystem UUID: 5ef66bc2-28a9-4288-8b5c-52a93c788f7b
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

+ sleep 1
+ cryptsetup luksClose c1
+ clevis luks bind -f -k key -d /dev/sdb1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
No key available with this passphrase.
2

OS: Ubuntu 18.04, with the Ubuntu disco repos used to install clevis-11
Result: I need to do it interactively, which has other problems that I will describe in another issue
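The failure above comes down to which bytes of the key file reach cryptsetup. The bash script below is an added example, not code from the clevis project or from this issue: it writes a fixed sample key file with printf (constructed, standing in for `openssl rand -hex 8 > key`) and uses hypothetical function names to show that a passphrase read with command substitution is one byte shorter than the key file cryptsetup hashed, that a NUL-delimited `read` keeps the trailing newline, and that feeding the passphrase through `echo -e` rewrites backslash sequences inside it.

```bash
#!/bin/bash
# Added example, not clevis code: reproduces the byte-level mismatch behind
# "No key available with this passphrase." when clevis luks bind is handed
# the same key file that cryptsetup luksFormat used. Runs offline.

# Constructed sample: the shape `openssl rand -hex 8 > key` produces, 16 hex
# digits plus a trailing newline (17 bytes). A fixed value replaces random output.
write_sample_key() {
    printf '0123456789abcdef\n' > "$1"
}

# What `cryptsetup luksFormat ... key` and `--key-file key` actually use:
# every byte of the file, trailing newline included.
keyfile_bytes() {
    wc -c < "$1" | tr -d ' '
}

# How clevis-luks-bind (clevis 11) read the file: command substitution strips
# all trailing newlines, so the passphrase it later supplies is one byte short.
passphrase_via_cat_len() {
    local old
    old="$(/bin/cat "$1")"
    printf '%s' "${#old}"
}

# The patched read: NUL-delimited, raw, with IFS cleared, so whitespace and
# trailing newlines survive and the length matches the key file (ASCII here,
# so ${#old} counts bytes).
passphrase_via_read_len() {
    local old
    ! IFS= read -rd '' old < "$1"
    printf '%s' "${#old}"
}

# Second defect in the old pipeline: `echo -e "$old\n$key"` interprets
# backslash escapes inside the passphrase itself, and cryptsetup takes the
# existing passphrase only up to the first newline. A passphrase containing
# a literal backslash-n is therefore truncated before cryptsetup sees it.
old_passphrase_seen_by_cryptsetup() {
    local old="$1" key="$2"
    echo -e "$old\n$key" | head -n 1
}

# Handing the passphrase over on its own file descriptor instead (what the fix
# does with `--key-file <(...)`) delivers the exact bytes. printf '%s' is used
# rather than echo -n so a passphrase that looks like an echo option is safe.
old_passphrase_via_fd() {
    local old="$1"
    cat <(printf '%s' "$old")
}

demo() {
    local tmp
    tmp="$(mktemp)"
    write_sample_key "$tmp"
    echo "key file bytes:          $(keyfile_bytes "$tmp")"
    echo "old clevis read (bytes): $(passphrase_via_cat_len "$tmp")"
    echo "patched read (bytes):    $(passphrase_via_read_len "$tmp")"
    echo "echo -e pipeline sees:   $(old_passphrase_seen_by_cryptsetup 'ab\ncd' 'NEWKEY')"
    echo "fd hand-over sees:       $(old_passphrase_via_fd 'ab\ncd')"
    rm -f "$tmp"
}

# Run the demo only when executed directly, not when sourced by a test.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then demo; fi
```

To check the same thing against a real device without modifying its header, `cryptsetup open --test-passphrase --key-file key /dev/sdb1` exits 0 only when the file's bytes match a key slot; a copy of the passphrase with its trailing newline stripped is rejected exactly as in the bind output above.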

@dnoliver dnoliver changed the title clevis luks bind failes with key file clevis luks bind fails with key file in non-interactive mode Jun 21, 2019
@sergio-correia (Collaborator)

Could you try the following patch (on top of master) and report back the results, please?

diff --git a/src/luks/clevis-luks-bind b/src/luks/clevis-luks-bind
index 3044a32..a9356fe 100755
--- a/src/luks/clevis-luks-bind
+++ b/src/luks/clevis-luks-bind
@@ -122,16 +122,16 @@ fi
 case "$KEY" in
 "") read -r -s -p "Enter existing LUKS password: " old; echo;;
  -) old="$(/bin/cat)";;
- *) old="$(/bin/cat "$KEY")";;
+ *) ! IFS= read -rd '' old < "$KEY";;
 esac
 
 # Add the new key
 if [ -n "$SLT" ]; then
-    cryptsetup luksAddKey --key-slot "$SLT" "$DEV"
+    cryptsetup luksAddKey --key-slot "$SLT" --key-file <(echo -n "$old") "$DEV"
 else
-    SLT="$(cryptsetup luksAddKey -v "$DEV" \
+    SLT="$(cryptsetup luksAddKey --key-file <(echo -n "$old") -v "$DEV" \
         | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')"
-fi < <(echo "$old"; echo -n "$key")
+fi < <(echo -n "$key")
 if [ $? -ne 0 ]; then
     echo "Error while adding new key to LUKS header!" >&2
     exit 1
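Review bot: the new `*) ! IFS= read -rd '' old < "$KEY";;` arm stops at the first NUL byte and, because of the leading `!`, reports success even when "$KEY" cannot be opened at all, so a binary key file (the kind `cryptsetup --key-file` accepts) is silently truncated and a missing or unreadable file turns into an empty passphrase and a misleading "No key available" from luksAddKey; consider checking `[ -r "$KEY" ]` before the read and documenting that only NUL-free key files are supported, or pass "$KEY" straight to `--key-file` when it is a regular file. On the two `--key-file <(echo -n "$old")` lines, `printf '%s' "$old"` would be safer than `echo -n`, since a passphrase that is exactly an echo option string (such as `-e`) is swallowed by the builtin.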

@dnoliver (Author)

@sergio-correia I will need some time to prepare a build environment and test this patch, given that I have been just using the default clevis that is present in Fedora.

I think it will be faster if I could modify the /usr/bin/clevis-luks-bind script that I already have installed, is that possible? Would this change work in the release version?

@sergio-correia (Collaborator)

@dnoliver: please try the slightly modified following patch, which should apply on top of clevis-luks-bind provided by clevis-luks-11-5.fc30:

diff --git a/clevis-luks-bind b/clevis-luks-bind
index 6fbc003..b8e8c62 100755
--- a/clevis-luks-bind
+++ b/clevis-luks-bind
@@ -111,18 +111,17 @@ fi
 case "$KEY" in
 "") read -s -p "Enter existing LUKS password: " old; echo;;
  -) old=`/bin/cat`;;
- *) old=`/bin/cat "$KEY"`;;
+ *) ! IFS= read -rd '' old < "$KEY";;
 esac
 
 # Add the new key
 if [ -n "$SLT" ]; then
-    if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
-        echo "Error while adding new key to LUKS header!" >&2
-        exit 1
-    fi
-elif ! SLT=`echo -e "$old\n$key" \
-        | cryptsetup luksAddKey -v $DEV \
-        | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
+    cryptsetup luksAddKey --key-slot "$SLT" --key-file <(echo -n "$old") "$DEV"
+else
+    SLT="$(cryptsetup luksAddKey --key-file <(echo -n "$old") -v "$DEV" \
+        | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')"
+fi < <(echo -n "$key")
+if [ $? -ne 0 ]; then
     echo "Error while adding new key to LUKS header!" >&2
     exit 1
 fi
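Review bot: the `if [ $? -ne 0 ]; then` added after `fi < <(echo -n "$key")` cannot catch a failing `luksAddKey` in the else branch: there `$?` is the status of the assignment to SLT, which is the status of the command substitution, which in turn is the exit code of the last command in the pipeline, `sed`, not `cryptsetup`; unless pipefail is enabled earlier in the script (not visible in this hunk), a rejected existing passphrase leaves SLT empty and execution continues past the error message. Either run the pipeline under `set -o pipefail` or also test `[ -z "$SLT" ]` before using the slot number. The removed `elif ! SLT=\`...\`` form had the same gap, so this is not a regression, but the rewrite is the place to close it.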

@dnoliver (Author)

Hope I did it correctly,

[intel@fedora-workstation-1 ~]$ diff clevis-luks-bind.bak clevis-luks-bind

shows:

114c114
<  *) old=`/bin/cat "$KEY"`;;
---
>  *) ! IFS= read -rd '' old < "$KEY";;
119,126c119,124
<     if ! echo -e "$old\n$key" | cryptsetup luksAddKey --key-slot $SLT $DEV; then
<         echo "Error while adding new key to LUKS header!" >&2
<         exit 1
<     fi
< elif ! SLT=`echo -e "$old\n$key" \
<         | cryptsetup luksAddKey -v $DEV \
<         | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p'`; then
<     echo "Error while adding new key to LUKS header!" >&2
---
>     cryptsetup luksAddKey --key-slot "$SLT" --key-file <(echo -n "$old") "$DEV"
> else
>     SLT="$(cryptsetup luksAddKey --key-file <(echo -n "$old") -v "$DEV" \
>         | sed -rn 's|^Key slot ([0-9]+) created\.$|\1|p')"
> fi < <(echo -n "$key")
> if [ $? -ne 0 ]; then    echo "Error while adding new key to LUKS header!" >&2

Running the test:

[root@fedora-workstation-1 test]# ./clevis-test.sh 
+ set -e
+ openssl rand -hex 8
+ cryptsetup --verbose --batch-mode luksFormat /dev/sda1 key
Existing 'crypto_LUKS' superblock signature on device /dev/sda1 will be wiped.
Existing 'crypto_LUKS' superblock signature on device /dev/sda1 will be wiped.
Key slot 0 created.
Command successful.
+ cryptsetup luksOpen /dev/sda1 c1 --key-file key
+ mkfs.ext4 /dev/mapper/c1
mke2fs 1.44.6 (5-Mar-2019)
Creating filesystem with 15024120 4k blocks and 3760128 inodes
Filesystem UUID: cc3e77d1-62a1-427f-9b22-d44249ebdde9
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000, 7962624, 11239424

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done   

+ sleep 1
+ cryptsetup luksClose c1
+ clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
+ clevis luks unlock -d /dev/sda1 -n c1
+ ls /dev/mapper/c1
/dev/mapper/c1
+ set +e
+ set +x

Works! Thank you @sergio-correia!

FYI: I tested this in Fedora Workstation 30, not on Ubuntu (there are other reported issues in Ubuntu about versions and such)

I am happy that it works in Fedora :)

@sergio-correia (Collaborator)

Thanks for testing, I will push that fix.

sergio-correia added a commit to sergio-correia/clevis that referenced this issue Nov 23, 2019
We now use cryptsetup and a key file, and that way we handle
passphrases with newlines in them as well.

Also add tests to confirm non-interactive mode is working.

Fixes: latchset#105
sergio-correia added a commit to sergio-correia/clevis that referenced this issue Nov 23, 2019
sergio-correia added a commit to sergio-correia/clevis that referenced this issue Nov 29, 2019

dnoliver commented Dec 4, 2019

Thanks!

When is this going to be present in an rpm package for Fedora?

@sergio-correia (Collaborator)

There is a Fedora 31 package currently in testing: https://bodhi.fedoraproject.org/updates/FEDORA-2019-777babd249


dnoliver commented Jan 6, 2020

Thank you @sergio-correia, it works with Clevis 11-11

Apparently it got updated with the latest automatic update

[root@fedora-server-1 intel]# sudo dnf upgrade --advisory=FEDORA-2019-777babd249
Last metadata expiration check: 2:03:11 ago on Mon 06 Jan 2020 11:53:20 AM PST.
No security updates needed, but 0 updates available
Dependencies resolved.
Nothing to do.
Complete!

The test now passes

#!/bin/bash

set -euxo pipefail

rpm -qa clevis* cryptsetup* luks* tpm2*

openssl rand -hex 8 > key
cryptsetup --verbose --batch-mode luksFormat /dev/sda1 key
cryptsetup open /dev/sda1 c1 --key-file key
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup close c1

clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
clevis luks unlock -d /dev/sda1 -n c1
ls /dev/mapper/c1
cryptsetup close c1

Test output:

[root@fedora-server-1 intel]# bash test.sh 
+ rpm -qa 'clevis*' 'cryptsetup*' 'luks*' 'tpm2*'
cryptsetup-libs-2.2.2-1.fc31.x86_64
tpm2-tools-4.0.1-1.fc31.x86_64
clevis-11-11.fc31.x86_64
cryptsetup-2.2.2-1.fc31.x86_64
tpm2-tss-2.3.1-1.fc31.x86_64
clevis-luks-11-11.fc31.x86_64
tpm2-tss-devel-2.3.1-1.fc31.x86_64
tpm2-pkcs11-tools-0-0.8.20191011git0b7ceff.fc31.x86_64
luksmeta-9-5.fc31.x86_64
+ openssl rand -hex 8
+ cryptsetup --verbose --batch-mode luksFormat /dev/sda1 key
Existing 'crypto_LUKS' superblock signature (offset: 0 bytes) on device /dev/sda1 will be wiped.
Existing 'crypto_LUKS' superblock signature (offset: 16384 bytes) on device /dev/sda1 will be wiped.
Key slot 0 created.
Command successful.
+ cryptsetup open /dev/sda1 c1 --key-file key
+ mkfs.ext4 /dev/mapper/c1
mke2fs 1.45.3 (14-Jul-2019)
Creating filesystem with 7681792 4k blocks and 1921360 inodes
Filesystem UUID: ab3793f3-67ca-4cfb-bbc4-c972b9a9130b
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

+ sleep 1
+ cryptsetup close c1
+ clevis luks bind -f -k key -d /dev/sda1 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"1,2"}'
+ clevis luks unlock -d /dev/sda1 -n c1
+ ls /dev/mapper/c1
/dev/mapper/c1
+ cryptsetup close c1
