Running kexec-save-key wiped the only slot remaining #645
Comments
|
Yeah that's a good catch. We probably should be using luksRemoveKey instead. |
@flammit: instead of killslot? Edit: in my attempts to play fair with crypsetup, I found that specifying the slots was mitigating those errors. Of course killslot doesn't pardon and will just delete the key slot (1 here, as specified). But if I understand well the problem of @EDmitry, it was caused by playing externally with cryptsetup, so using luksRemoveKey would not have prevented the disaster and would have complied also, or I might miss something. |
@EDmitry : When you change a passphrase for a keyslot without specifying which one to play with, cryptsetup creates a new slot and deletes the old one. Adding a keyslot leaves the old one in place. So you had nothing in slot 0 anymore because of changing a passphrase, and save-key doesn't validate if slot 0 exists, just kills slot 1, and saves new key in 1 as instructed. So in this case, it killed slot 1, had nothing to validate functional decryption against old key (no more slots) and failed to insert new key in slot 1. Any proposition to deal with this external error? As a side note, adding key (additional passphrase to unlock disk) for slot, or changing slot decryption key (passphrase) doesn't reencrypt disk content. It just adds/change key to be able to decrypt same encrypted disk content. To reencrypt, cryptsetup-reencrypt needs to be used. |
|
Came across this as well while setting up my T430. A rare occurance but got me confused for a second 😄 One fast Debian reinstall later and making sure I was using slot 0 solved everything. |
Non related outside of reviewing current code: - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding close issue linuxboot#645, checking if slot1 is the only slot prior of wiping it Currently rebased on top of https://github.com/tlaurion/stenghten_entropy_sources_with_jitter_and_TPM to test qemu at the same time. TODO: rebase on top of osresearch/master prior of merging
Non related outside of reviewing current code: - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding close issue linuxboot#645, checking if slot1 is the only slot prior of wiping it Currently rebased on top of https://github.com/tlaurion/stenghten_entropy_sources_with_jitter_and_TPM to test qemu at the same time. TODO: rebase on top of osresearch/master prior of merging
Non related outside of reviewing current code: - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding close issue linuxboot#645, checking if slot1 is the only slot prior of wiping it Tested: - on top of https://github.com/tlaurion/stenghten_entropy_sources_with_jitter_and_TPM to test qemu at the same time. - On top of master Boards: - qemu-coreboot-whiptail-tpm1: success - qemu-coreboot-whiptail-tpm2 : fails
Non related outside of reviewing current code: - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding close issue linuxboot#645, checking if slot1 is the only slot prior of wiping it Tested: - on top of https://github.com/tlaurion/stenghten_entropy_sources_with_jitter_and_TPM to test qemu at the same time. - On top of master Boards: - qemu-coreboot-whiptail-tpm1: success - qemu-coreboot-whiptail-tpm2 : fails
…when resealing TOTP)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for linuxboot#645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
…when resealing TOTP)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for linuxboot#645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
…when resealing TOTP)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for linuxboot#645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
|
Not sure why I cannot tag this issue from #1482, but that PR fixes this. Closing prematurely otherwise won't be closed automatically (Bad Github) |
After running
kexec-save-key -p /boot/ /dev/sda2the only slot generated by Qubes installation was wiped, and the new key wasn't inserted. Verified with luksDump that all slots are disabled after running the command. I see that from the code it supposed to wipe the slot 1, but I think the reason my main key was in slot 1 is because I change the LUKS password before. That probably inserted a new key in slot 1 and deleted from 0.I think
kexec-seal-keyshould verify that it's not removing the only slot available.The text was updated successfully, but these errors were encountered: