[UKI] Can't unlock luks device after adding new certs to EFI #32946
Comments
According to docs, if not specified, when locking via a tpm signature/policy it will bind to PCR11, but this sure looks like it's binding to PCR7 as well? Otherwise I'm not sure why adding a new cert in the KEK or DB would break the PCR11 measurements?
We also tried to specify exactly
Oh, I just saw it thanks to #30546: decryption is trying PCR7+11? Does that make sense if the default is to encrypt with 11 only?
Going further down into this, when running cryptsetup it's supposed to store the bound PCR slots into the luks JSON header?
So if we enroll with PCR11 cryptsetup would read that from the header and try to unlock with PCR11 only, but we are not seeing this; we are locking with PCR11 and we can clearly see cryptsetup picking up 7+11:
I did regenerate the partition and enrolling the key seems to default to 7+11 no matter what we specify in the flag.
BUT, it seems that if we specify So what's the flag to use? Is this a docs issue? Did the behavior change? Docs mention:
So it makes sense that if we are using a policy in order to be able to update the system, we use
Yes, confirmed that setting public key and public pcrs does not bind only to the public pcrs as one would assume from what's written in the docs; it binds also to the default --tpm2-pcrs values, which default to 7 in the back without hinting at it. I think the docs need to be updated to mention that both values would be merged, so if you don't specify anything in the tpm2-pcrs it will automatically add PCR7. Not only that, but docs also hint that if you want to use public pcrs to allow updating you need to use that flag, because tpm2-pcrs will lock to a single set of measurements, which made us wary of setting that as we didn't want to bind to just 1 set of measurements.
Going more and more on this, seems that the solution of setting the

```json
{
  "type": "systemd-tpm2",
  "keyslots": [
    "2"
  ],
  "tpm2-blob": "AJ4AIOU3ZfAH3z0fvsiJ0aw2I7Pq+Zue8/5qABTjPXcgU5QxABD9zn5TUr1qrEmkg4exJDDPErq23zAyh4zGfDL7DIR5buyw8ukHDX9CPu05Rqqe71LQsQYf56RPP03DSyzZ+Wtr95bwPkaoDexs/Ecw47dZbqL6j75/+e2oTMzv/qmKf2yExISVoi15bqsIofGYc/oe+yR/55IiQVK/DABOAAgACwAAABIAIHsVg0g6toC+AVZjPAXcWbl1jlPVYIMUTGSyiqttBy+pABAAIJvOeakoukYzJt/UpdzCD0fyoXU8T//ND+3nKwf5OVLx",
  "tpm2-pcrs": [
    11
  ],
  "tpm2-pcr-bank": "sha256",
  "tpm2-policy-hash": "7b1583483ab680be0156633c05dc59b9758e53d56083144c64b28aab6d072fa9",
  "tpm2-pin": false,
  "tpm2_pcrlock": false,
  "tpm2_pubkey_pcrs": [
    11
  ],
  "tpm2_pubkey": "<elided>",
  "tpm2_srk": "gQAAAQAiAAtFmtcOfTaTsqkzrcwxonwYAc9HacRwvfKkGhbjR9uaLAAAAAEAWgAjAAsAAwRyAAAABgCAAEMAEAADABAAICn301ozNM+qA0RKpa/ptgcIYxLjBPYKJvcfxSpaCILlACBkbJ6JNOT36Spcm1s3hFSP+RVLj0JG+/ZQPRDTF+0jmA=="
}
```

we don't want to have that.
Docs say that passing an empty string will result in tpm2-pcrs not being bound to anything, but that fails.
This can be worked around by skipping the TPM and using the
I dunno, seems like a bug?
Yes. And yes, it is not clear from the documentation. Even more confusing is the silent default for
Hey @arvidjaar, thanks for confirming, but as you can see above, passing an empty
What apparently happens here. The (systemd/src/cryptenroll/cryptenroll-tpm2.c, lines 443 to 445 in 72192b6)
The value of (systemd/src/cryptenroll/cryptenroll-tpm2.c, lines 374 to 383 in 72192b6)
This works as long as (systemd/src/shared/tpm2-util.c, lines 4218 to 4222 in 72192b6)
(systemd/src/shared/tpm2-util.c, lines 4240 to 4241 in 72192b6)
Which fails due to bank (hash algorithm) being uninitialized.
Awesome troubleshooting! Locally building systemd and trying with some debug logging seems to confirm indeed that this is the issue. I guess we should check if
Ah no, I missed your comment that it's using Too complex to fix it myself :D
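To make the two points of this thread concrete (the token pasted above binds the union of literal and signed PCRs, and the bank must be chosen explicitly when no literal PCRs are given), here is a small added audit script that is not part of the issue or of systemd. It models the `--tpm2-pcrs` / `--tpm2-public-key-pcrs` merge and reads a constructed `systemd-tpm2` LUKS2 token (blobs replaced by placeholders) to report which PCRs an unlock actually depends on; `DEFAULT_LITERAL_PCRS`, `FRAGILE_PCRS` and the function names are assumptions for illustration.

```python
import json

# Assumption (matches what the thread observed): --tpm2-pcrs silently defaults to 7.
DEFAULT_LITERAL_PCRS = [7]
# PCRs that change on firmware policy updates (new KEK/db certs) rather than UKI updates.
FRAGILE_PCRS = frozenset({7})

# Constructed sample token modelled on the one pasted in the thread; not real key material.
SAMPLE_TOKEN = json.dumps({
    "type": "systemd-tpm2",
    "keyslots": ["2"],
    "tpm2-blob": "<blob placeholder>",
    "tpm2-pcrs": [7],
    "tpm2-pcr-bank": "sha256",
    "tpm2-policy-hash": "<hash placeholder>",
    "tpm2-pin": False,
    "tpm2_pcrlock": False,
    "tpm2_pubkey_pcrs": [11],
    "tpm2_pubkey": "<pem placeholder>",
})

def parse_pcr_arg(value):
    """None = flag not given; "" = explicitly empty; else a '+'-separated PCR list."""
    if value is None:
        return None
    if value.strip() == "":
        return []
    return sorted({int(p) for p in value.split("+")})

def effective_binding(tpm2_pcrs=None, public_key_pcrs=None, default_bank="sha256"):
    """Return (literal_pcrs, signed_pcrs, bank). Literal PCRs fall back to the silent
    default when the flag is omitted, and the bank is picked explicitly even when the
    literal list is empty (the fix the thread describes, instead of an unset bank)."""
    literal = parse_pcr_arg(tpm2_pcrs)
    if literal is None:
        literal = list(DEFAULT_LITERAL_PCRS)
    signed = parse_pcr_arg(public_key_pcrs) or []
    bank = default_bank  # real code would pick from the banks the TPM supports
    return literal, signed, bank

def audit_token(token_json):
    """Report every PCR a systemd-tpm2 token's policy depends on and flag fragile ones."""
    tok = json.loads(token_json)
    if tok.get("type") != "systemd-tpm2":
        raise ValueError("not a systemd-tpm2 token")
    bound = set(tok.get("tpm2-pcrs", [])) | set(tok.get("tpm2_pubkey_pcrs", []))
    return {"bound_pcrs": sorted(bound), "bank": tok.get("tpm2-pcr-bank"),
            "fragile": sorted(bound & FRAGILE_PCRS)}
```

Run `audit_token` over the output of `cryptsetup luksDump --dump-json-metadata <device>` (token objects under `tokens`) to confirm before an EFI cert change that no PCR7 dependency remains.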
From issue systemd#32946: If you want to bind a policy to PCR11 and specify the tpm2-pcr flag with an empty value, the bank calculation will fail as it tries to use an invalid value for the calculation of the hash. This works around it by trying to use the public key PCR values if they are set and the usual tpm2 PCR banks are empty, so as not to fail. Signed-off-by: Itxaka <itxaka@kairos.io>
…but signed PCR binding is on. We so far derived the PCR bank to use from the PCR values specified for literal PCR binding. However, when that's not used then we left the bank uninitialized, which will break if signed PCR binds are used (where we need to pick a bank too after all). Hence, let's explicitly pick a bank to use if literal PCR values are not used, to make things just work. Fixes: systemd#32946
I prepped a simple fix in #32993. Could you give it a whirl?
systemd version the issue has been seen with
255.4-1ubuntu8
Used distribution
Ubuntu 24.04
Linux kernel version used
6.8.0-31-generic
CPU architectures issue was seen on
x86_64
Component
systemd-cryptsetup
Expected behaviour you didn't see
Installed UKI signed with secureboot custom cert (let's call it itxaka1). Measured with tpm2-signature to default PCRs (11 according to docs). Partitions are correctly unlocked on boot with cryptsetup attach using the measurements on /run/systemd/ (systemd-cryptsetup attach oem /dev/vda2 - tpm2-device=auto). All fine and dandy and working without issues.
Then we add a new KEK cert to the EFI firmware (let's call it itxaka2) and the system boots correctly, so secureboot works, but partitions won't unlock anymore. See logs attached.
If you remove the cert, then it starts working again.
Unexpected behaviour you saw
Expecting it to unlock anyway, as measurements and the tpm2 policy should not rely on PCR7, which is the one that changed by adding new certs.
Steps to reproduce the problem
Additional program output to the terminal or log subsystem illustrating the issue