
pcrlock: add support for unlocking a root fs with a pcrlock file #30130

Merged: bluca merged 4 commits into systemd:main from poettering:pcrlock-root on Jan 23, 2024

Conversation

@poettering (Member) commented Nov 21, 2023

We store the pcrlock policy JSON file in /var/. We need it to unlock LUKS devices that are locked to pcrlock. That means we have to copy the pcrlock policy file somewhere better to be able to unlock the root fs itself (where /var/ typically resides), to avoid the cyclic dependency.

Let's address this by wrapping the policy file in a credential, and writing it to /loader/credentials in the ESP. Then sd-stub will pick it up, and pass it to the initrd where we can consume it.

We disable encryption/authentication for the credential, since we need to access it to unlock TPM-locked objects, and hence cannot lock it to TPM itself. We already had a codepath for that in place, to cover for TPM-less systems, but refused to enable the codepath if we detected a TPM present (simply in order to refuse unauthenticated credentials). Hence we relax the rules here a bit and allow the data to be consumed even with disabled encryption/authentication on explicit request.

All in all behaviour is fully automatic.

(As preparation this converts a good chunk of the tpm2 codebase to use struct iovec for maintaining "blobs" of arbitrary data, instead of manual pairs of void* and size_t.)
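As an added example (not systemd's code) of the struct iovec blob handling the last paragraph mentions: a length-prefixed serializer and a bounds-checked parser over arbitrary blobs, where each blob travels as one struct iovec instead of a loose pointer/length pair. The function names and the framing format are hypothetical.

```c
/* Added example, not systemd's code: blobs as struct iovec (iov_base/iov_len)
 * with a length-prefixed container. Names and framing are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Serialize n blobs as [u32 len][bytes]... into a freshly allocated buffer.
 * Returns 0 and fills *out on success, -1 on size overflow or allocation failure.
 * Lengths are written in host byte order; this is an in-memory demo, not a wire format. */
static int blobs_serialize(const struct iovec *blobs, size_t n, struct iovec *out) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (blobs[i].iov_len > UINT32_MAX || total > SIZE_MAX - 4 - blobs[i].iov_len)
            return -1;                       /* refuse rather than wrap around */
        total += 4 + blobs[i].iov_len;
    }
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return -1;
    uint8_t *p = buf;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = (uint32_t) blobs[i].iov_len;
        memcpy(p, &len, 4); p += 4;
        memcpy(p, blobs[i].iov_base, len); p += len;
    }
    out->iov_base = buf;
    out->iov_len = total;
    return 0;
}

/* Parse a container back into at most max_blobs iovecs that point into the
 * input (no copies). Returns the number of blobs, or -1 if a length prefix
 * overruns the input or there are more blobs than fit. */
static int blobs_parse(const struct iovec *in, struct iovec *blobs, size_t max_blobs) {
    const uint8_t *p = in->iov_base, *end = p + in->iov_len;
    size_t n = 0;
    while (p < end) {
        uint32_t len;
        if ((size_t) (end - p) < 4)
            return -1;                       /* truncated length field */
        memcpy(&len, p, 4); p += 4;
        if (len > (size_t) (end - p) || n >= max_blobs)
            return -1;                       /* truncated payload or too many blobs */
        blobs[n].iov_base = (void *) p;
        blobs[n].iov_len = len;
        p += len; n++;
    }
    return (int) n;
}
```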

@poettering poettering added this to the v256 milestone Nov 21, 2023
@github-actions github-actions bot added the documentation, tests, repart and please-review (PR is ready for (re-)review by a maintainer) labels Nov 21, 2023

@github-actions github-actions bot commented Nov 21, 2023

We have successfully released a new major release. We are no longer in a development freeze phase.
We will try our best to get back to your PR as soon as possible. Thank you for your patience.

@poettering poettering force-pushed the pcrlock-root branch 3 times, most recently from 80e66b9 to b6a8f87 on December 7, 2023 21:34

@poettering (Member, Author) commented:

force pushed a new version with some points addressed, but see discussions above.

@bluca bluca merged commit f70daee into systemd:main Jan 23, 2024