heads
Setting a TPM Disk Unlock Key fails without error and is not user-friendly.
To fix:
- Initial setup of the disk unlock key sets up kexec_key_devices.txt
- We can use cryptsetup to check all blkid devices for a LUKS header and suggest those devices automatically, so the user only enters them once; they are saved to be reused.
- That file contains encrypted devices/encrypted LVM (still not tested on my side)
- That is, `/dev/sdaX UUID` in the case of encrypted devices
- Next runs should not ask again to:
  - set up the encrypted LVM group if not defined in that file
  - set up encrypted devices
- It should actually prompt the user to reuse the key devices already defined in kexec_key_devices.txt and simply reuse them if the user accepts
- Note that if the Disk Recovery Key (passphrase should be added here) entered is bad, it silently fails and goes back to boot selection when trying to set a Disk Unlock Key, instead of looping, or at least stopping so the user can read the error.
- Note that the initial setup of the TPM Disk Encryption Key is bad: `Do you wish to add a disk encryption to the TPM` is just a wrong sentence, missing `key`, and should be `TPM Disk Encryption Key and passphrase`. Otherwise we are training users to mix keys and passphrases, and it's already complicated here. If not OK with the glossary, we should modify the glossary; otherwise we have no clue what we are talking about. I will also move glossary terms with Capitals.
- On booting default, the user is asked to type the unlock password. Those should be the same and should be `TPM Disk Encryption Key passphrase` (because it's what is asked here, not the key), and setting it up should prompt to set up a TPM Disk Unlock Key, and ask for a passphrase, not a password.
- I thought we all agreed that the coined term was TPM Disk Encryption Key, which is too long, and should be TPM Disk Unlock Key and TPM Disk Unlock Key passphrase, while the glossary is naming it TPM encryption key. So, to not change anything, the prompt will be changed to `TPM Disk Encryption Key passphrase`.
Additionally, for the record:
- Show boot options silently fails if the signature check fails, going back to the menu
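The device discovery and reuse flow from the list above, as an added shell example that is not Heads' own code. It assumes the file lives at `/boot/kexec_key_devices.txt` and holds one `<device> <uuid>` line per entry (the issue gives only the file name and `/dev/sdaX UUID`); the blkid sample embedded in it is constructed. It goes one step beyond the list by confirming every candidate with `cryptsetup isLuks` rather than trusting blkid's TYPE field alone:

```shell
#!/bin/sh
# Added example, not Heads code: find LUKS devices, confirm them with
# cryptsetup, and reuse an existing kexec_key_devices.txt instead of asking
# again.  The file location and the "<device> <uuid>" line format are
# assumptions (the issue gives only the file name and "/dev/sdaX UUID").
KEY_DEVICES_FILE="${KEY_DEVICES_FILE:-/boot/kexec_key_devices.txt}"

# Constructed sample of default blkid(8) output, used by demo_candidates.
SAMPLE_BLKID='/dev/sda1: UUID="3A1B-9C2D" TYPE="vfat" PARTUUID="0001-01"
/dev/sda2: UUID="f0e1d2c3-aaaa-bbbb-cccc-0123456789ab" TYPE="crypto_LUKS" PARTUUID="0001-02"
/dev/mapper/vg-root: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"
/dev/nvme0n1p3: UUID="deadbeef-0000-1111-2222-333333333333" TYPE="crypto_LUKS"'

# Read blkid output on stdin, print "<device> <uuid>" for every crypto_LUKS
# line.  Pure POSIX sh so it also runs under busybox in the Heads initrd.
luks_devices_from_blkid() {
    while IFS= read -r line; do
        case "$line" in *'TYPE="crypto_LUKS"'*) ;; *) continue ;; esac
        # require ' UUID="' with a leading space so PARTUUID="..." is not matched
        case "$line" in *' UUID="'*) ;; *) continue ;; esac
        dev=${line%%:*}
        uuid=${line#*' UUID="'}
        uuid=${uuid%%'"'*}
        printf '%s %s\n' "$dev" "$uuid"
    done
    return 0
}

# Candidates from the constructed sample (a real run pipes `blkid` instead).
demo_candidates() {
    printf '%s\n' "$SAMPLE_BLKID" | luks_devices_from_blkid
}

# blkid's TYPE field can be stale; `cryptsetup isLuks` exits 0 only when the
# device really carries a LUKS header.
is_luks() {
    cryptsetup isLuks "$1" >/dev/null 2>&1
}

# Print saved entries; exit status 1 when the file is missing or empty.
saved_key_devices() {
    [ -s "$KEY_DEVICES_FILE" ] && cat "$KEY_DEVICES_FILE"
}

# Yes/no prompt with yes as the default (Enter alone means yes); 0 for yes.
ask_yes() {
    printf '%s [Y/n] ' "$1" >&2
    read -r answer || answer=""
    case "$answer" in n|N|no|NO) return 1 ;; *) return 0 ;; esac
}

# Offer to reuse the saved list; otherwise scan, confirm each device with the
# user and write the new list atomically.
select_key_devices() {
    if saved_key_devices >/dev/null; then
        echo "Key devices already saved in $KEY_DEVICES_FILE:" >&2
        saved_key_devices >&2
        ask_yes "Reuse them?" && return 0
    fi
    candidates=$(blkid | luks_devices_from_blkid)
    if [ -z "$candidates" ]; then
        echo "blkid reports no LUKS devices; nothing to save" >&2
        return 1
    fi
    tmp="$KEY_DEVICES_FILE.tmp"
    : > "$tmp"
    # candidates arrive on fd 3 so that ask_yes can still read the user on fd 0
    while read -r dev uuid <&3; do
        is_luks "$dev" || { echo "Skipping $dev: no LUKS header" >&2; continue; }
        if ask_yes "Use $dev ($uuid) as a key device?"; then
            printf '%s %s\n' "$dev" "$uuid" >> "$tmp"
        fi
    done 3<<EOF
$candidates
EOF
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "No key devices selected" >&2
        return 1
    fi
    mv "$tmp" "$KEY_DEVICES_FILE"
}

# From a setup script:  select_key_devices || exit 1
```

Because the list is written with the real device path, a disk that later enumerates differently still carries its UUID; a follow-up step can re-resolve the path from the saved UUID before falling back to a fresh scan. In Heads the resulting file sits under /boot and therefore has to be covered by the /boot signature, which is the same signing step the later comments in this thread talk about.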
This is what is happening to me, posted at the bottom of #1170
How do I fix this? What do you mean by signature check fails?
I re-signed my files & it fixed this issue, as well as hitting Enter instead of typing 'y' for the first prompt.
> What do you mean by signature check fails?
Heads checks and returns an error on the console in between two fbwhiptail graphic outputs, hence the user doesn't see the signature validation failing.
It requires the user to sign /boot from the menu.
The solution to this is to switch those "warn" messages to "error" messages and have an error logging function that waits for user input.
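The warn-versus-error split proposed in the last comment, as an added shell example that is not Heads' own code. The function names, the `run_checked` wrapper and the gpgv invocation with its keyring and file paths are choices made for this example; what it demonstrates is a failure that stops for the user instead of returning straight to a menu that repaints over the message:

```shell
#!/bin/sh
# Added example, not Heads code: a warn() that only logs versus an error that
# blocks until the user presses Enter, so a message printed on the console
# between two fbwhiptail screens cannot vanish before anyone reads it.
# warn, error_pause, run_checked, verify_detached_signature and
# show_boot_options are names chosen for this example.

# Log and carry on.  Anything that redraws the screen right after this hides it.
warn() {
    echo "!!! $*" >&2
    return 0
}

# Log, wait for Enter, then return 1 so the caller goes back to the menu only
# once the user has seen the message.  read also returns at EOF, which keeps
# non-interactive callers (scripts, tests) from hanging.
error_pause() {
    echo "!!! $*" >&2
    printf 'Press Enter to return to the menu... ' >&2
    read -r _ignored || true
    return 1
}

# Run "cmd args..." and route a failure through error_pause instead of warn.
# Usage: run_checked "what this step is" cmd args...
run_checked() {
    desc=$1
    shift
    "$@" && return 0
    rc=$?
    error_pause "$desc failed (exit status $rc)"
}

# A signature check that fails loudly.  Heads checks /boot against a GPG
# signature; the gpgv flags, keyring path and file names here are placeholders.
verify_detached_signature() {
    keyring=$1 sigfile=$2 datafile=$3
    run_checked "Signature check of $datafile" \
        gpgv --keyring "$keyring" "$sigfile" "$datafile"
}

# The menu step: a bad (or missing) signature now stops here with a visible
# message instead of silently dropping back to boot selection.
show_boot_options() {
    verify_detached_signature "$1" "$2" "$3" || return 1
    echo "signature ok, listing boot options from $3"
}

# Interactive use:  show_boot_options /path/to/keyring /boot/kexec.sig /boot/kexec.txt
```

The point of `read` in `error_pause` is that the pause happens before control returns to whatever draws the next fbwhiptail screen, so the message is on the console for as long as the user needs; a non-zero return keeps the menu logic the same as before, only later.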