kairos
UKI: kcrypt unlock-all doesn't unlock TPM-bound partitions
Currently unlocking partitions encrypted with TPM manually by calling kcrypt unlock-all doesn't work.
A workaround exists and is documented in https://kairos.io/docs/installation/trustedboot/#mount-partitions-after-install
To reproduce:
- In the Kairos config, try to run kcrypt unlock-all in an after-install stage (e.g. to write some files to the disk)
- Install Kairos in UKI mode
- See installation failing.
Possible solution:
Introduce a new stage/hook (e.g. "after-decrypt") to allow people to run code right after decrypting the disks. This stage will also make sure the disk is encrypted again when the stage is done.
Also, there is a --tpm flag in the kcrypt unlock-all command that might work around the issue.
kcrypt unlock-all could work if we add a --tpm flag so it knows it needs to go over the tpm unlock workflow instead of the usual one.
kcrypt has the --tpm flag since: https://github.com/kairos-io/kcrypt/commit/94af8c8d
And it works:
[root@fedora kairos]# blkid
/dev/sr0: BLOCK_SIZE="2048" UUID="2024-03-22-06-21-55-00" LABEL="UKI_ISO_INSTALL" TYPE="iso9660"
/dev/loop0: UUID="382D-CD50" BLOCK_SIZE="512" TYPE="vfat"
/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem" PARTUUID="88b189b8-ff89-49fc-92c0-a2ed101960df"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="d5ff410d-26bb-4af9-a2cc-b00b9cbaf5d0"
/dev/vda1: LABEL_FATBOOT="COS_GRUB" LABEL="COS_GRUB" UUID="1DE8-4BAA" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="efi" PARTUUID="2c953d75-6869-49eb-83b0-660ebbd42753"
[root@fedora kairos]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 458M 1 loop /run/rootfsbase
sr0 11:0 1 458.4M 0 rom /run/initramfs/live
vda 252:0 0 40G 0 disk
├─vda1 252:1 0 15G 0 part
├─vda2 252:2 0 64M 0 part
└─vda3 252:3 0 24.9G 0 part
[root@fedora kairos]# kcrypt unlock-all
Got luks UUID 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
for partition vda2
Unmounted Luks found at '/dev/vda2'
Checking uuid: 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
Unlocking failed: 'Unable to get a keyslot with id: 0'
Got luks UUID 85c39d0f-4867-5227-8334-f5eec606d9eb
for partition vda3
Unmounted Luks found at '/dev/vda3'
Checking uuid: 85c39d0f-4867-5227-8334-f5eec606d9eb
Unlocking failed: 'Unable to get a keyslot with id: 0'
[root@fedora kairos]# kcrypt unlock-all --tpm
Got luks UUID 8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e
for partition vda2
Unmounted Luks found at '/dev/vda2'
Got luks UUID 85c39d0f-4867-5227-8334-f5eec606d9eb
for partition vda3
Unmounted Luks found at '/dev/vda3'
[root@fedora kairos]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 458M 1 loop /run/rootfsbase
sr0 11:0 1 458.4M 0 rom /run/initramfs/live
vda 252:0 0 40G 0 disk
├─vda1 252:1 0 15G 0 part
├─vda2 252:2 0 64M 0 part
│ └─vda2 253:0 0 48M 0 crypt
└─vda3 252:3 0 24.9G 0 part
  └─vda3 253:1 0 24.9G 0 crypt
[root@fedora kairos]# blkid
/dev/sr0: BLOCK_SIZE="2048" UUID="2024-03-22-06-21-55-00" LABEL="UKI_ISO_INSTALL" TYPE="iso9660"
/dev/loop0: UUID="382D-CD50" BLOCK_SIZE="512" TYPE="vfat"
/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem" PARTUUID="88b189b8-ff89-49fc-92c0-a2ed101960df"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="d5ff410d-26bb-4af9-a2cc-b00b9cbaf5d0"
/dev/vda1: LABEL_FATBOOT="COS_GRUB" LABEL="COS_GRUB" UUID="1DE8-4BAA" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="efi" PARTUUID="2c953d75-6869-49eb-83b0-660ebbd42753"
/dev/mapper/vda3: LABEL="COS_PERSISTENT" UUID="8ce7c934-a70c-41c4-9d6e-e717fe4ce167" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/vda2: LABEL="COS_OEM" UUID="ae859253-ec7d-46db-b891-2321fcacbb7c" BLOCK_SIZE="1024" TYPE="ext4"
Nothing more to do I guess?
Introduced in version 0.9.0: https://github.com/kairos-io/kcrypt/compare/v0.7.0...v0.9.0 (cut on December 18th: https://github.com/kairos-io/kcrypt/releases/tag/v0.9.0)
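The issue body proposes an "after-decrypt" style hook that unlocks the disks, lets the user do their work, and leaves the disks encrypted again afterwards, and the comments show that the TPM workflow is selected with kcrypt unlock-all --tpm. The script below is an added example, not kcrypt or Kairos code: it parses blkid-style output (the sample is constructed from the output quoted in this issue, with vda3 already opened and vda2 still closed), reports which crypto_LUKS partitions already have a /dev/mapper device, and prints, without executing anything, the unlock / mount / work / unmount / close sequence for the ones that are still closed. The mount point under /mnt, the placeholder work command, and the use of cryptsetup close for relocking are assumptions of this example.

```shell
#!/bin/sh
# Added example (not kcrypt/Kairos code). Dry-run planner for an
# "unlock with TPM, do work, relock" step over LUKS partitions.

# Constructed sample in blkid(8) format, derived from the output in the
# issue: vda3 is already opened (/dev/mapper/vda3 present), vda2 is not.
SAMPLE_BLKID='/dev/vda2: UUID="8bfa06f9-ca4f-56dc-90c9-49cf20f4f45e" TYPE="crypto_LUKS" PARTLABEL="oem" PARTUUID="88b189b8-ff89-49fc-92c0-a2ed101960df"
/dev/vda3: UUID="85c39d0f-4867-5227-8334-f5eec606d9eb" TYPE="crypto_LUKS" PARTLABEL="persistent" PARTUUID="d5ff410d-26bb-4af9-a2cc-b00b9cbaf5d0"
/dev/vda1: LABEL="COS_GRUB" UUID="1DE8-4BAA" TYPE="vfat" PARTLABEL="efi"
/dev/mapper/vda3: LABEL="COS_PERSISTENT" UUID="8ce7c934-a70c-41c4-9d6e-e717fe4ce167" TYPE="ext4"'

# luks_partitions: read blkid output on stdin, print "device partlabel"
# for every line whose TYPE is crypto_LUKS.
luks_partitions() {
    awk -F': ' '/TYPE="crypto_LUKS"/ {
        dev = $1
        label = ""
        if (match($0, /PARTLABEL="[^"]*"/)) {
            # strip the 11-char prefix PARTLABEL=" and the closing quote
            label = substr($0, RSTART + 11, RLENGTH - 12)
        }
        print dev, label
    }'
}

# is_opened DEV: succeed if blkid output on stdin lists /dev/mapper/<name>
# for DEV, i.e. the LUKS container is already unlocked.
is_opened() {
    name=$(basename "$1")
    grep -q "^/dev/mapper/$name:"
}

# relock_plan [WORK_CMD]: read blkid output on stdin and print the command
# sequence an after-decrypt hook would run for every still-closed LUKS
# partition. Nothing is executed; the caller inspects or runs the plan.
relock_plan() {
    work_cmd=${1:-"echo 'write files here'"}   # placeholder work step
    blkid_out=$(cat)
    closed=$(printf '%s\n' "$blkid_out" | luks_partitions | while read -r dev label; do
        printf '%s\n' "$blkid_out" | is_opened "$dev" || echo "$dev $label"
    done)
    if [ -z "$closed" ]; then
        echo "# all LUKS partitions already open"
        return 0
    fi
    # one unlock pass with the TPM workflow, as shown in the issue
    echo "kcrypt unlock-all --tpm"
    printf '%s\n' "$closed" | while read -r dev label; do
        name=$(basename "$dev")
        echo "mount /dev/mapper/$name /mnt/$label"   # assumed mount point
        echo "$work_cmd"
        echo "umount /mnt/$label"
        echo "cryptsetup close $name"               # leave it encrypted again
    done
}

# Demo on the constructed sample: prints the plan for vda2 only.
printf '%s\n' "$SAMPLE_BLKID" | relock_plan
```

Feeding real output (blkid | relock_plan 'cp /oem/config.yaml /mnt/oem/') gives the same plan for the live system; checking for the /dev/mapper device before and after is the same verification the lsblk and blkid listings in the thread perform by hand.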