
clevis luks bind with tpm2 fails on Ubuntu 18.04

Open dnoliver opened this issue 6 years ago • 4 comments

Test Script

NOTE: Cannot be non-interactive because of #105

#!/bin/bash

set -x
set -e

# Record which clevis and cryptsetup packages are installed and from which archive
apt-cache policy \
	clevis \
	clevis-luks \
	clevis-udisks2 \
	clevis-tpm2 \
	cryptsetup

# Talk to the TPM through the kernel resource manager device
export TPM2TOOLS_TCTI_NAME=device
export TPM2TOOLS_DEVICE_FILE=/dev/sdb1
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0

# Fresh LUKS volume on /dev/sdb1; the passphrase is typed interactively (see #105),
# the random hex in ./key is generated but not used by the commands below
openssl rand -hex 8 > key
cryptsetup --verify-passphrase --verbose luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 c1
mkfs.ext4 /dev/mapper/c1
sleep 1
cryptsetup luksClose c1

# Bind a tpm2 pin sealed to PCRs 1 and 2 of the sha1 bank, then try a TPM-only unlock;
# the same bind/unlock pair is run twice so a second slot gets added
clevis luks bind -f -d /dev/sdb1 tpm2 '{"pcr_bank":"sha1", "pcr_ids":"1,2"}'
clevis luks unlock -d /dev/sdb1 -n c1 || echo 'Failed'
clevis luks bind -f -d /dev/sdb1 tpm2 '{"pcr_bank":"sha1", "pcr_ids":"1,2"}'
clevis luks unlock -d /dev/sdb1 -n c1 || echo 'Failed'
ls /dev/mapper/c1

set +e
set +x

Test Script output

+ set -e
+ apt-cache policy clevis clevis-luks clevis-udisks2 clevis-tpm2 cryptsetup
clevis:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
     8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
clevis-luks:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
     8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
clevis-udisks2:
  Installed: 8-1
  Candidate: 8-1
  Version table:
 *** 8-1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status
clevis-tpm2:
  Installed: 11-1
  Candidate: 11-1
  Version table:
 *** 11-1 100
        100 /var/lib/dpkg/status
cryptsetup:
  Installed: 2:2.0.2-1ubuntu1.1
  Candidate: 2:2.0.2-1ubuntu1.1
  Version table:
 *** 2:2.0.2-1ubuntu1.1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:2.0.2-1ubuntu1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+ export TPM2TOOLS_TCTI_NAME=device
+ TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+ TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+ openssl rand -hex 8
+ cryptsetup --verify-passphrase --verbose luksFormat /dev/sdb1

WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb1: 
Verify passphrase: 
Command successful.
+ cryptsetup luksOpen /dev/sdb1 c1
Enter passphrase for /dev/sdb1: 
+ mkfs.ext4 /dev/mapper/c1
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 7685376 4k blocks and 1921360 inodes
Filesystem UUID: 7e95228f-3d82-4bc4-a500-d51f04452006
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
	4096000

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done   

+ sleep 1
+ cryptsetup luksClose c1
+ clevis luks bind -f -d /dev/sdb1 tpm2 '{"pcr_bank":"sha1", "pcr_ids":"1,2"}'
Enter existing LUKS password: 
2
+ clevis luks unlock -d /dev/sdb1 -n c1
+ echo Failed
Failed
+ clevis luks bind -f -d /dev/sdb1 tpm2 '{"pcr_bank":"sha1", "pcr_ids":"1,2"}'
Enter existing LUKS password: 
3
+ clevis luks unlock -d /dev/sdb1 -n c1
+ ls /dev/mapper/c1
/dev/mapper/c1
+ set +e
+ set +x

Clevis Luks Bind only works once I added the second slot. If I try to run the same test again, Clevis Luks Bind will consistently fail with "Error while saving Clevis metadata in LUKSMeta!". So, this test only works when I reformat my /dev/sdb1 completely (using the disk utility in Ubuntu). Note that I am using Clevis-11 in Ubuntu 18.04, by adding the Ubuntu disco repository.

So in summary, there are 2 issues:

  1. With a disk formatted from scratch, clevis-luks-unlock will fail to unlock the partition with a single slot, and will succeed if a second slot (with the same configuration in this case) is applied.
  2. With a disk already formatted, clevis-luks-bind will fail to add a slot, with the error message "Error while saving Clevis metadata in LUKSMeta!".

dnoliver, Jun 21 '19 22:06
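The second symptom above (bind fails on a disk that has already been through this procedure once, and only a full wipe with the disk utility clears it) is the kind of state a practitioner would want to inspect before re-running `clevis luks bind`. The script below is an added diagnostic, not code from the reporter or from the clevis project. It classifies the per-slot lines that `luksmeta show -d DEV` prints for a LUKS1 device (`<slot> <active|inactive> <empty|UUID>`), flagging slots whose metadata carries the clevis tag while the LUKS key slot itself is inactive. The clevis tag UUID is taken from the clevis sources as an assumption; the sample `luksmeta show` output is constructed for the example, not captured from the reporter's machine, and whether stale metadata is actually what this thread hit is not established by the thread itself.

```shell
#!/bin/bash
# Added diagnostic for the issue above; not clevis project code and not the
# reporter's script. Classifies `luksmeta show -d DEV` output (LUKS1 layout,
# one line per slot: "<slot> <active|inactive> <empty|UUID>") so that a stale
# clevis entry (clevis tag present, key slot inactive) is visible before the
# next `clevis luks bind`.

# UUID clevis uses as its luksmeta tag (assumed from the clevis sources).
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"

# classify_slots: read `luksmeta show` output on stdin, print "<slot> <class>".
classify_slots() {
    while read -r slot state uuid; do
        [ -n "$slot" ] || continue
        case "$state:$uuid" in
            "active:$CLEVIS_UUID")   echo "$slot clevis" ;;               # live clevis binding
            "inactive:$CLEVIS_UUID") echo "$slot stale-clevis" ;;         # tag outlived the key slot
            active:empty)            echo "$slot key-without-metadata" ;; # e.g. the passphrase slot
            inactive:empty)          echo "$slot free" ;;                 # nothing there, bind can use it
            active:*)                echo "$slot other-metadata" ;;       # tagged by something else
            *)                       echo "$slot stale-other" ;;
        esac
    done
}

# count_class CLASS: number of classified lines in CLASS, read from stdin.
count_class() {
    awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed sample (not real output): slot 0 holds the passphrase, slot 1 is a
# left-over clevis tag whose key slot is gone, slot 2 is a live clevis binding.
SAMPLE_LUKSMETA_SHOW='0   active empty
1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
2   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

# stale_clevis_slots_in_sample: how many stale clevis slots the sample contains.
stale_clevis_slots_in_sample() {
    printf '%s\n' "$SAMPLE_LUKSMETA_SHOW" | classify_slots | count_class stale-clevis
}

# class_of_slot SLOT: the class assigned to one slot of the sample.
class_of_slot() {
    printf '%s\n' "$SAMPLE_LUKSMETA_SHOW" | classify_slots | awk -v s="$1" '$1 == s { print $2 }'
}

# With a device argument (and root plus the luksmeta binary) classify the real
# device, e.g. ./luksmeta-slots.sh /dev/sdb1; otherwise show the sample.
if [ -n "${1:-}" ] && command -v luksmeta >/dev/null 2>&1; then
    luksmeta show -d "$1" | classify_slots
else
    printf '%s\n' "$SAMPLE_LUKSMETA_SHOW" | classify_slots
fi
```

Run against the real device after a failed bind, any `stale-clevis` line names a slot whose metadata can be cleared with `luksmeta wipe -d /dev/sdb1 -s N` without touching the whole header, which is a much smaller operation than the full reformat the reporter fell back to. If every slot comes back `free` or `key-without-metadata` and bind still fails, the luksmeta state is not the explanation and the bind script itself is the next thing to trace.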

It looks like the bind does work on 19.04.

daheise, Aug 13 '19 16:08

I submitted an issue some weeks ago to Launchpad asking for an update:

update clevis, clevis-luks, and clevis-tpm2 packages to clevis-11 in 18.04

Hope it gets solved!

dnoliver, Aug 13 '19 16:08

It looks like there is still a bug in v11 that will crop up in an update: #112

It's been fixed on master, but not in a tagged release.

daheise, Aug 13 '19 17:08

It looks like Ubuntu just pulls Clevis straight from Debian, so I've reported two issues to the Debian maintainer:

  • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934923
  • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934923

daheise, Aug 16 '19 16:08