clevis
ERROR: installing 'clevis-decrypt-http' on Ubuntu 19.04
I get the following error when running dracut -f after binding luks with tpm2 on Ubuntu 19.04:
dracut-install: ERROR: installing 'clevis-decrypt-http'
dracut: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.Sj4n83/initramfs -a /etc/services clevis-decrypt-http clevis-decrypt-tang clevis-decrypt-sss /usr/lib/x86_64-linux-gnu/clevis-luks-askpass clevis-decrypt luksmeta clevis mktemp curl jose socat
The command clevis-decrypt-http does not exist. The only unlock function I need is tpm2. Is there a file I can edit to achieve this?
Changing /usr/lib/dracut/modules.d/60clevis/module-setup.sh from
inst_multiple /etc/services \
clevis-decrypt-http \
clevis-decrypt-tang \
clevis-decrypt-sss \
/usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
clevis-decrypt \
luksmeta \
clevis \
mktemp \
curl \
jose \
socat
to
inst_multiple /etc/services \
clevis-decrypt-tang \
clevis-decrypt-sss \
/usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
clevis-decrypt \
luksmeta \
clevis \
mktemp \
curl \
jose \
socat
Got the initramfs to build, but I still haven't achieved a TPM unlock.
Ubuntu implements encryption on LVM volumes. I get prompted for a passphrase for sda3_crypt. When I try to bind clevis to that device, I get the following:
sudo clevis luks bind -d /dev/mapper/sda3_crypt tpm2 '{}'
/dev/mapper/sda3_crypt is not a LUKS device!
I have tried binding to /dev/sda3 to no avail. The bind succeeds, but I'm not able to boot without a password.
Diff between the Fedora 30 module-setup.sh and the Ubuntu 19.04 module-setup.sh:
--- module-setup.sh 2019-08-14 11:00:38.381192804 -0400
+++ /usr/lib/dracut/modules.d/60clevis/module-setup.sh 2018-10-30 17:55:28.000000000 -0400
@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2016 Red Hat, Inc.
@@ -19,12 +19,12 @@
#
depends() {
- echo crypt systemd
+ echo crypt systemd network
return 0
}
cmdline() {
- echo ""
+ echo "rd.neednet=1"
}
install() {
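Review bot: the depends() and cmdline() changes in this hunk make every initramfs built with the module pull in the network module and boot with rd.neednet=1, even when the only pin in use is tpm2, which is the reporter's case. Bringing networking up unconditionally in early boot stalls the boot when no link is available and enlarges what runs before the root volume is unlocked; consider adding network / rd.neednet=1 only when a tang or sss binding is actually present, or leaving it to the user's kernel command line as the Fedora version does with echo "".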
@@ -36,21 +36,20 @@
inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
inst_multiple /etc/services \
+ clevis-decrypt-http \
clevis-decrypt-tang \
clevis-decrypt-sss \
- /usr/libexec/clevis-luks-askpass \
+ /usr/lib/x86_64-linux-gnu/clevis-luks-askpass \
clevis-decrypt \
- cryptsetup \
luksmeta \
clevis \
mktemp \
curl \
jose \
- nc
+ socat
for cmd in clevis-decrypt-tpm2 \
tpm2_createprimary \
- tpm2_pcrlist \
tpm2_unseal \
tpm2_load; do
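Review bot: the inst_multiple list in this hunk adds clevis-decrypt-http, which does not exist in this clevis version; inst_multiple treats a missing file as fatal, so dracut aborts exactly as reported at the top of the thread, and deleting that entry is the workaround given above. The same list drops cryptsetup, which clevis-luks-askpass calls directly (the later report says it cannot find cryptsetup on lines 52 and 67), and the for cmd in guard loop drops tpm2_pcrlist; whether that is safe depends on what the packaged clevis-decrypt-tpm2 actually calls, so verify against the shipped script. Note also that the guard silently skips all tpm2 tooling when any one command is missing on the build host, which a later comment in this thread runs into; failing loudly there would save debugging at boot.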
@@ -62,10 +61,8 @@
if (($ret == 0)); then
inst_multiple clevis-decrypt-tpm2 \
tpm2_createprimary \
- tpm2_pcrlist \
tpm2_unseal \
tpm2_load
- inst_libdir_file "libtss2-tcti-device.so*"
fi
dracut_need_initqueue
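Review bot: removing inst_libdir_file "libtss2-tcti-device.so*" leaves the tpm2 tools without a TCTI inside the initramfs. libtss2-esys loads the TCTI module with dlopen() at runtime, so dracut's ldd-based dependency scan does not copy it in, and tpm2_createprimary then fails in early boot while working on the booted system. That matches the "Creating TPM2 primary key failed!" / "Unable to run tpm2_createprimary" reports later in this thread; restore the line and confirm with lsinitramfs that the library lands in the image.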
Whether using the Ubuntu package or building from source, during dracut-initqueue on boot I get an error in clevis-luks-askpass saying that cryptsetup cannot be found on lines 52 and 67. This is despite cryptsetup clearly being placed in usr/sbin/cryptsetup during dracut -f.
$ sudo lsinitramfs /boot/initramfs-5.0.0-25-generic.img | grep cryptsetup
usr/lib/systemd/system-generators/systemd-cryptsetup-generator
usr/lib/systemd/system/cryptsetup.target
usr/lib/systemd/system/sysinit.target.wants/cryptsetup.target
usr/lib/systemd/systemd-cryptsetup
usr/lib/x86_64-linux-gnu/libcryptsetup.so
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12
usr/lib/x86_64-linux-gnu/libcryptsetup.so.12.4.0
usr/sbin/cryptsetup
This change isn't reflected in a tagged release, which is at least one reason Debian is having issues.
How do you build on 19.04? I'm blocked by #126 there.
I have this problem too. Is there any advice for working around it?
I have gotten the unlock tools to be recognized in the initrd for Debian finally. I have not gotten the unlock to work yet. A summary of getting to this point is below.
- Modify /usr/lib/dracut/modules.d/60clevis/module-setup.sh: remove `clevis-decrypt-http` and add the following:
/usr/sbin/cryptsetup \
clevis-decrypt-tpm2 \
tpm2_createprimary \
tpm2_unseal \
tpm2_load \
tpm2_pcrlist
The guard for clevis-decrypt-tpm2 prevents these items from being added. I don't know why.
- Update the initrd file. (RHEL-based distros use initramfs)
sudo dracut -fv /boot/initrd.img-$(uname -r)
Now I get the following error on boot emitted by clevis' clevis-decrypt-tpm2: "Creating TPM2 primary key failed!". I think this is caused by another error emitted from tpm2_createprimary expressed as follows: ERROR on line: "168" in file: "tools/tpm2_tool.c": Unable to run tpm2_createprimary. I have found no leads on these latter two errors. I expect some kind of TPM ownership issue.
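A defender-side check for the two failure modes described in this and the earlier posts (unlock tools or the TCTI library missing from the initramfs, and the TPM resource manager device being absent), written as an added example rather than code from clevis or from any poster. It reads a listing such as lsinitramfs produces; the required names are taken from the module-setup.sh diff above and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not clevis project code): check an initramfs listing, as printed by
# lsinitramfs (Debian/Ubuntu) or lsinitrd (Fedora), for what the tpm2 pin needs at
# boot. Names come from the module-setup.sh diff in this thread; sample is constructed.
REQUIRED_BINS="cryptsetup clevis clevis-decrypt clevis-decrypt-tpm2 clevis-luks-askpass luksmeta jose tpm2_createprimary tpm2_load tpm2_unseal"
# libtss2-esys dlopen()s the TCTI at runtime, so dracut's ldd-based dependency scan
# never copies it in unless module-setup.sh installs it explicitly.
REQUIRED_LIBS="libtss2-tcti-device.so"

# missing_from_listing LISTING: prints one line per absent item, returns 1 if any.
missing_from_listing() {
    listing=$1
    rc=0
    for name in $REQUIRED_BINS; do
        # binaries may sit in bin, sbin or a libexec-style dir: match the basename only
        if ! printf '%s\n' "$listing" | grep -q "/${name}\$"; then
            echo "missing binary: $name"
            rc=1
        fi
    done
    for lib in $REQUIRED_LIBS; do
        if ! printf '%s\n' "$listing" | grep -q "/${lib}"; then
            echo "missing library: $lib"
            rc=1
        fi
    done
    return $rc
}

# tpm2_rm_available [DEVDIR]: true when the in-kernel resource manager node exists.
# Without it clevis prints "A TPM2 device with the in-kernel resource manager is
# needed!", which is also what an installer chroot without /dev mounted produces.
tpm2_rm_available() {
    [ -c "${1:-/dev}/tpmrm0" ]
}

# Constructed sample: the lsinitramfs lines quoted in this thread plus the tpm2
# tools, deliberately without the TCTI library.
SAMPLE_LISTING="usr/sbin/cryptsetup
usr/lib/x86_64-linux-gnu/clevis-luks-askpass
usr/bin/clevis
usr/bin/clevis-decrypt
usr/bin/clevis-decrypt-tpm2
usr/bin/luksmeta
usr/bin/jose
usr/bin/tpm2_createprimary
usr/bin/tpm2_load
usr/bin/tpm2_unseal"
# Real use: missing_from_listing "$(lsinitramfs /boot/initrd.img-$(uname -r))"
```

Run it against the image grub actually loads (see the later comment about the dracut image not being the one in use), not just the newest file in /boot.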
I am also failing to unlock the full encrypted disk bound with clevis + TPM2.0. I always have to supply password manually after Dracut fails. Tried it on 19.10.
Also, is there a way to get clevis-tpm2 to run on 18.04?
Any help is appreciated.
@bviktor Sorry, not familiar with Noobuntu, could you elaborate how I would integrate in standard distribution of Ubuntu 18.04?
Read the linked ansible code.
I'm building a fresh preseed/simple-cdd install image, and actually, I now have this working with the standard debian packages, and the fixed dracut module-setup.sh. My problem was that I didn't realise the dracut image wasn't being used by grub! Now I explicitly specify the initrd.img, it's all working. I bind using the following, and to the sda5 device, not the mapper device. Maybe that's the difference here?
/usr/bin/clevis luks bind -d /dev/sda5 tpm2 '{"pcr_ids": "1,2,5,7"}'
If you do cryptsetup luksDump /dev/sdX, do you see the clevis key?
This works for me in the freshly installed and booted OS, and when I reboot, I get the password prompt, then 2-3 seconds later, the automatic unlock. If I try to run this as part of my postinstall, before booting the OS properly, I get this error:
in-target: A TPM2 device with the in-kernel resource manager is needed!
I'll try and troubleshoot this, but may raise another issue for help.
The point is, you don't need dracut, because Clevis v12 supports initramfs-tools.
@bviktor As I understood, you have built your own clevis package with a patch, but you also have custom tpm2-tss and tpm2-tools. Do I need that for clevis 12?
Yes, because the Ubuntu versions are too old. All the deb build scripts are here:
https://github.com/noobient/noobuntu/tree/master/share
And all the packages are here:
https://nexus.noobient.com/#browse/browse:noobuntu
The only patch I have is a revert for a oneliner, and the issue has been reported already :)
@bviktor Thanks for the resources you have provided!
Unfortunately, I tried your packages with the initramfs-tools unlocker, and even with dracut, but Ubuntu just won't decrypt on its own. Just hangs on the passphrase prompt :/
However, it seems clevis works with Fedora just fine (as described here https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/). I tried it and it worked as expected (I mean on dracut).
Is there a clevis alternative for ubuntu?
Well we're using this on ~30 workstations already, so it definitely works. This is the guide we're using:
https://github.com/noobient/noobuntu/wiki/Full-Disk-Encryption
I'd try on a clean install first, dracut may have messed things up a little.
@bviktor Thanks for providing the guide. I did a fresh install of 18.04, installed the noobuntu repo packages, followed the guide, but the automatic unlock does not happen. I started to think there is a HW problem, but then, why would it work with Fedora, and not with Ubuntu.
Here is the output of sudo cryptsetup luksDump /dev/nvme0n1p3:
LUKS header information for /dev/nvme0n1p3
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 1f 9b 9b 9a 17 53 26 39 e8 c8 8a 63 ac f4 6a fa fb 7d 8c 9e
MK salt: e7 3c 24 a7 7d c5 2c 07 fa 5f d2 a8 48 e3 02 8e
ba 36 93 b4 42 31 0b a3 8f ad 63 29 0a e5 c2 da
MK iterations: 117870
UUID: 76fed620-05cf-4b16-8b8a-4876435a2fef
Key Slot 0: ENABLED
Iterations: 1885928
Salt: 3d e2 ac dd e8 95 9e 01 6e c6 81 7d 41 5b f8 c6
be c4 fa 68 f3 27 2c ea c9 ed ec 92 e7 8b 90 48
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 1801676
Salt: b0 a8 d6 74 5d 66 8a 1e 07 a1 1c a7 7b 6d c4 de
fd 26 ca 8c 18 87 1f c6 c4 eb 9c 9f 57 85 9e ef
Key material offset: 512
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Can these two slots coexist?
Additionally, here is the TPM device info (I am using the Intel NUC):
$ dmesg | grep -i tpm
[ 0.000000] efi: TPMFinalLog=0x8a9cb000 ACPI 2.0=0x8a95f000 ACPI=0x8a95f000 SMBIOS=0x8ade9000 SMBIOS 3.0=0x8ade8000 ESRT=0x8ade5418 MEMATTR=0x86cfa018 TPMEventLog=0x83989018
[ 0.014784] ACPI: TPM2 0x000000008A99A328 000034 (v04 INTEL NUC7i5DN 00000034 AMI 00000000)
[ 2.036732] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
UPDATE: Managed to get the dracut unlocker working on Ubuntu 19.10 with this patch: http://fit-pc.com/wiki/index.php?title=Linux:_Full_Disk_Encryption (clevis 11-2)
I'm not sure what you're doing, I just did a completely default desktop installation from the stock Ubuntu 18.04.4 media, then
sudo apt-key adv --fetch-keys https://apt.noobient.com/files/noobuntu.asc
echo 'deb [arch=amd64] https://apt.noobient.com/noobuntu/ bionic main' | sudo tee /etc/apt/sources.list.d/noobuntu.list
sudo apt update
sudo apt install --no-install-recommends clevis
Then those few commands explained in the FDE wiki, and it unlocks perfectly.
Are you sure you're using the correct packages? To me:
$ apt list --installed | grep 'clevis\|tpm2'
clevis/bionic,now 12-6 amd64 [installed]
tpm2-tools/bionic,now 4.1.1-1 amd64 [installed,automatic]
tpm2-tss/bionic,now 2.3.2-1 amd64 [installed,automatic]
@bviktor Thank you for posting this!
I did exactly that from fresh install of 18.04.4 desktop, but it does not work with initramfs. I have noticed NUC tries to boot, fails, restarts and then I get the password prompt.
Is there a specific BIOS property I have to set?
Currently UEFI and Secure Boot are ON, while Legacy Boot is OFF.
TPM enabled, UEFI enabled, CSM (legacy) disabled, Secure Boot disabled, but SB shouldn't affect this.
I'll try to test this on a NUC (we have a few), and get back to you. What's your model?
@bviktor I might try with SB disabled once more.
NUC Product Code: BLKNUC7i7DNHE
Greatly appreciated, means a lot! :)
Just tested on a NUC7i5BN, works just fine.
Are you on the latest BIOS?
Are you sure you do both the clevis luks bind and update-initramfs commands? Do note that -u did not work for me, only -c.
@bviktor Thanks mate!
Still no luck, but here is what I tried so far.
Flashed BIOS with the newest image.
Tried it on a separate NUC which is slightly different model, but I got same results.
Tried it with both the -u and -c flags.
For convenience, here is a full output of what I did in terminal: https://gist.github.com/rLoka/93148f9adfdcbc951569e7b8d90c090d
I might try it once more on a completely different environment from NUC.
Finally got this working using clevis 13 built from source on ubuntu 18.04.