
Clevis luks bind fail to unlock automatically during the bootup

Open Naranthiran opened this issue 3 years ago • 14 comments

In the kickstart I am encrypting the volume using the below code.

part pv.0 --size=1 --grow --encrypted --luks-version=luks2 --passphrase="test123"

And I am binding the LUKS volume in the post-installation section.

clevis luks bind -d /dev/sda4 tpm2 '{"pcr_ids":"0,1,4,5,7"}' <<< "test123"

After the successful installation, during bootup the decryption (tpm2) is not working.

When I manually enter the LUKS password, it decrypts and I can log in to the system.

I am able to find that keyslot 0 for LUKS and keyslot 1 for the tpm2 bind have been used.

When I bind the volume manually and reboot the system, automatic decryption is working.

# clevis luks bind -d /dev/sda4 tpm2 '{"pcr_ids":"0,1,4,5,7"}' <<< "test123"
# dracut -f
# reboot

Can anyone help me to understand what is causing the issue and help to resolve it?

Naranthiran avatar Jul 30 '21 06:07 Naranthiran

Hello @Naranthiran, could you please check if the boot logs dump messages like the ones in #285?

sarroutbi avatar Jul 30 '21 08:07 sarroutbi

Hi Sarroutbi,

Thanks for your response, but I am not able to find the file "clevis-luks-askpass.patch".

I am not able to find any failed logs in dmesg or journalctl.

Can you please explain to me in detail whether I need to do the below workaround, and is this clevis-luks-askpass.patch:

--- a/clevis-luks-askpass +++ b/clevis-luks-askpass @@ -35,6 +35,10 @@ esac done

+until [ -c /dev/tpm0 ]; do

  • sleep 1 +done

while true; do for question in "${path}"/ask.*; do # question will expand to itself, in case no files match, so we verify

Naranthiran avatar Jul 30 '21 14:07 Naranthiran

Hello @Naranthiran,

On the one hand, clevis-luks-askpass is part of the clevis-systemd package. Do you have such package installed?

sarroutbi avatar Aug 02 '21 13:08 sarroutbi

Hi Sarroutbi,

Yes, I have installed the package clevis-systemd, and I am able to find only the below files.

  1. clevis-luks-askpass.path
  2. clevis-luks-askpass.service

Naranthiran avatar Aug 02 '21 14:08 Naranthiran

@Naranthiran : can you please share your OS details?

sarroutbi avatar Aug 02 '21 14:08 sarroutbi

Hi Sarroutbi,

I am using "AlmaLinux 8.4".

Naranthiran avatar Aug 02 '21 15:08 Naranthiran

Hello @Naranthiran. This OS seems to be binary compatible with RHEL, so no issue should take place.

Regarding clevis-luks-askpass, it is normally in "/usr/libexec" path, and part of clevis-systemd:

$ rpm -qf /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8.x86_64

Could you try to apply the patch described above on that file to check if the issue gets fixed? Obviously, this is not a definitive patch, but I would like to clarify if the same issue is taking place.

sarroutbi avatar Aug 03 '21 14:08 sarroutbi

Hi Sarroutbi,

Please find the below output.

[root@localhost ~]# rpm -qf /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8.x86_64

Naranthiran avatar Aug 04 '21 11:08 Naranthiran

Hello @Naranthiran , can you please try applying patch:

+++ b/clevis-luks-askpass
@@ -35,6 +35,10 @@
esac
done

+until [ -c /dev/tpm0 ]; do
sleep 1
+done
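Review bot: as pasted, this hunk will not apply cleanly with patch(1): the header `@@ -35,6 +35,10 @@` declares four added lines, but only `+until [ -c /dev/tpm0 ]; do` and `+done` carry a leading `+`; the `sleep 1` line and the blank line before `until` need one too, otherwise the line counts do not match the header and patch rejects the hunk (which may be why the later report says applying it changed nothing). A second point for the workaround itself: `until [ -c /dev/tpm0 ]; do sleep 1; done` has no upper bound, so on a host where the TPM device never appears (or where the bound pin is tang and no TPM is needed) clevis-luks-askpass spins forever and boot never falls back to the passphrase prompt; suggest bounding it, e.g. `n=0; until [ -c /dev/tpm0 ] || [ "$n" -ge 30 ]; do sleep 1; n=$((n+1)); done`.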

To check if the issue gets fixed?

sarroutbi avatar Aug 05 '21 08:08 sarroutbi
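The workaround above waits for /dev/tpm0 in an unbounded loop, so a machine whose TPM never shows up (or one whose only pin is tang) would sit at boot forever. As an added example, not code from the clevis project or from anyone in this thread, the same wait with a bounded timeout, plus a check that waits only when a tpm2 pin is actually in use. The function names `wait_for_chardev` and `need_tpm`, the 30-second default and the sample pin list are my own assumptions; the pin list would come from `clevis luks list` on a real system.

```shell
#!/bin/sh
# Added example (not clevis project code): bounded wait for a device node.
#
# wait_for_chardev PATH [SECONDS]
#   Returns 0 as soon as PATH exists as a character device, 1 if it has not
#   appeared after SECONDS seconds (assumed default: 30). The bound keeps a
#   missing or slow TPM from hanging an askpass-style loop for the whole boot.
wait_for_chardev() {
    dev="$1"
    limit="${2:-30}"
    waited=0
    until [ -c "$dev" ]; do
        if [ "$waited" -ge "$limit" ]; then
            echo "timed out after ${limit}s waiting for $dev" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# need_tpm "PIN PIN ..."
#   Returns 0 if the space-separated pin list contains tpm2, 1 otherwise.
#   Only a tpm2 pin needs the TPM device node; tang and sss-over-tang do not.
need_tpm() {
    for pin in $1; do
        [ "$pin" = "tpm2" ] && return 0
    done
    return 1
}

# Usage sketch with constructed input (a host bound with tpm2 and tang):
#   pins="tpm2 tang"
#   if need_tpm "$pins"; then
#       wait_for_chardev /dev/tpm0 30 || echo "no TPM; fall back to passphrase" >&2
#   fi
```

On the real system the caller would run the wait only when `need_tpm` reports a tpm2 pin, and on timeout let clevis-luks-askpass continue so the normal passphrase prompt still appears instead of the boot hanging.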

Hi Sarroutbi,

Can you explain to me in detail how to apply the above patch?

Naranthiran avatar Aug 05 '21 09:08 Naranthiran

Sure:

  1. Save the previous content to a file (example: askpass.patch) contained in the same path (/usr/libexec)
  2. Apply the patch by executing:

sudo patch -p1 < askpass.patch

sarroutbi avatar Aug 05 '21 09:08 sarroutbi

Hi Sarroutbi,

I have executed the below steps and still automatic unlocking is not working.

When I run clevis-luks-regen on the disk which I have bound and restart the system, automatic unlocking is working.

Naranthiran avatar Aug 14 '21 16:08 Naranthiran

Hello, everyone. Sorry for bothering you, but I would need some help please.

I am running clevis-luks 15-8 on Rocky 8.5 (it supposedly has the patch) and the client server sends the request to the tang server; the tang server seems to respond. After that, the client server dies. Even adding the key by hand, it does not work anymore. It freezes. If I reboot with the tang server stopped, I can use the key by hand and it works.

I believe it freezes after the tang response is received.

EDITED: It seems it happens when you have more than one encrypted partition (including root).

Any idea? Thank you, M

mchingotto avatar Feb 10 '22 05:02 mchingotto

Hi, thanks for your update. I was able to resolve the issue.


Naranthiran avatar Feb 11 '22 14:02 Naranthiran