I've progressed past this point by upgrading to Fedora 39 Beta which apparently has a newer ukify version. The issue now though is that automatic unlock does not work. I need to enter password manually and I see no errors in console output.

Here's what I did:

> sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3

> $ sudo cat /etc/crypttab
> luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes

> sudo dracut -f

> /usr/lib/systemd/ukify build \
>   --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
>   --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
>   --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
>   --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
>   --phases='enter-initrd' \
>   --pcr-banks=sha1,sha256 \
>   --secureboot-private-key=/etc/secure_boot/db_custom.key \
>   --secureboot-certificate=/etc/secure_boot/db_custom.pem \
>   --sign-kernel \
>   --cmdline=@/etc/kernel/cmdline \
>   --measure \
>   --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi

> efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"

The UKI entry now does boot. But waits for luks decryption password.

I added a print line to the `ukify` executable to see the signature file generated.

> {"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}

Any ideas what might be going wrong or how to further debug it?

Thank you!

On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov <akostadi@xxxxxxxxxx> wrote:
>
> Will appreciate any pointers about debugging and fixing this!
>
> On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> <akostadi@xxxxxxxxxx> wrote:
> >
> > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > <lennart@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:
> > >
> > > > Hi again. I tried to boot from UKI to no avail.
> > > >
> > > > First created a "db" certificate
> > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > >
> > > > Then uploaded it to secure boot trust via USB drive and the UEFI setup.
> > > >
> > > > Then created UKI:
> > > > > /usr/lib/systemd/ukify \
> > > > >   /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > >   /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > >   --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > >   --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > >   --phases='enter-initrd' \
> > > > >   --pcr-banks=sha1,sha256 \
> > > > >   --secureboot-private-key=/etc/secure_boot/db.key \
> > > > >   --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > >   --sign-kernel \
> > > > >   --cmdline='ro rhgb'
> > > >
> > > > Then added a boot entry:
> > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > >
> > > > Unfortunately when trying to boot this I get:
> > > > > Bad kernel image: Load Error
> > >
> > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > signature. i.e. we generate that error typically if we can't jump into
> > > it because it doesn't come with the right PE headers.
> >
> > This is just a standard kernel coming with Fedora 38. I didn't modify
> > it. Also initrd as generated by dracut.
> >
> > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > 00000000 4d 5a ea 07 |MZ..|
> > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild@30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> >
> > Any suggestions on how to fix it?
> >
> > If it matters -- ukify 253 (253.7-1.fc38)
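A check worth running first when TPM2 unlock silently falls back to the passphrase: confirm that the signature JSON ukify produced (the `sha1`/`sha256` → `pcrs`/`pkfp`/`pol`/`sig` structure printed above) was signed with the same key that `systemd-cryptenroll --tpm2-public-key-pcrs=11` enrolled, and that each `sig` actually verifies against that key. This is an added example, not systemd's or ukify's code; it assumes `pkfp` is SHA-256 over the DER SubjectPublicKeyInfo of `/etc/systemd/tpm2-pcr-public-key.pem` and that `sig` is RSASSA-PKCS1-v1_5 over the raw `pol` bytes hashed with the bank's algorithm (my reading of systemd-measure, not confirmed by the thread), and the script name and `.pcrsig` extraction command below are assumptions too.

```python
import base64, hashlib, json, sys

# DigestInfo prefixes from RFC 8017 (EMSA-PKCS1-v1_5), keyed by PCR bank name.
DIGEST_INFO = {"sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
               "sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def der_tlv(buf: bytes, pos: int):
    """Minimal DER reader: (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(spki_der: bytes):
    _, spki, _ = der_tlv(spki_der, 0)           # outer SEQUENCE of SubjectPublicKeyInfo
    _, _, p = der_tlv(spki, 0)                  # AlgorithmIdentifier, skipped
    _, bits, _ = der_tlv(spki, p)               # BIT STRING; bits[0] is the unused-bits count
    _, rsakey, _ = der_tlv(bits[1:], 0)         # RSAPublicKey SEQUENCE { n, e }
    _, n, p = der_tlv(rsakey, 0)
    _, e, _ = der_tlv(rsakey, p)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def pubkey_fingerprint(spki_der: bytes) -> str:
    """The 'pkfp' value: SHA-256 over the DER SubjectPublicKeyInfo (assumption, see lead-in)."""
    return hashlib.sha256(spki_der).hexdigest()

def rsassa_pkcs1_v15_verify(n: int, e: int, bank: str, msg: bytes, sig: bytes) -> bool:
    """Textbook RSASSA-PKCS1-v1_5 verification; msg is hashed with the bank's algorithm."""
    k = (n.bit_length() + 7) // 8
    if bank not in DIGEST_INFO or len(sig) != k:
        return False
    t = DIGEST_INFO[bank] + hashlib.new(bank, msg).digest()
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return k >= len(t) + 11 and em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def check_pcrsig(pcrsig_json: str, pubkey_der: bytes, pcr: int = 11) -> dict:
    """{bank: (fingerprint_matches, signature_verifies)} for every entry covering `pcr`."""
    n, e = rsa_public_numbers(pubkey_der)
    fp, out = pubkey_fingerprint(pubkey_der), {}
    for bank, entries in json.loads(pcrsig_json).items():
        for ent in entries:
            if pcr in ent["pcrs"]:
                pol, sig = bytes.fromhex(ent["pol"]), base64.b64decode(ent["sig"])
                out[bank] = (ent["pkfp"] == fp, rsassa_pkcs1_v15_verify(n, e, bank, pol, sig))
    return out

if __name__ == "__main__":  # python3 check_pcrsig.py tpm2-pcr-public-key.pem pcrsig.json
    print(check_pcrsig(open(sys.argv[2]).read(), pem_to_der(open(sys.argv[1]).read())))
```

To get the JSON out of the built image rather than patching ukify, `objcopy -O binary --only-section=.pcrsig /boot/efi/EFI/fedora/uki/vmlinuz.efi pcrsig.json` (binutils, assumed available) should dump the section; a fingerprint mismatch means cryptenroll and ukify were handed different keys.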