Console didn't show anything but I found these lines in the system log.

> Oct 08 18:34:51 systemd-sysusers[228]: Creating group 'tss' with GID 59.
> Oct 08 18:34:51 systemd-sysusers[228]: Creating user 'tss' (Account used for TPM access) with UID 59 and GID 59.
> Oct 08 18:34:51 systemd-tmpfiles[232]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
>
> Oct 08 18:34:52 systemd[1]: Found device dev-disk-by\x2duuid-16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.device - UMIS_RTFTJ032VGD1EWX 3.
> Oct 08 18:34:52 systemd[1]: Starting systemd-cryptsetup@luks\x2d16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.service - Cryptography Setup for luks-16b6da19-8810-49f8-8923-ce803dacc3a1...
>
> Oct 08 18:34:53 systemd-cryptsetup[437]: Couldn't find signature for this PCR bank, PCR index and public key.
> Oct 08 18:34:53 systemd-cryptsetup[437]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/16b6da19-8810-49f8-8923-ce803dacc3a1.
> Oct 08 18:34:53 systemd-cryptsetup[437]: Automatically discovered security TPM2 token unlocks volume.
> Oct 08 18:34:54 systemd-cryptsetup[437]: Couldn't find signature for this PCR bank, PCR index and public key.
> Oct 08 18:34:54 systemd-cryptsetup[437]: TPM2 operation failed, falling back to traditional unlocking: No such device or address
>
> Oct 08 18:35:24 systemd-cryptsetup[437]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/16b6da19-8810-49f8-8923-ce803dacc3a1.
> Oct 08 18:35:26 systemd-cryptsetup[437]: Successfully extended PCR index 15 with 'cryptsetup:luks-16b6da19-8810-49f8-8923-ce803dacc3a1:16b6da19-8810-49f8-8923-ce803dacc3a1' and volume key (banks sha1, sha256).
> Oct 08 18:35:26 systemd[1]: Finished systemd-cryptsetup@luks\x2d16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.service - Cryptography Setup for luks-16b6da19-8810-49f8-8923-ce803dacc3a1.

How can I find out what issue is causing "Couldn't find signature for this PCR bank, PCR index and public key."?

On Sun, Oct 8, 2023 at 3:20 PM Aleksandar Kostadinov <akostadi@xxxxxxxxxx> wrote:
>
> Also forgot to mention how I have set up the RSA keys:
>
> > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem
>
> and
>
> > echo "add_dracutmodules+=\" tpm2-tss \"" > /etc/dracut.conf.d/tpm2.conf
>
> The secure boot key I assume is alright because I have secure boot
> enabled and it boots the kernel.
>
> On Sun, Oct 8, 2023 at 3:08 PM Aleksandar Kostadinov
> <akostadi@xxxxxxxxxx> wrote:
> >
> > I've progressed past this point by upgrading to Fedora 39 Beta which
> > apparently has a newer ukify version. The issue now though is that
> > automatic unlock does not work. I need to enter the password manually and
> > I see no errors in console output.
> >
> > Here's what I did:
> > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
> >
> > > $ sudo cat /etc/crypttab
> > > luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes
> >
> > > sudo dracut -f
> >
> > > /usr/lib/systemd/ukify build \
> > > --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
> > > --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
> > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > --phases='enter-initrd' \
> > > --pcr-banks=sha1,sha256 \
> > > --secureboot-private-key=/etc/secure_boot/db_custom.key \
> > > --secureboot-certificate=/etc/secure_boot/db_custom.pem \
> > > --sign-kernel \
> > > --cmdline=@/etc/kernel/cmdline \
> > > --measure \
> > > --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi
> >
> > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"
> >
> > The UKI entry now does boot.
> > But waits for the LUKS decryption password.
> >
> > I added a print line to the `ukify` executable to see the signature
> > file generated.
> >
> > > {"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}
> >
> > Any ideas what might be going wrong or how to further debug it?
> >
> > Thank you!
> >
> >
> >
> > On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov
> > <akostadi@xxxxxxxxxx> wrote:
> > >
> > > Will appreciate any pointers about debugging and fixing this!
> > >
> > > On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> > > <akostadi@xxxxxxxxxx> wrote:
> > > >
> > > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > > > <lennart@xxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:
> > > > >
> > > > > > Hi again. I tried to boot from UKI to no avail.
> > > > > >
> > > > > > First created a "db" certificate
> > > > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > > > >
> > > > > > Then uploaded it to the secure boot trust store via USB drive and the UEFI setup.
> > > > > >
> > > > > > Then created UKI:
> > > > > > > /usr/lib/systemd/ukify \
> > > > > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > > > > /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > > > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > > > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > > > > --phases='enter-initrd' \
> > > > > > > --pcr-banks=sha1,sha256 \
> > > > > > > --secureboot-private-key=/etc/secure_boot/db.key \
> > > > > > > --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > > > > --sign-kernel \
> > > > > > > --cmdline='ro rhgb'
> > > > > >
> > > > > > Then added a boot entry:
> > > > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > > > >
> > > > > > Unfortunately when trying to boot this I get:
> > > > > > > Bad kernel image: Load Error
> > > > >
> > > > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > > > signature. i.e. we generate that error typically if we can't jump into
> > > > > it because it doesn't come with the right PE headers.
> > > >
> > > > This is just a standard kernel coming with Fedora 38. I didn't modify
> > > > it. Also the initrd is as generated by dracut.
> > > >
> > > > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > > 00000000 4d 5a ea 07 |MZ..|
> > > > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild@30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> > > >
> > > > Any suggestions on how to fix it?
> > > >
> > > > If it matters -- ukify 253 (253.7-1.fc38)
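A diagnostic added here, not code from the thread or from systemd: it replays the match the error message names (PCR bank, PCR set, public-key fingerprint) plus the policy digest `pol` over a signature file in the layout ukify printed above, so each rejected entry reports which field disagreed instead of a bare "couldn't find". Assumptions: `pkfp` is the SHA-256 of the public key's DER SubjectPublicKeyInfo, and the `pol` an entry must carry is the policy digest systemd derives from the PCR values present at unlock time (what `systemd-measure calculate` predicts); the key and signature file below are constructed, not a real enrollment.

```python
# Added diagnostic (not from the thread): mirror the lookup behind the message
# "Couldn't find signature for this PCR bank, PCR index and public key."
import base64
import hashlib
import re
from typing import List, Optional, Tuple

def public_key_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER SubjectPublicKeyInfo inside a 'PUBLIC KEY' PEM
    (`openssl rsa -pubout` output). Assumption: this is how 'pkfp' is derived."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected a 'PUBLIC KEY' PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def find_signature(sigfile: dict, bank: str, pcrs: List[int], pkfp: str,
                   pol: Optional[str] = None) -> Tuple[Optional[str], List[str]]:
    """Select the entry that matches bank, PCR set, key fingerprint and (if
    given) policy digest; return (base64 sig or None, reasons for rejects)."""
    reasons: List[str] = []
    entries = sigfile.get(bank)
    if entries is None:
        return None, [f"bank '{bank}' missing; banks present: {sorted(sigfile)}"]
    for n, e in enumerate(entries):
        where = f"{bank}[{n}]"
        if sorted(e.get("pcrs", [])) != sorted(pcrs):
            reasons.append(f"{where}: pcrs {e.get('pcrs')} != wanted {pcrs}")
        elif e.get("pkfp") != pkfp:
            reasons.append(f"{where}: pkfp {e.get('pkfp')} != key {pkfp}")
        elif pol is not None and e.get("pol") != pol:
            reasons.append(f"{where}: pol {e.get('pol')} != expected {pol}")
        else:
            return e["sig"], reasons   # this entry would be handed to the TPM
    return None, reasons

# Constructed sample (not a real RSA key): a PEM wrapper around arbitrary bytes,
# and a signature file in the layout ukify printed in the thread.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(b"constructed-sample-key-bytes").decode()
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_SIG = {
    "sha1":   [{"pcrs": [11], "pkfp": public_key_fingerprint(SAMPLE_PEM),
                "pol": "cd" * 32, "sig": "c2lnLXNoYTE="}],
    "sha256": [{"pcrs": [11], "pkfp": public_key_fingerprint(SAMPLE_PEM),
                "pol": "ab" * 32, "sig": "c2lnLXNoYTI1Ng=="}],
}
# Real use: json.load() the signature file, read the PEM from
# /etc/systemd/tpm2-pcr-public-key.pem, pass the enrolled bank and PCR (11 here).
```

When the fingerprint and PCR set already agree, the remaining suspect is `pol`: the PCR 11 value at unlock time differing from the one ukify signed for the `enter-initrd` phase.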