Re: Fedora 38 and signed PCR binding

On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov
<akostadi@xxxxxxxxxx> wrote:
>
> I've progressed past this point by upgrading to Fedora 39 Beta, which
> apparently has a newer ukify version. The issue now, though, is that
> automatic unlock does not work. I need to enter the password manually and
> I see no errors in the console output.
>
> Here's what I did:
> > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3

This probably isn't what you want, because you're specifying
--tpm2-public-key-pcrs= but not --tpm2-public-key=, so the
--tpm2-public-key-pcrs= doesn't actually do anything (it should
probably either fail or at least print a warning).

Since you didn't specify --tpm2-pcrs=, it will default to use only
PCR7, using the current value (at the time you ran
systemd-cryptenroll).

Just for testing, can you try:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" /dev/sda3

That will enroll your tpm with *no* pcr values, so it should always
successfully unlock your volume using the tpm (note, you probably
don't want to do this other than for testing). Then see if it uses the
tpm to unlock the volume on boot. If so, you just need to get the
specific PCR parameters correct (and make sure to supply your PEM
public key to systemd-cryptenroll using --tpm2-public-key=), and
provide the correct signature.

>
> > $ sudo cat /etc/crypttab
> > luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes
>
> > sudo dracut -f
>
> >           /usr/lib/systemd/ukify build \
> >                 --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
> >                 --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
> >                 --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> >                 --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> >                 --phases='enter-initrd' \
> >                 --pcr-banks=sha1,sha256 \
> >                 --secureboot-private-key=/etc/secure_boot/db_custom.key \
> >                 --secureboot-certificate=/etc/secure_boot/db_custom.pem \
> >                 --sign-kernel \
> >                 --cmdline=@/etc/kernel/cmdline \
> >                 --measure \
> >                 --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi
>
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"
>
> The UKI entry now does boot, but it waits for the LUKS decryption password.
>
> I added a print line to the `ukify` executable to see the signature
> file generated.
>
> > {
> >   "sha1": [
> >     {
> >       "pcrs": [11],
> >       "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7",
> >       "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580",
> >       "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="
> >     }
> >   ],
> >   "sha256": [
> >     {
> >       "pcrs": [11],
> >       "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7",
> >       "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1",
> >       "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="
> >     }
> >   ]
> > }
>
> Any ideas what might be going wrong or how to further debug it?
>
> Thank you!
>
>
>
> On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov
> <akostadi@xxxxxxxxxx> wrote:
> >
> > Will appreciate any pointers about debugging and fixing this!
> >
> > On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> > <akostadi@xxxxxxxxxx> wrote:
> > >
> > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > > <lennart@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:
> > > >
> > > > > Hi again. I tried to boot from UKI to no avail.
> > > > >
> > > > > First created a "db" certificate
> > > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > > >
> > > > > Then uploaded it to the Secure Boot trust via a USB drive and the UEFI setup.
> > > > >
> > > > > Then created UKI:
> > > > > >           /usr/lib/systemd/ukify \
> > > > > >                 /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > > >                 /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > > >                 --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > > >                 --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > > >                 --phases='enter-initrd' \
> > > > > >                 --pcr-banks=sha1,sha256 \
> > > > > >                 --secureboot-private-key=/etc/secure_boot/db.key \
> > > > > >                 --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > > >                 --sign-kernel \
> > > > > >                 --cmdline='ro rhgb'
> > > > >
> > > > > Then added a boot entry:
> > > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > > >
> > > > > Unfortunately when trying to boot this I get:
> > > > > > Bad kernel image: Load Error
> > > >
> > > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > > signature. I.e. we generate that error typically if we can't jump into
> > > > it because it doesn't come with the right PE headers.
> > >
> > > This is just a standard kernel coming with Fedora 38. I didn't modify
> > > it. The initrd is also as generated by dracut.
> > >
> > > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > 00000000  4d 5a ea 07                                       |MZ..|
> > > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild@30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> > >
> > > Any suggestions on how to fix it?
> > >
> > > If it matters -- ukify 253 (253.7-1.fc38)
>
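The diagnosis in the reply (a --tpm2-public-key-pcrs= that silently does nothing without --tpm2-public-key=, PCR 7 being bound by default when --tpm2-pcrs= is absent, and an empty --tpm2-pcrs= enrolling a TPM slot that unseals unconditionally) can be turned into a pre-flight check that is run against the enrollment command line and the signature file ukify produced. The following Python is an added example for this thread, not systemd's code and not something either poster ran. The signature JSON is the one printed above; the three command lines are constructed (the thread's original, the no-PCR test from the reply, and a variant that enrolls the public key). The default of PCR 11 for --tpm2-public-key-pcrs= when the option is omitted is taken from the systemd-cryptenroll documentation; the check does not hash the PEM key to confirm it matches the "pkfp" fingerprint, it only checks that both banks were signed with one key over one PCR set and that the enrollment names the same PCRs.

```python
"""Pre-flight check of a planned systemd-cryptenroll command against the PCR
signature file emitted by ukify. Added example for the thread above; not
systemd code. Signature JSON is the one posted in the thread; command lines
are constructed for illustration."""
import base64
import json
import shlex

# Signature file printed by the patched ukify in the thread (sha1 and sha256 banks).
SIG_JSON = r'''{"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}'''
SIG = json.loads(SIG_JSON)

# Constructed command lines: the thread's original, the no-PCR test from the
# reply, and a variant that enrolls the public key the signature was made with.
THREAD_CMD = ('sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto '
              '--tpm2-public-key-pcrs=11 /dev/sda3')
TEST_CMD = 'sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" /dev/sda3'
FIXED_CMD = ('sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 '
             '--tpm2-public-key=/etc/systemd/tpm2-pcr-public-key.pem '
             '--tpm2-public-key-pcrs=11 /dev/sda3')

DEFAULT_HASH_PCRS = [7]     # bound when --tpm2-pcrs= is omitted (as the reply explains)
DEFAULT_SIGNED_PCRS = [11]  # assumed default when --tpm2-public-key-pcrs= is omitted


def parse_enroll_args(cmdline):
    """Collect --option=value pairs from a systemd-cryptenroll command line."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            opts[key] = value
    return opts


def pcr_list(spec):
    """Parse a cryptenroll PCR spec ("7+11", "") into sorted ints; None if unset."""
    if spec is None:
        return None
    return sorted(int(p) for p in spec.strip().split("+") if p)


def check_signature(sig):
    """Sanity-check the ukify signature file. Returns (findings, pkfp, pcrs)."""
    findings, pkfps, pcr_sets = [], set(), set()
    for bank, entries in sig.items():
        for e in entries:
            pkfps.add(e["pkfp"])
            pcr_sets.add(tuple(sorted(e["pcrs"])))
            for field in ("pkfp", "pol"):  # both are SHA-256 digests in hex
                if len(e[field]) != 64 or any(c not in "0123456789abcdef" for c in e[field]):
                    findings.append(f"{bank}: {field} is not a SHA-256 hex digest")
            key_bits = len(base64.b64decode(e["sig"], validate=True)) * 8
            if key_bits not in (2048, 3072, 4096):
                findings.append(f"{bank}: signature is {key_bits} bits, not an RSA key size")
    if len(pkfps) != 1:
        findings.append("banks are signed with different public keys")
    if len(pcr_sets) != 1:
        findings.append("banks cover different PCR sets")
    return findings, pkfps.pop(), list(pcr_sets.pop())


def check_enrollment(cmdline, sig):
    """Cross-check the enrollment options against the signature file.
    Returns a list of findings; an empty list means they agree."""
    opts = parse_enroll_args(cmdline)
    findings, _pkfp, sig_pcrs = check_signature(sig)
    pubkey = opts.get("tpm2-public-key")
    signed_pcrs = pcr_list(opts.get("tpm2-public-key-pcrs"))
    hash_pcrs = pcr_list(opts.get("tpm2-pcrs"))
    if signed_pcrs is not None and pubkey is None:
        findings.append("--tpm2-public-key-pcrs= given without --tpm2-public-key=: "
                        "no signed-policy binding is enrolled")
    if pubkey is not None:
        if signed_pcrs is None:
            signed_pcrs = DEFAULT_SIGNED_PCRS
        if signed_pcrs != sig_pcrs:
            findings.append(f"enrolled signed PCRs {signed_pcrs} differ from "
                            f"signature file PCRs {sig_pcrs}")
    if hash_pcrs is None:
        findings.append(f"--tpm2-pcrs= omitted: current value of PCR {DEFAULT_HASH_PCRS} is bound")
    elif hash_pcrs == [] and pubkey is None:
        findings.append("no PCR binding at all: TPM unseals unconditionally (testing only)")
    return findings


if __name__ == "__main__":
    for name, cmd in (("thread", THREAD_CMD), ("test", TEST_CMD), ("fixed", FIXED_CMD)):
        print(name, check_enrollment(cmd, SIG) or "ok")
```

Run as a script it prints the findings for each of the three command lines; the thread's original yields the "without --tpm2-public-key=" finding, the test command the "unconditionally" one, and the variant with the public key none. Because the check stops short of verifying the PEM against "pkfp", a mismatch between the key given to ukify and the key enrolled would still only show up at boot.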
