Re: Fedora 38 and signed PCR binding

Aleksandar Kostadinov <akostadi@xxxxxxxxxx> · Sun, 12 Nov 2023 00:25:45 +0200

On Sun, Nov 12, 2023 at 12:09 AM Aleksandar Kostadinov
<akostadi@xxxxxxxxxx> wrote:
>
> On Thu, Oct 12, 2023 at 1:14 AM Dan Streetman <ddstreet@xxxxxxxx> wrote:
> > On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov <akostadi@xxxxxxxxxx> wrote:
> > ...
> > > Here's what I did:
> > > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
> >
> > This probably isn't what you want, because you're specifying
> > --tpm2-public-key-pcrs= but not --tpm2-public-key=, so the
> > --tpm2-public-key-pcrs= doesn't actually do anything (it should
> > probably either fail or at least print a warning).
>
> in man pages I see:
> --tpm2-public-key= option accepts a path to a PEM encoded RSA
>            public key, to bind the encryption to. If this is not specified
>            explicitly, but a file tpm2-pcr-public-key.pem exists in one of the
>            directories /etc/systemd/, /run/systemd/, /usr/lib/systemd/
>            (searched in this order), it is automatically used.
>
> I do have such a file.
>
> > Since you didn't specify --tpm2-pcrs=, it will default to use only
> > PCR7, using the current value (at the time you ran
> > systemd-cryptenroll).
>
> I specify --tpm2-public-key-pcrs=11, should I specify also
> --tpm2-pcrs? I don't want to bind to plain PCRs.
>
> > Just for testing, can you try:
> > sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" /dev/sda3
> >
> > That will enroll your tpm with *no* pcr values, so it should always
> > successfully unlock your volume using the tpm (note, you probably
> > don't want to do this other than for testing). Then see if it uses the
> > tpm to unlock the volume on boot. If so, you just need to get the
> > specific PCR parameters correct (and make sure to supply your PEM
> > public key to systemd-cryptenroll using --tpm2-public-key=), and
> > provide the correct signature.
>
> This is a nice check actually. And in fact it does not open the volume
> automatically. Which is super strange. As it worked with the normal
> grub based boot process.
>
> sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto
> --tpm2-pcrs= /dev/sda3
> then removed `tpm2-measure-pcr=yes` from /etc/crypttab, then
> `dracut-f` and finally `ukify ..` with the exact same arguments as
> before.
>
> Did I miss something?
>
> Strange is that in `journalctl -b` I still see "Couldn't find
> signature for this PCR bank, PCR index and public key." So I wonder
> what could be broken and how to fix it. How to inspect the initrd
> inside the UKI?

And when I tried removing anything related to measuring PCRs from
ukify, it still doesn't work but at least I don't see these messages
in journalct. So issue appears to be related to how the UKI was
generated. But again, no idea how to debug what is inside it. I don't
know how to extract the parts.

/usr/lib/systemd/ukify build
                  --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz
                  --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img
                  --secureboot-private-key=/etc/secure_boot/db_custom.key
                  --secureboot-certificate=/etc/secure_boot/db_custom.pem
                  --sign-kernel
                  --cmdline=@/etc/kernel/cmdline
                  --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi

> <...>