[systemd-devel] Fedora 38 and signed PCR binding

Aleksandar Kostadinov akostadi at redhat.com
Sun Oct 8 12:20:42 UTC 2023


Also forgot to mention how I have set up the RSA keys:

> openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem

and

> echo "add_dracutmodules+=\" tpm2-tss \"" > /etc/dracut.conf.d/tpm2.conf

The secure boot key I assume is alright because I have secure boot
enabled and it boots the kernel.

On Sun, Oct 8, 2023 at 3:08 PM Aleksandar Kostadinov
<akostadi at redhat.com> wrote:
>
> I've progressed past this point by upgrading to Fedora 39 Beta which
> apparently has a newer ukify version. The issue now though is that
> automatic unlock does not work. I need to enter password manually and
> I see no errors in console output.
>
> Here's what I did:
> > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
>
> > $ sudo cat /etc/crypttab
> > luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes
>
> > sudo dracut -f
>
> >           /usr/lib/systemd/ukify build \
> >                 --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
> >                 --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
> >                 --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> >                 --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> >                 --phases='enter-initrd' \
> >                 --pcr-banks=sha1,sha256 \
> >                 --secureboot-private-key=/etc/secure_boot/db_custom.key \
> >                 --secureboot-certificate=/etc/secure_boot/db_custom.pem \
> >                 --sign-kernel \
> >                 --cmdline=@/etc/kernel/cmdline \
> >                 --measure \
> >                 --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi
>
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"
>
> The UKI entry now does boot, but waits for the LUKS decryption password.
>
> I added a print line to the `ukify` executable to see the signature
> file generated.
>
> > {"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}
>
> Any ideas what might be going wrong or how to further debug it?
>
> Thank you!
>
>
>
> On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov
> <akostadi at redhat.com> wrote:
> >
> > Will appreciate any pointers about debugging and fixing this!
> >
> > On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> > <akostadi at redhat.com> wrote:
> > >
> > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > > <lennart at poettering.net> wrote:
> > > >
> > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
> > > >
> > > > > Hi again. I tried to boot from UKI to no avail.
> > > > >
> > > > > First created a "db" certificate
> > > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > > >
> > > > > Then uploaded it to the secure boot trust via USB drive and the UEFI setup.
> > > > >
> > > > > Then created UKI:
> > > > > >           /usr/lib/systemd/ukify \
> > > > > >                 /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > > >                 /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > > >                 --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > > >                 --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > > >                 --phases='enter-initrd' \
> > > > > >                 --pcr-banks=sha1,sha256 \
> > > > > >                 --secureboot-private-key=/etc/secure_boot/db.key \
> > > > > >                 --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > > >                 --sign-kernel \
> > > > > >                 --cmdline='ro rhgb'
> > > > >
> > > > > Then added a boot entry:
> > > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > > >
> > > > > Unfortunately when trying to boot this I get:
> > > > > > Bad kernel image: Load Error
> > > >
> > > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > > signature. i.e. we generate that error typically if we can't jump into
> > > > it because it doesn't come with the right PE headers.
> > >
> > > This is just a standard kernel coming with Fedora 38. I didn't modify
> > > it. Also initrd as generated by dracut.
> > >
> > > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > 00000000  4d 5a ea 07                                       |MZ..|
> > > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild at 30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> > >
> > > Any suggestions on how to fix it?
> > >
> > > If it matters -- ukify 253 (253.7-1.fc38)
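One way to check that a `.pcrsig` document like the one printed above actually belongs to the public key that was enrolled with `--tpm2-public-key-pcrs=11`, written here as an added example rather than anything from the thread or from systemd itself; it needs the Python `cryptography` package. The scheme it assumes (pkfp is the SHA-256 of the DER SubjectPublicKeyInfo; the signature is RSASSA-PKCS1-v1_5 with the bank's hash over the policy digest) is what systemd-measure uses to my knowledge, so confirm it against the version you run; the key and the policy digests are constructed for the demo, not real TPM policies.

```python
import base64
import hashlib
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Hash per PCR bank; the UKI above was built with --pcr-banks=sha1,sha256.
BANK_HASH = {"sha1": hashes.SHA1, "sha256": hashes.SHA256}


def pubkey_fingerprint(pub) -> str:
    """pkfp: SHA-256 over the DER SubjectPublicKeyInfo (assumed to match systemd-measure)."""
    der = pub.public_bytes(serialization.Encoding.DER,
                           serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def make_pcrsig(priv, policies: dict, pcrs=(11,)) -> dict:
    """Sign one policy digest per bank (assumed scheme: PKCS#1 v1.5 with the bank's
    hash over the digest bytes) and emit the JSON shape shown in the thread."""
    fp = pubkey_fingerprint(priv.public_key())
    doc = {}
    for bank, pol_hex in policies.items():
        sig = priv.sign(bytes.fromhex(pol_hex), padding.PKCS1v15(), BANK_HASH[bank]())
        doc[bank] = [{"pcrs": list(pcrs), "pkfp": fp, "pol": pol_hex,
                      "sig": base64.b64encode(sig).decode()}]
    return doc


def check_pcrsig(doc: dict, pub) -> dict:
    """Per bank: True only if pkfp names this key AND the signature over 'pol' verifies."""
    fp, result = pubkey_fingerprint(pub), {}
    for bank, entries in doc.items():
        result[bank] = False
        for e in entries:
            if e["pkfp"] != fp:
                continue  # signed by some other key; the enrolled key would not accept it
            try:
                pub.verify(base64.b64decode(e["sig"]), bytes.fromhex(e["pol"]),
                           padding.PKCS1v15(), BANK_HASH[bank]())
                result[bank] = True
            except InvalidSignature:
                pass  # pkfp matches but the signature does not: stays False
    return result


def demo() -> dict:
    """Round trip with a constructed key and constructed (not real TPM) policy digests."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pols = {b: hashlib.new(b, b"constructed policy").hexdigest() for b in BANK_HASH}
    doc = json.loads(json.dumps(make_pcrsig(priv, pols)))  # via JSON, like the .pcrsig section
    good = check_pcrsig(doc, priv.public_key())
    wrong_key = check_pcrsig(doc, rsa.generate_private_key(65537, 2048).public_key())
    doc["sha256"][0]["pol"] = hashlib.sha256(b"different policy").hexdigest()  # tampered
    return {"good": good, "wrong_key": wrong_key, "tampered": check_pcrsig(doc, priv.public_key())}
```

Point `check_pcrsig` at the JSON extracted from the UKI's `.pcrsig` section and the PEM public key loaded with `serialization.load_pem_public_key`; a bank reporting False means the enrolled key cannot authorize that policy.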
