[systemd-devel] Fedora 38 and signed PCR binding
Aleksandar Kostadinov
akostadi at redhat.com
Tue Oct 10 00:21:28 UTC 2023
Console didn't show anything, but I found these lines in the system log.
> Oct 08 18:34:51 systemd-sysusers[228]: Creating group 'tss' with GID 59.
> Oct 08 18:34:51 systemd-sysusers[228]: Creating user 'tss' (Account used for TPM access) with UID 59 and GID 59.
> Oct 08 18:34:51 systemd-tmpfiles[232]: Failed to parse ACL "default:group:tss:rwx", ignoring: Invalid argument
>
> Oct 08 18:34:52 systemd[1]: Found device dev-disk-by\x2duuid-16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.device - UMIS_RTFTJ032VGD1EWX 3.
> Oct 08 18:34:52 systemd[1]: Starting systemd-cryptsetup at luks\x2d16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.service - Cryptography Setup for luks-16b6da19-8810-49f8-8923-ce803dacc3a1...
>
> Oct 08 18:34:53 systemd-cryptsetup[437]: Couldn't find signature for this PCR bank, PCR index and public key.
> Oct 08 18:34:53 systemd-cryptsetup[437]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/16b6da19-8810-49f8-8923-ce803dacc3a1.
> Oct 08 18:34:53 systemd-cryptsetup[437]: Automatically discovered security TPM2 token unlocks volume.
> Oct 08 18:34:54 systemd-cryptsetup[437]: Couldn't find signature for this PCR bank, PCR index and public key.
> Oct 08 18:34:54 systemd-cryptsetup[437]: TPM2 operation failed, falling back to traditional unlocking: No such device or address
>
> Oct 08 18:35:24 systemd-cryptsetup[437]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/16b6da19-8810-49f8-8923-ce803dacc3a1.
> Oct 08 18:35:26 systemd-cryptsetup[437]: Successfully extended PCR index 15 with 'cryptsetup:luks-16b6da19-8810-49f8-8923-ce803dacc3a1:16b6da19-8810-49f8-8923-ce803dacc3a1' and volume key (banks sha1, sha256).
> Oct 08 18:35:26 systemd[1]: Finished systemd-cryptsetup at luks\x2d16b6da19\x2d8810\x2d49f8\x2d8923\x2dce803dacc3a1.service - Cryptography Setup for luks-16b6da19-8810-49f8-8923-ce803dacc3a1.
How can I find out what issue is causing "Couldn't find signature for
this PCR bank, PCR index and public key."?
On Sun, Oct 8, 2023 at 3:20 PM Aleksandar Kostadinov
<akostadi at redhat.com> wrote:
>
> Also forgot to mention how I have set up the RSA keys:
>
> > openssl genrsa -out /etc/systemd/tpm2-pcr-private-key.pem 2048
> > openssl rsa -in /etc/systemd/tpm2-pcr-private-key.pem -pubout -out /etc/systemd/tpm2-pcr-public-key.pem
>
> and
>
> > echo "add_dracutmodules+=\" tpm2-tss \"" > /etc/dracut.conf.d/tpm2.conf
>
> The secure boot key I assume is alright because I have secure boot
> enabled and it boots the kernel.
>
> On Sun, Oct 8, 2023 at 3:08 PM Aleksandar Kostadinov
> <akostadi at redhat.com> wrote:
> >
> > I've progressed past this point by upgrading to Fedora 39 Beta which
> > apparently has a newer ukify version. The issue now though is that
> > automatic unlock does not work. I need to enter password manually and
> > I see no errors in console output.
> >
> > Here's what I did:
> > > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
> >
> > > $ sudo cat /etc/crypttab
> > > luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes
> >
> > > sudo dracut -f
> >
> > > /usr/lib/systemd/ukify build \
> > > --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
> > > --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
> > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > --phases='enter-initrd' \
> > > --pcr-banks=sha1,sha256 \
> > > --secureboot-private-key=/etc/secure_boot/db_custom.key \
> > > --secureboot-certificate=/etc/secure_boot/db_custom.pem \
> > > --sign-kernel \
> > > --cmdline=@/etc/kernel/cmdline \
> > > --measure \
> > > --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi
> >
> > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"
> >
> > The UKI entry now does boot, but waits for the LUKS decryption password.
> >
> > I added a print line to the `ukify` executable to see the signature
> > file generated.
> >
> > > {"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}
> >
> > Any ideas what might be going wrong or how to further debug it?
> >
> > Thank you!
> >
> >
> >
> > On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov
> > <akostadi at redhat.com> wrote:
> > >
> > > Will appreciate any pointers about debugging and fixing this!
> > >
> > > On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> > > <akostadi at redhat.com> wrote:
> > > >
> > > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > > > <lennart at poettering.net> wrote:
> > > > >
> > > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
> > > > >
> > > > > > Hi again. I tried to boot from UKI to no avail.
> > > > > >
> > > > > > First created a "db" certificate
> > > > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > > > >
> > > > > > Then uploaded it to the secure boot trust via USB drive and the UEFI setup.
> > > > > >
> > > > > > Then created UKI:
> > > > > > > /usr/lib/systemd/ukify \
> > > > > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > > > > /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > > > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > > > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > > > > --phases='enter-initrd' \
> > > > > > > --pcr-banks=sha1,sha256 \
> > > > > > > --secureboot-private-key=/etc/secure_boot/db.key \
> > > > > > > --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > > > > --sign-kernel \
> > > > > > > --cmdline='ro rhgb'
> > > > > >
> > > > > > Then added a boot entry:
> > > > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > > > >
> > > > > > Unfortunately when trying to boot this I get:
> > > > > > > Bad kernel image: Load Error
> > > > >
> > > > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > > > signature, i.e. we generate that error typically if we can't jump into
> > > > > it because it doesn't come with the right PE headers.
> > > >
> > > > This is just a standard kernel coming with Fedora 38. I didn't modify
> > > > it. Also initrd as generated by dracut.
> > > >
> > > > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > > 00000000 4d 5a ea 07 |MZ..|
> > > > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild at 30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> > > >
> > > > Any suggestions on how to fix it?
> > > >
> > > > If it matters -- ukify 253 (253.7-1.fc38)
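The question at the top of this message is how to tell which condition behind "Couldn't find signature for this PCR bank, PCR index and public key." is the one that fails. The lookup has three parts that can each be checked offline against the signature JSON that ukify produced (the `{"sha1": [...], "sha256": [...]}` object shown above) and the public key that was enrolled: the PCR bank must be present, an entry's `pcrs` list must equal the PCR set enrolled with `--tpm2-public-key-pcrs`, and the entry's `pkfp` must equal the fingerprint of the enrolled public key. The script below is an added example, not code from the thread or from systemd; it mirrors that lookup and reports the failing condition per bank. It assumes, from my reading of systemd's implementation, that `pkfp` is the hex SHA-256 of the DER-encoded SubjectPublicKeyInfo, which is exactly what the body of a `-----BEGIN PUBLIC KEY-----` PEM decodes to. The key files and the signature JSON embedded in the script are constructed placeholders; on a real system you would load `/etc/systemd/tpm2-pcr-public-key.pem` (the default key systemd-cryptenroll uses) and the signature file that systemd-stub exposes to the initrd as `/.extra/tpm2-pcr-signature.json` in their place.

```python
import base64
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of a PUBLIC KEY block."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))


def pubkey_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER SubjectPublicKeyInfo. Assumption: this is what
    the "pkfp" field of the signature JSON carries (see lead-in)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def find_signature(sig: Dict[str, list], pubkey_pem: str, bank: str,
                   pcrs: List[int], policy_hash: Optional[str] = None
                   ) -> Tuple[Optional[dict], List[str]]:
    """Mirror the lookup: an entry in the requested bank must match the PCR set
    and the enrolled key's fingerprint (and, if given, the policy hash "pol").
    Returns (matching_entry, []) on success or (None, reasons) on failure."""
    want_fp = pubkey_fingerprint(pubkey_pem)
    entries = sig.get(bank)
    if not entries:
        return None, ["no entries for PCR bank %r (banks present: %s)"
                      % (bank, sorted(sig))]
    reasons = []
    for idx, entry in enumerate(entries):
        problems = []
        if sorted(entry.get("pcrs", [])) != sorted(pcrs):
            problems.append("pcrs %s != enrolled %s" % (entry.get("pcrs"), pcrs))
        if entry.get("pkfp") != want_fp:
            problems.append("pkfp %s.. != enrolled key %s.."
                            % (str(entry.get("pkfp"))[:16], want_fp[:16]))
        if policy_hash is not None and entry.get("pol") != policy_hash:
            problems.append("pol does not match the expected policy hash")
        if not problems:
            return entry, []
        reasons.append("%s[%d]: %s" % (bank, idx, "; ".join(problems)))
    return None, reasons


def make_pem(der: bytes) -> str:
    """Wrap constructed bytes in PEM armour (stands in for a real key file)."""
    return ("-----BEGIN PUBLIC KEY-----\n"
            + base64.encodebytes(der).decode()
            + "-----END PUBLIC KEY-----\n")


# Constructed placeholders: the key enrolled into the LUKS TPM2 token, and an
# unrelated key. Replace with the contents of the real PEM files to check a box.
ENROLLED_PUBKEY_PEM = make_pem(b"constructed placeholder: enrolled SPKI bytes")
OTHER_PUBKEY_PEM = make_pem(b"constructed placeholder: some other SPKI bytes")

# Constructed signature JSON in the shape ukify writes (one entry per bank for
# PCR 11). The sha1 entry is deliberately made with the other key so that the
# diagnostic has a mismatch to report; "pol" and "sig" are placeholder strings.
SAMPLE_SIGNATURE_JSON = json.dumps({
    "sha1": [{"pcrs": [11], "pkfp": pubkey_fingerprint(OTHER_PUBKEY_PEM),
              "pol": "00" * 20, "sig": "placeholder-base64=="}],
    "sha256": [{"pcrs": [11], "pkfp": pubkey_fingerprint(ENROLLED_PUBKEY_PEM),
                "pol": "00" * 32, "sig": "placeholder-base64=="}],
})
SAMPLE_SIGNATURE = json.loads(SAMPLE_SIGNATURE_JSON)


def diagnose(sig: dict, pubkey_pem: str, pcrs: List[int]) -> Dict[str, List[str]]:
    """Try every bank the JSON carries, as cryptsetup does, and return the
    failure reasons per bank; an empty list means that bank would match."""
    return {bank: find_signature(sig, pubkey_pem, bank, pcrs)[1] for bank in sig}


if __name__ == "__main__":
    for bank, reasons in diagnose(SAMPLE_SIGNATURE, ENROLLED_PUBKEY_PEM, [11]).items():
        print(bank, "OK" if not reasons else "; ".join(reasons))
```

Run against real files, a `pkfp` mismatch means the signature was produced with a different `--pcr-private-key` than the `--tpm2-public-key` enrolled into the LUKS header, a `pcrs` mismatch means the `--tpm2-public-key-pcrs` set differs from what ukify was asked to sign, and a missing bank means the JSON in the initrd is not the one ukify just wrote. The `pol` check is left optional because the expected policy hash depends on the predicted PCR values and is not something the JSON alone can confirm.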