[systemd-devel] Fedora 38 and signed PCR binding
Dan Streetman
ddstreet at ieee.org
Wed Oct 11 22:13:52 UTC 2023
On Sun, Oct 8, 2023 at 8:09 AM Aleksandar Kostadinov
<akostadi at redhat.com> wrote:
>
> I've progressed past this point by upgrading to Fedora 39 Beta which
> apparently has a newer ukify version. The issue now though is that
> automatic unlock does not work. I need to enter password manually and
> I see no errors in console output.
>
> Here's what I did:
> > sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-public-key-pcrs=11 /dev/sda3
This probably isn't what you want, because you're specifying
--tpm2-public-key-pcrs= but not --tpm2-public-key=, so the
--tpm2-public-key-pcrs= doesn't actually do anything (it should
probably either fail or at least print a warning).
Since you didn't specify --tpm2-pcrs=, it will default to use only
PCR7, using the current value (at the time you ran
systemd-cryptenroll).
Just for testing, can you try:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" /dev/sda3
That will enroll your tpm with *no* pcr values, so it should always
successfully unlock your volume using the tpm (note, you probably
don't want to do this other than for testing). Then see if it uses the
tpm to unlock the volume on boot. If so, you just need to get the
specific PCR parameters correct (and make sure to supply your PEM
public key to systemd-cryptenroll using --tpm2-public-key=), and
provide the correct signature.
>
> > $ sudo cat /etc/crypttab
> > luks-### UUID=### none discard,tpm2-device=auto,tpm2-measure-pcr=yes
>
> > sudo dracut -f
>
> > /usr/lib/systemd/ukify build \
> > --linux=/lib/modules/6.5.5-300.fc39.x86_64/vmlinuz \
> > --initrd=/boot/initramfs-6.5.5-300.fc39.x86_64.img \
> > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > --phases='enter-initrd' \
> > --pcr-banks=sha1,sha256 \
> > --secureboot-private-key=/etc/secure_boot/db_custom.key \
> > --secureboot-certificate=/etc/secure_boot/db_custom.pem \
> > --sign-kernel \
> > --cmdline=@/etc/kernel/cmdline \
> > --measure \
> > --output=/boot/efi/EFI/fedora/uki/vmlinuz.efi
>
> > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ.EFI -L "Fedora UKI"
>
> The UKI entry now does boot, but waits for the LUKS decryption password.
>
> I added a print line to the `ukify` executable to see the signature
> file generated.
>
> > {"sha1": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580", "sig": "hJ4fhnRPXmsEXdq6o5eVS9WbGyJJdp/Q+x8Op5EPp0JmnB79nuGZqtTK1tYaxjzgN6/w/Wq1k93p/owSks9I7SJ5wJ0ciA4Ruaou49HdK0eDBbDmJ+Bsb33t/tP7bgXrpz2KEzkpmxd9SkIfM/0cK9tHJfrlvuAZgNr9vr3zLBkaWGI2XkDhOCnujWvxatDX2L63IPUyAZ+CGqvSL95734MPsJ0VWeP3w0mBb9KfMw7jifWLVj+1A3V5iY2bK5HYCzMBab91XuQo2JjMRDfE33PlqkiRFq56AwpLkZAVijndFNHJj7zHrzXBBsKWsO+t3i6WVF4g2cmaISVs6ehIJw=="}], "sha256": [{"pcrs": [11], "pkfp": "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7", "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1", "sig": "t17dochSzptJyvNkrldHKSKF1WnVW6EncKNtvNftp7+VHJEb3/GL58/M67eRI7lDSxcTzKXEFCqgDUOJIBBod9hhY9i0QPirr7GOWOcV+3FsjFtT+q+SJ0QNBdYXCYvy5GwsrBe1RXRlw4JxfyNLXlaD4xVVsbEFd079yVK9HVd7LxIs8hVwDRTBMPnWgiglzinkYr6GxN7q0ipQAtVANyWOIWVMWAuYQ7fvZXqO4XEq1Bpu73vUxfMo+5g+GRJS0dXOnSXZWro8IssjZNaDimWOIgPPTmIDZVs4SptyLcQo9O6Z9YYScanP0jXtuJEkzCi7YxG+0QwHQQTp4mka2g=="}]}
>
> Any ideas what might be going wrong or how to further debug it?
>
> Thank you!
>
>
>
> On Fri, Sep 15, 2023 at 12:02 PM Aleksandar Kostadinov
> <akostadi at redhat.com> wrote:
> >
> > Will appreciate any pointers about debugging and fixing this!
> >
> > On Tue, Sep 12, 2023 at 2:55 AM Aleksandar Kostadinov
> > <akostadi at redhat.com> wrote:
> > >
> > > On Mon, Sep 11, 2023 at 2:57 PM Lennart Poettering
> > > <lennart at poettering.net> wrote:
> > > >
> > > > On Mo, 11.09.23 14:48, Aleksandar Kostadinov (akostadi at redhat.com) wrote:
> > > >
> > > > > Hi again. I tried to boot from UKI to no avail.
> > > > >
> > > > > First created a "db" certificate
> > > > > > openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> > > > > > openssl x509 -outform DER -in db.pem -out db.crt
> > > > >
> > > > > Then uploaded it to the Secure Boot trust store via a USB drive and the UEFI setup.
> > > > >
> > > > > Then created UKI:
> > > > > > /usr/lib/systemd/ukify \
> > > > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> > > > > > /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> > > > > > --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> > > > > > --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> > > > > > --phases='enter-initrd' \
> > > > > > --pcr-banks=sha1,sha256 \
> > > > > > --secureboot-private-key=/etc/secure_boot/db.key \
> > > > > > --secureboot-certificate=/etc/secure_boot/db.pem \
> > > > > > --sign-kernel \
> > > > > > --cmdline='ro rhgb'
> > > > >
> > > > > Then added a boot entry:
> > > > > > efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"
> > > > >
> > > > > Unfortunately when trying to boot this I get:
> > > > > > Bad kernel image: Load Error
> > > >
> > > > That suggests the kernel you picked does not carry a correct PE/MZ
> > > > signature, i.e. we generate that error typically if we can't jump into
> > > > it because it doesn't come with the right PE headers.
> > >
> > > This is just a standard kernel coming with Fedora 38. I didn't modify
> > > it. Also, the initrd is as generated by dracut.
> > >
> > > > $ hexdump -C -n4 < /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > 00000000 4d 5a ea 07 |MZ..|
> > > > $ file /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz
> > > > /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz: Linux kernel x86 boot executable bzImage, version 6.4.12-200.fc38.x86_64 (mockbuild at 30894952d3244f1ab967aeda9ed417f6) #1 SMP PREEMPT_DYNAMIC Wed Aug 23 17:46:49 UTC 2023, RO-rootFS, swap_dev 0XD, Normal VGA
> > >
> > > Any suggestions on how to fix it?
> > >
> > > If it matters -- ukify 253 (253.7-1.fc38)
>
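A check for the failure mode Dan describes (the enrollment not being bound to the key ukify signed with), as an added example that is not part of this thread and not code from systemd: it parses a ukify `.pcrsig` file like the one printed above and compares every `pkfp` with the fingerprint of the PEM public key that has to go to `systemd-cryptenroll --tpm2-public-key=`. It assumes that `pkfp` is the hex SHA-256 over the DER SubjectPublicKeyInfo (the base64 body of a `-----BEGIN PUBLIC KEY-----` block), that `pol` is always a 32-byte policy digest even in the sha1 bank (as in the JSON above), and it does not verify the `sig` value itself. The `pkfp`/`pol` values are copied from the thread; the signature and the PEM "key" are constructed placeholders.

```python
"""Consistency check of a ukify .pcrsig against the PEM public key that
systemd-cryptenroll --tpm2-public-key= must receive.

Added example, not code from this thread or from systemd. Assumptions:
  * "pkfp" is the hex SHA-256 of the DER SubjectPublicKeyInfo, i.e. the
    base64-decoded body of a "-----BEGIN PUBLIC KEY-----" PEM block;
  * "pol" is the TPM policy digest, 32 bytes in every bank;
  * "sig" is only checked for being base64, not verified.
Standard library only.
"""
import base64
import hashlib
import json
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

# pkfp and pol copied from the pcrsig printed in the thread; the signature
# is a constructed placeholder, not the real one.
THREAD_PKFP = "77cb92791d56699be04ab48bdc85adbd6e12ec2816241eadbe0859650684bee7"
CONSTRUCTED_SIG = base64.b64encode(b"constructed placeholder signature").decode()
SAMPLE_PCRSIG = json.dumps({
    "sha1": [{"pcrs": [11], "pkfp": THREAD_PKFP,
              "pol": "3d43ca831277c9a57f7741a23dca2896da9ece1417d1dc047c7a018014571580",
              "sig": CONSTRUCTED_SIG}],
    "sha256": [{"pcrs": [11], "pkfp": THREAD_PKFP,
                "pol": "76e24d931952b45046e001cac3ed6a6f9b76162fb3eb2366f704a6c360e720b1",
                "sig": CONSTRUCTED_SIG}],
})

# Constructed stand-in for /etc/systemd/tpm2-pcr-public-key.pem: not a real
# key, just bytes in PEM framing, which is all the fingerprint depends on.
CONSTRUCTED_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + base64.b64encode(b"constructed, not a real RSA key").decode()
                   + "\n-----END PUBLIC KEY-----\n")


def pem_public_key_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside the PEM block, as lowercase hex."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PUBLIC KEY PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check_pcrsig(pcrsig_json: str, pem: str,
                 banks=("sha1", "sha256"), pcr=11) -> list:
    """Return a list of problems; empty means the pcrsig fits an enrollment
    made with this key (--tpm2-public-key=) and PCR (--tpm2-public-key-pcrs=)."""
    problems = []
    try:
        doc = json.loads(pcrsig_json)
    except json.JSONDecodeError as exc:
        return [f"pcrsig is not valid JSON: {exc}"]
    fp = pem_public_key_fingerprint(pem)
    for bank in banks:
        entries = doc.get(bank) or []
        if not entries:
            problems.append(f"{bank}: no signature (check ukify --pcr-banks=)")
            continue
        for i, e in enumerate(entries):
            tag = f"{bank}[{i}]"
            missing = {"pcrs", "pkfp", "pol", "sig"} - set(e)
            if missing:
                problems.append(f"{tag}: missing fields {sorted(missing)}")
                continue
            if pcr not in e["pcrs"]:
                problems.append(f"{tag}: signs PCRs {e['pcrs']}, not PCR {pcr} "
                                "(must match --tpm2-public-key-pcrs=)")
            if e["pkfp"].lower() != fp:
                problems.append(f"{tag}: pkfp {e['pkfp'][:12]}... is not this key "
                                f"({fp[:12]}...); ukify --pcr-public-key= and "
                                "cryptenroll --tpm2-public-key= must be the same key")
            try:
                if len(bytes.fromhex(e["pol"])) != 32:
                    problems.append(f"{tag}: policy digest is not 32 bytes")
            except ValueError:
                problems.append(f"{tag}: pol is not hex")
            try:
                base64.b64decode(e["sig"], validate=True)
            except ValueError:
                problems.append(f"{tag}: sig is not base64")
    return problems


def with_pkfp(pcrsig_json: str, fp: str) -> str:
    """Rewrite every pkfp to fp: what ukify would have emitted for that key."""
    doc = json.loads(pcrsig_json)
    for entries in doc.values():
        for e in entries:
            e["pkfp"] = fp
    return json.dumps(doc)


if __name__ == "__main__":
    # Usage: pcrsig_check.py <vmlinuz.efi.pcrsig> <tpm2-pcr-public-key.pem>
    if len(sys.argv) == 3:
        sig, pem = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        sig, pem = SAMPLE_PCRSIG, CONSTRUCTED_PEM
    for line in check_pcrsig(sig, pem) or ["OK: pcrsig matches key and PCR"]:
        print(line)
```

Run against the real `.pcrsig` ukify wrote next to the UKI (or the `.pcrsig` section extracted from it) and the PEM from `/etc/systemd/`; a `pkfp` mismatch means the UKI was signed with a different key than the one the LUKS slot was enrolled against, and a PCR mismatch means `--tpm2-public-key-pcrs=` and `--phases=`/`--pcr-banks=` disagree.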
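For the earlier "Bad kernel image: Load Error" diagnosis, a check that goes further than the `hexdump` of the first four bytes, as an added example that is not part of this thread and not code from systemd or the kernel project: it walks the PE/COFF headers of a kernel image to confirm the `MZ` stub, the `PE\0\0` signature, the optional header, the EFI application subsystem and whether an Authenticode certificate table is present. It assumes the layout from the PE specification (e_lfanew at 0x3c, Subsystem at optional-header offset 68, certificate table as data directory 4); the sample image is a constructed headers-only PE, not a bootable binary.

```python
"""Inspect the PE/MZ headers an EFI loader needs in a kernel image and
report whether the image already carries a certificate (signature) table.

Added example, not code from this thread, from systemd or from the kernel.
Assumes the standard PE/COFF layout: "MZ" DOS header with e_lfanew at
0x3c, "PE\\0\\0" signature, 20-byte COFF header, optional header with
Subsystem at offset 68 and data directory index 4 = certificate table.
Standard library only.
"""
import struct
import sys

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "aarch64", 0x01C2: "arm"}
EFI_APPLICATION = 10  # IMAGE_SUBSYSTEM_EFI_APPLICATION


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of the headers to answer: is this a PE EFI
    application, for which machine, and does it have a signature table?"""
    info = {"mz": data[:2] == b"MZ", "pe": False, "signed": False}
    try:
        if not info["mz"]:
            return info
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        machine, _, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                      # optional header start
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):          # PE32 / PE32+
            return info
        pe32plus = magic == 0x20B
        (subsystem,) = struct.unpack_from("<H", data, opt + 68)
        ndirs_off, dd_off = (108, 112) if pe32plus else (92, 96)
        (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
        cert_size = 0
        if ndirs > 4 and opt_size >= dd_off + 5 * 8:
            # Certificate table: (file offset, size); size > 0 means signed.
            _, cert_size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    except struct.error:                         # truncated header
        return info
    info.update(pe=True, pe32plus=pe32plus,
                machine=MACHINES.get(machine, hex(machine)),
                subsystem=subsystem, efi_application=subsystem == EFI_APPLICATION,
                signed=cert_size > 0)
    return info


def build_minimal_pe(machine=0x8664, subsystem=EFI_APPLICATION,
                     cert_size=0, pe32plus=True) -> bytes:
    """Constructed headers-only PE image for testing; not bootable."""
    opt = bytearray(240 if pe32plus else 224)    # 112/96 + 16 data dirs * 8
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    ndirs_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dd_off + 4 * 8, 0x400 if cert_size else 0, cert_size)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)   # e_lfanew = 64
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: pe_check.py /lib/modules/<version>/vmlinuz   (no args: sample)
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_minimal_pe(cert_size=0x1000))
    for key, value in inspect_pe(data).items():
        print(f"{key}: {value}")
```

`pe: False` with `mz: True` is exactly the "MZ magic but no usable PE headers" case; `signed: True` on the distribution kernel tells you the image already has a certificate table before ukify's `--sign-kernel` adds another signature.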